Table of Contents
BIND 9 configuration is broadly similar to BIND 8; however, there are a few new areas of configuration, such as views. BIND 8 configuration files should work with few alterations in BIND 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BIND 9.
BIND 4 configuration files can be
converted to the new format
using the shell script
contrib/named-bootconf/named-bootconf.sh.
Following is a list of elements used throughout the BIND configuration file documentation:
|
|
The name of an |
|
|
A list of one or more
|
|
|
A named list of one or more |
|
|
A quoted string which will be used as
a DNS name, for example " |
|
|
A list of one or more |
|
|
One to four integers valued 0 through 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. |
|
|
An IPv4 address with exactly four elements
in |
|
|
An IPv6 address, such as 2001:db8::1234. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, in order to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated. |
|
|
An |
|
|
A |
|
|
An IP port |
|
|
An IP network specified as an When specifying a prefix involving a IPv6 scoped address the scope may be omitted. In that case the prefix will match packets from any scope. |
|
|
A |
|
|
A list of one or more
|
|
|
A non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might be further limited by the context in which it is used. |
|
|
A non-negative real number that can be specified to the nearest one hundredth. Up to five digits can be specified before a decimal point, and up to two digits after, so the maximum value is 99999.99. Acceptable values might be further limited by the context in which it is used. |
|
|
A quoted string which will be used as
a pathname, such as |
|
|
A list of an |
|
|
A 64-bit unsigned integer, or the keywords
Integers may take values
0 <= value <= 18446744073709551615, though
certain parameters
(such as max-journal-size) may
use a more limited range within these extremes.
In most cases, setting a value to 0 does not
literally mean zero; it means "undefined" or
"as big as possible", depending on the context.
See the explanations of particular parameters
that use
Numeric values can optionally be followed by a
scaling factor:
|
|
|
Either |
|
|
One of |
address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} )
Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements which constitute an address match list can be any of the following:
Elements can be negated with a leading exclamation mark (`!'), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement.
The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.
When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower.
The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated.
When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the server to refuse queries on any of the machine's addresses which do not match the list.
Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference will be given to the one that came first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through.
The BIND 9 comment syntax allows for comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style.
/* This is a BIND comment as in C */
// This is a BIND comment as in C++
# This is a BIND comment as in common UNIX shells # and perl
Comments may appear anywhere that whitespace may appear in a BIND configuration file.
C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.
C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:
/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */
C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example:
// This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment.
Shell-style (or perl-style, if you prefer) comments start
with the character # (number sign)
and continue to the end of the
physical line, as in C++ comments.
For example:
# This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment.
You cannot use the semicolon (`;') character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement.
A BIND 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of sub-statements, which are also terminated with a semicolon.
The following statements are supported:
|
acl |
defines a named IP address matching list, for access control and other uses. |
|
controls |
declares control channels to be used by the rndc utility. |
|
include |
includes a file. |
|
key |
specifies key information for use in authentication and authorization using TSIG. |
|
logging |
specifies what the server logs, and where the log messages are sent. |
|
lwres |
configures named to also act as a light-weight resolver daemon (lwresd). |
|
masters |
defines a named masters list for inclusion in stub and slave zones' masters or also-notify lists. |
|
options |
controls global server configuration options and sets defaults for other statements. |
|
server |
sets certain configuration options on a per-server basis. |
|
statistics-channels |
declares communication channels to get access to named statistics. |
|
trusted-keys |
defines trusted DNSSEC keys. |
|
managed-keys |
lists DNSSEC keys to be kept up to date using RFC 5011 trust anchor maintenance. |
|
view |
defines a view. |
|
zone |
defines a zone. |
The logging and options statements may only occur once per configuration.
The acl statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).
The following ACLs are built-in:
|
any |
Matches all hosts. |
|
none |
Matches no hosts. |
|
localhost |
Matches the IPv4 and IPv6 addresses of all network interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. |
|
localnets |
Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, the localnets ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. In such a case, localnets only matches the local IPv6 addresses, just like localhost. |
When BIND 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
This is done by specifying an ACL element of the form:
geoip [db database] field value
The field indicates which field
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "org", "asnum", "domain" and "netspeed".
value is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
an "asnum" search, then the leading "ASNNNN" string can be
used, otherwise the full description must be used (e.g.
"ASNNNN Example Company Name"). If this is a "country"
search and the string is two characters long, then it must
be a standard ISO-3166-1 two-letter country code, and if it
is three characters long then it must be an ISO-3166-1
three-letter country code; otherwise it is the full name
of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
The database field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
a single database. However, searches for country can be
answered from the "city", "region", or "country" databases,
and searches for region (i.e., state or province) can be
answered from the "city" or "region" databases. For these
search types, specifying a database
will force the query to be answered from that database and no
other. If database is not
specified, then these queries will be answered from the "city",
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
Some example GeoIP ACLs:
geoip country US; geoip country JAP; geoip db country country Canada; geoip db region region WA; geoip city "San Francisco"; geoip region Oklahoma; geoip postal 95062; geoip tz "America/Los_Angeles"; geoip org "Internet Systems Consortium";
controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] };
The controls statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server.
An inet control channel is a TCP socket
listening at the specified ip_port on the
specified ip_addr, which can be an IPv4 or IPv6
address. An ip_addr of * (asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an ip_addr of ::.
If you will only use rndc on the local host,
using the loopback address (127.0.0.1
or ::1) is recommended for maximum security.
If no port is specified, port 953 is used. The asterisk
"*" cannot be used for ip_port.
The ability to issue commands over the control channel is restricted by the allow and keys clauses. Connections to the control channel are permitted based on the address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list are ignored.
A unix control channel is a UNIX domain socket listening at the specified path in the file system. Access to the socket is specified by the perm, owner and group clauses. Note on some platforms (SunOS and Solaris) the permissions (perm) are applied to the parent directory as the permissions on the socket itself are ignored.
The primary authorization mechanism of the command channel is the key_list, which contains a list of key_ids. Each key_id in the key_list is authorized to execute commands over the control channel. See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc.
If no controls statement is present,
named will set up a default
control channel listening on the loopback address 127.0.0.1
and its IPv6 counterpart ::1.
In this case, and also when the controls statement
is present but does not have a keys clause,
named will attempt to load the command channel key
from the file rndc.key in
/etc (or whatever sysconfdir
was specified as when BIND was built).
To create a rndc.key file, run
rndc-confgen -a.
The rndc.key feature was created to
ease the transition of systems from BIND 8,
which did not have digital signatures on its command channel
messages and thus did not have a keys clause.
It makes it possible to use an existing BIND 8
configuration file in BIND 9 unchanged,
and still have rndc work the same way
ndc worked in BIND 8, simply by executing the
command rndc-confgen -a after BIND 9 is
installed.
Since the rndc.key feature
is only intended to allow the backward-compatible usage of
BIND 8 configuration files, this
feature does not
have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a
rndc.conf with your own key if you
wish to change
those things. The rndc.key file
also has its
permissions set such that only the owner of the file (the user that
named is running as) can access it.
If you
desire greater flexibility in allowing other users to access
rndc commands, then you need to create
a
rndc.conf file and make it group
readable by a group
that contains the users who should have access.
To disable the command channel, use an empty controls statement: controls { };.
The include statement inserts the specified file at the point where the include statement is encountered. The include statement facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server.
The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) or the command channel (see the section called “controls Statement Definition and Usage”).
The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement (see the section called “controls Statement Definition and Usage”) must be defined at the top level.
The key_id, also known as the
key name, is a domain name uniquely identifying the key. It can
be used in a server
statement to cause requests sent to that
server to be signed with this key, or in address match lists to
verify that incoming requests have been signed with a key
matching this name, algorithm, and secret.
The algorithm_id is a string
that specifies a security/authentication algorithm. Named
supports hmac-md5,
hmac-sha1, hmac-sha224,
hmac-sha256, hmac-sha384
and hmac-sha512 TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceded by a dash, e.g.
hmac-sha1-80. The
secret_string is the secret
to be used by the algorithm, and is treated as a Base64
encoded string.
logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... };
The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be:
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};
In BIND 9, the logging configuration
is only established when
the entire configuration file has been parsed. In BIND 8, it was
established as soon as the logging
statement
was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the "-g" option
was specified.
All log output goes to one or more channels; you can make as many of them as you want.
Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any).
The null destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless.
The file destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.
If you use the versions log file
option, then
named will retain that many backup
versions of the file by
renaming them when opening. For example, if you choose to keep
three old versions
of the file lamers.log, then just
before it is opened
lamers.log.1 is renamed to
lamers.log.2, lamers.log.0 is renamed
to lamers.log.1, and lamers.log is
renamed to lamers.log.0.
You can say versions unlimited to
not limit
the number of versions.
If a size option is associated with
the log file,
then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any
existing
log file is simply appended.
The size option for files is used to limit log growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no versions option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the file.
Example usage of the size and versions options:
channel an_example_channel {
file "example.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored.
On Windows machines syslog messages are directed to the EventViewer.
The severity clause works like syslog's "priorities", except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.
If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.
The stderr destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example when debugging a configuration.
The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is
greater
than zero, then debugging mode will be active. The global debug
level is set either by starting the named server
with the -d flag followed by a positive integer,
or by running rndc trace.
The global debug level
can be set to zero, and debugging mode turned off, by running rndc
notrace. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
channel specific_debug_level {
file "foo";
severity debug 3;
};
will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global debug level to determine what messages to print.
If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also logs the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print- options are on:
28-Feb-2000 15:05:32.863 general: notice: running
There are four predefined channels that are used for named's default logging as follows. How they are used is described in the section called “The category Phrase”.
channel default_syslog {
// send to syslog's daemon facility
syslog daemon;
// only send priority info and higher
severity info;
channel default_debug {
// write to named.run in the working directory
// Note: stderr is used instead of "named.run" if
// the server is started with the '-f' option.
file "named.run";
// log at the server's current debug level
severity dynamic;
};
channel default_stderr {
// writes to stderr
stderr;
// only send priority info and higher
severity info;
};
channel null {
// toss anything sent to this channel
null;
};
The default_debug channel has the
special
property that it only produces output when the server's debug
level is
nonzero. It normally writes to a file called named.run
in the server's working directory.
For security reasons, when the "-u"
command line option is used, the named.run file
is created only after named has
changed to the
new UID, and any debug output generated while named is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the "-g"
option and redirect standard error to a file.
Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.
There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following "default default" is used:
category default { default_syslog; default_debug; };
As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:
channel my_security_channel {
file "my_security_file";
severity info;
};
category security {
my_security_channel;
default_syslog;
default_debug;
};
To discard all messages in a category, specify the null channel:
category xfer-out { null; };
category notify { null; };
Following are the available categories and brief descriptions of the types of log information they contain. More categories may be added in future BIND releases.
|
client |
Processing of client requests. |
|
cname |
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records. |
|
config |
Configuration file parsing and processing. |
|
database |
Messages relating to the databases used internally by the name server to store zone and cache data. |
|
default |
The default category defines the logging options for those categories where no specific configuration has been defined. |
|
delegation-only |
Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration. |
|
dispatch |
Dispatching of incoming packets to the server modules where they are to be processed. |
|
dnssec |
DNSSEC and TSIG protocol processing. |
|
edns-disabled |
Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand. Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports. Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned. |
|
general |
The catch-all. Many things still aren't classified into categories, and they all end up here. |
|
lame-servers |
Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution. |
|
network |
Network operations. |
|
notify |
The NOTIFY protocol. |
|
queries |
Specify where queries should be logged to. At startup, specifying the category queries will also enable query logging unless querylog option has been specified. The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.) |
|
query-errors |
Information about queries that resulted in some failure. |
|
rate-limit |
The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher. Rate limiting of individual requests is logged in the query-errors category. |
|
resolver |
DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server. |
|
rpz |
Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts. |
|
security |
Approval and denial of requests. |
|
spill |
Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded. |
|
trust-anchor-telemetry |
Logs trust-anchor-telemetry requests received by named. |
|
unmatched |
Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel. |
|
update |
Dynamic updates. |
|
update-security |
Approval and denial of update requests. |
|
xfer-in |
Zone transfers the server is receiving. |
|
xfer-out |
Zone transfers the server is sending. |
The query-errors category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged with debug levels.
At the debug levels of 1 or higher, each response with the rcode of SERVFAIL is logged as follows:
client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880
This means an error resulting in SERVFAIL was
detected at line 3880 of source file
query.c.
Log messages of this level will particularly
help identify the cause of SERVFAIL for an
authoritative server.
At the debug levels of 2 or higher, detailed context information of recursive resolutions that resulted in SERVFAIL is logged. The log message will look like as follows:
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
The first part before the colon shows that a recursive
resolution for AAAA records of www.example.com completed
in 30.000183 seconds and the final result that led to the
SERVFAIL was determined at line 2970 of source file
resolver.c.
The following part shows the detected final result and the latest result of DNSSEC validation. The latter is always success when no validation attempt is made. In this example, this query resulted in SERVFAIL probably because all name servers are down or unreachable, leading to a timeout in 30 seconds. DNSSEC validation was probably not attempted.
The last part enclosed in square brackets shows statistics
information collected for this particular resolution
attempt.
The domain field shows the deepest zone
that the resolver reached;
it is the zone where the error was finally detected.
The meaning of the other fields is summarized in the
following table.
|
|
The number of referrals the resolver received throughout the resolution process. In the above example this is 2, which are most likely com and example.com. |
|
|
The number of cycles that the resolver tried
remote servers at the |
|
|
The number of queries the resolver sent at the
|
|
|
The number of timeouts since the resolver received the last response. |
|
|
The number of lame servers the resolver detected
at the |
|
|
The number of erroneous results that the
resolver encountered in sending queries
at the |
|
|
The number of unexpected responses (other than
|
|
|
Failures in finding remote server addresses
of the |
|
|
Failures of resolving remote server addresses. This is a total number of failures throughout the resolution process. |
|
|
Failures of DNSSEC validation.
Validation failures are counted throughout
the resolution process (not limited to
the |
At the debug levels of 3 or higher, the same messages as those at the debug 1 level are logged for other errors than SERVFAIL. Note that negative responses such as NXDOMAIN are not regarded as errors here.
At the debug levels of 4 or higher, the same messages as those at the debug 2 level are logged for other errors than SERVFAIL. Unlike the above case of level 3, messages are logged for negative responses. This is because any unexpected results can be difficult to debug in the recursion case.
This is the grammar of the lwres
statement in the named.conf file:
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] };
The lwres statement configures the name server to also act as a lightweight resolver server. (See the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring lightweight resolver servers with different properties.
The listen-on statement specifies a list of IPv4 addresses (and ports) that this instance of a lightweight resolver daemon should accept requests on. If no port is specified, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, port 921.
The view statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the response will be constructed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is used, and if there is no default view, an error is triggered.
The search statement is equivalent to
the
search statement in
/etc/resolv.conf. It provides a
list of domains
which are appended to relative names in queries.
The ndots statement is equivalent to
the
ndots statement in
/etc/resolv.conf. It indicates the
minimum
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
mastersname[ portip_port] [ dscpip_dscp] { (masters_list; ) | (ip_addr[ portip_port] [ keykey] ; ) ... };
masters lists allow for a common set of masters to be easily used by multiple stub and slave zones in their masters or also-notify lists.
This is the grammar of the options
statement in the named.conf file:
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] [ trust-anchor-telemetryyes_or_no; ] } ; ]
The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If there is no options statement, an options block with each option set to its default will be used.
Allows multiple views to share a single cache database. Each view has its own cache database by default, but if multiple views have the same operational policy for name resolution and caching, those views can share a single cache to save memory and possibly improve resolution efficiency by using this option.
The attach-cache option may also be specified in view statements, in which case it overrides the global attach-cache option.
The cache_name specifies
the cache to be shared.
When the named server configures
views which are supposed to share a cache, it
creates a cache with the specified name for the
first view of these sharing views.
The rest of the views will simply refer to the
already created cache.
One common configuration to share a cache would be to allow all views to share a single cache. This can be done by specifying the attach-cache as a global option with an arbitrary name.
Another possible operation is to allow a subset of all views to share a cache while the others to retain their own caches. For example, if there are three views A, B, and C, and only A and B should share a cache, specify the attach-cache option as a view A (or B)'s option, referring to the other view name:
view "A" {
// this view has its own cache
...
};
view "B" {
// this view refers to A's cache
attach-cache "A";
};
view "C" {
// this view has its own cache
...
};
Views that share a cache must have the same policy on configurable parameters that may affect caching. The current implementation requires the following configurable options be consistent among these views: check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl.
Note that there may be other parameters that may cause confusion if they are inconsistent for different views that share a single cache. For example, if these views define different sets of forwarders that can return different answers for the same question, sharing the answer does not make sense or could even be harmful. It is administrator's responsibility to ensure configuration differences in different views do not cause disruption with a shared cache.
The working directory of the server.
Any non-absolute pathnames in the configuration file will
be taken as relative to this directory. The default
location for most server output files
(e.g. named.run) is this directory.
If a directory is not specified, the working directory
defaults to `.', the directory from
which the server was started. The directory specified
should be an absolute path. It is
strongly recommended
that the directory be writable by the effective user
ID of the named process.
Specifies the directory containing GeoIP
.dat database files for GeoIP
initialization. By default, this option is unset
and the GeoIP support will use libGeoIP's
built-in directory.
(For details, see the section called “acl Statement Definition and
Usage” about the
geoip ACL.)
When performing dynamic update of secure zones, the
directory where the public and private DNSSEC key files
should be found, if different than the current working
directory. (Note that this option has no effect on the
paths for files containing non-DNSSEC keys such as
bind.keys,
rndc.key or
session.key.)
Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory. The directory must be writable by the effective user ID of the named process.
If named is not configured to use views,
then managed keys for the server will be tracked in a single
file called managed-keys.bind.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
.mkeys.
This option is obsolete. It was used in BIND 8 to specify the pathname to the named-xfer program. In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server.
The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab.
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
and the credential is a Kerberos principal which the
server can acquire through the default system key
file, normally /etc/krb5.keytab.
The location keytab file can be overridden using the
tkey-gssapi-keytab option. Normally this principal is
of the form "DNS/server.domain".
To use GSS-TSIG, tkey-domain must
also be set if a specific keytab is not set with
tkey-gssapi-keytab.
The domain appended to the names of all shared keys
generated with TKEY. When a
client requests a TKEY exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
be client specified part +
tkey-domain. Otherwise, the
name of the shared key will be random hex
digits + tkey-domain.
In most cases, the domainname
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.domainname". If you are
using GSS-TSIG, this variable must be defined, unless
you specify a specific keytab using tkey-gssapi-keytab.
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman
mode
of TKEY. The server must be
able to load the
public and private keys from files in the working directory.
In
most cases, the key_name should be the server's host name.
This is for testing only. Do not use.
The pathname of the file the server dumps
the database to when instructed to do so with
rndc dumpdb.
If not specified, the default is named_dump.db.
The pathname of the file the server writes memory
usage statistics to on exit. If not specified,
the default is named.memstats.
The pathname of the file the server writes its process ID
in. If not specified, the default is
/var/run/named/named.pid.
The PID file is used by programs that want to send signals to
the running
name server. Specifying pid-file none disables the
use of a PID file — no file will be written and any
existing one will be removed. Note that none
is a keyword, not a filename, and therefore is not enclosed
in
double quotes.
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with rndc recursing.
If not specified, the default is named.recursing.
The pathname of the file the server appends statistics
to when instructed to do so using rndc stats.
If not specified, the default is named.stats in the
server's current directory. The format of the file is
described
in the section called “The Statistics File”.
The pathname of a file to override the built-in trusted
keys provided by named.
See the discussion of dnssec-validation
for details. If not specified, the default is
/etc/bind.keys.
The pathname of the file the server dumps
security roots to when instructed to do so with
rndc secroots.
If not specified, the default is
named.secroots.
The pathname of the file into which to write a TSIG
session key generated by named for use by
nsupdate -l. If not specified, the
default is /var/run/named/session.key.
(See the section called “Dynamic Update Policies”, and in
particular the discussion of the
update-policy statement's
local option for more
information about this feature.)
The key name to use for the TSIG session key. If not specified, the default is "local-ddns".
The algorithm to use for the TSIG session key. Valid values are hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512 and hmac-md5. If not specified, the default is hmac-sha256.
The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS.
The global Differentiated Services Code Point (DSCP) value to classify outgoing DNS traffic on operating systems that support DSCP. Valid values are 0 through 63. It is not configured by default.
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This options specifies the device (or file) from which
to read
entropy. If this is a file, operations requiring entropy will
fail when the
file has been exhausted. If not specified, the default value
is
/dev/random
(or equivalent) when present, and none otherwise. The
random-device option takes
effect during
the initial configuration load at server startup time and
is ignored on subsequent reloads.
If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6.
Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional exclude list.
DS queries are expected to be made to and be answered by delegation only zones. Such queries and responses are treated as an exception to delegation-only processing and are not converted to NXDOMAIN responses provided a CNAME is not discovered at the query name.
If a delegation only zone server also serves a child zone it is not always possible to determine whether an answer comes from the delegation only zone or the child zone. SOA NS and DNSKEY records are apex only records and a matching response that contains these records or DS is treated as coming from a child zone. RRSIG records are also examined to see if they are signed by a child zone or not. The authority section is also examined to see if there is evidence that the answer is from the child zone. Answers that are determined to be from a child zone are not converted to NXDOMAIN responses. Despite all these checks there is still a possibility of false negatives when a child zone is being served.
Similarly false positives can arise from empty nodes (no records at the name) in the delegation only zone when the query type is not ANY.
Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). This list is not exhaustive.
options {
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
Disable the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. Only the best match disable-algorithms clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered by the disable-algorithms will be treated as insecure.
Disable the specified DS/DLV digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. Only the best match disable-ds-digests clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered by the disable-ds-digests will be treated as insecure.
When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
If dnssec-lookaside is set to
no, then dnssec-lookaside
is not used.
NOTE: The ISC-provided DLV service at
dlv.isc.org, has been shut down.
The dnssec-lookaside auto;
configuration option, which set named
up to use ISC DLV with minimal configuration, has
accordingly been removed.
Specify hierarchies which must be or may not be secure
(signed and validated). If yes,
then named will only accept answers if
they are secure. If no, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a
trusted-keys or
managed-keys statement, or
dnssec-validation auto must be active.
This directive instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. It is intended to be used in conjunction with a NAT64. Each dns64 defines one DNS64 prefix. Multiple DNS64 prefixes can be defined.
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, 64 and 96 as per RFC 6052.
Additionally a reverse IP6.ARPA zone will be created for the prefix to provide a mapping from the IP6.ARPA names to the corresponding IN-ADDR.ARPA names using synthesized CNAMEs. dns64-server and dns64-contact can be used to specify the name of the server and contact for the zones. These are settable at the view / options level. These are not settable on a per-prefix basis.
Each dns64 supports an optional
clients ACL that determines which
clients are affected by this directive. If not defined,
it defaults to any;.
Each dns64 supports an optional
mapped ACL that selects which
IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
any;.
Normally, DNS64 won't apply to a domain name that owns one or more AAAA records; these records will simply be returned. The optional exclude ACL allows specification of a list of IPv6 addresses that will be ignored if they appear in a domain name's AAAA records, and DNS64 will be applied to any A records the domain name owns. If not defined, exclude defaults to ::ffff:0.0.0.0/96.
A optional suffix can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to ::. The bits
matching the prefix and mapped IPv4 address
must be zero.
If recursive-only is set to yes the DNS64 synthesis will only happen for recursive queries. The default is no.
If break-dnssec is set to yes the DNS64 synthesis will happen even if the result, if validated, would cause a DNSSEC validation failure. If this option is set to no (the default), the DO is set on the incoming query, and there are RRSIGs on the applicable records, then synthesis will not happen.
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
dns64 64:FF9B::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
When a zone is configured with auto-dnssec
maintain; its key repository must be checked
periodically to see if any new keys have been added
or any existing keys' timing metadata has been updated
(see dnssec-keygen(8) and
dnssec-settime(8)). The
dnssec-loadkeys-interval option
sets the frequency of automatic repository checks, in
minutes. The default is 60 (1 hour),
the minimum is 1 (1 minute), and the
maximum is 1440 (24 hours); any higher
value is silently reduced.
If this option is set to its default value of
maintain in a zone of type
master which is DNSSEC-signed
and configured to allow dynamic updates (see
the section called “Dynamic Update Policies”), and
if named has access to the
private signing key(s) for the zone, then
named will automatically sign all new
or changed records and maintain signatures for the zone
by regenerating RRSIG records whenever they approach
their expiration date.
If the option is changed to no-resign,
then named will sign all new or
changed records, but scheduled maintenance of
signatures is disabled.
With either of these settings, named
will reject updates to a DNSSEC-signed zone when the
signing keys are inactive or unavailable to
named. (A planned third option,
external, will disable all automatic
signing and allow DNSSEC data to be submitted into a zone
via dynamic update; this is not yet implemented.)
Specifies a maximum permissible TTL value.
When loading a zone file using a
masterfile-format of
text or raw,
any record encountered with a TTL higher than
max-zone-ttl will cause the zone to
be rejected.
This is useful in DNSSEC-signed zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from
caches. Themax-zone-ttl option guarantees
that the largest TTL in the zone will be no higher
the set value.
(NOTE: Because map-format files
load directly into memory, this option cannot be
used with them.)
The default value is unlimited.
A max-zone-ttl of zero is treated as
unlimited.
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
If full, the server will collect
statistical data on all zones (unless specifically
turned off on a per-zone basis by specifying
zone-statistics terse or
zone-statistics none
in the zone statement).
The default is terse, providing
minimal statistics on zones (including name and
current serial number, but not query type
counters).
These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions
of BIND 9, the zone-statistics
option can also accept yes
or no; yes
has the same meaning as full.
As of BIND 9.10,
no has the same meaning
as none; previously, it
was the same as terse.
If yes and supported by the OS,
automatically rescan network interfaces when the interface
addresses are added or removed. The default is
yes.
Currently the OS needs to support routing sockets for automatic-interface-scan to be supported.
If yes, then zones can be
added at runtime via rndc addzone
or deleted via rndc delzone.
The default is no.
If yes, then the AA bit
is always set on NXDOMAIN responses, even if the server is
not actually
authoritative. The default is no;
this is
a change from BIND 8. If you
are using very old DNS software, you
may need to set it to yes.
This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs the checks.
Write memory statistics to the file specified by
memstatistics-file at exit.
The default is no unless
'-m record' is specified on the command line in
which case it is yes.
If yes, then the
server treats all zones as if they are doing zone transfers
across
a dial-on-demand dialup link, which can be brought up by
traffic
originating from this server. This has different effects
according
to zone type and concentrates the zone maintenance so that
it all
happens in a short interval, once every heartbeat-interval and
hopefully during the one call. It also suppresses some of
the normal
zone maintenance traffic. The default is no.
The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup option.
If the zone is a master zone, then the server will send out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by notify and also-notify.
If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only perform them when the heartbeat-interval expires in addition to sending NOTIFY requests.
Finer control can be achieved by using
notify which only sends NOTIFY
messages,
notify-passive which sends NOTIFY
messages and
suppresses the normal refresh queries, refresh
which suppresses normal refresh processing and sends refresh
queries
when the heartbeat-interval
expires, and
passive which just disables normal
refresh
processing.
|
dialup mode |
normal refresh |
heart-beat refresh |
heart-beat notify |
|
no (default) |
yes |
no |
no |
|
yes |
no |
yes |
yes |
|
notify |
yes |
no |
yes |
|
refresh |
no |
yes |
no |
|
passive |
no |
no |
no |
|
notify-passive |
no |
no |
yes |
Note that normal NOTIFY processing is not affected by dialup.
In BIND 8, this option enabled simulating the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation.
This option is obsolete.
In BIND 8, fetch-glue yes
caused the server to attempt to fetch glue resource records
it
didn't have when constructing the additional
data section of a response. This is now considered a bad
idea
and BIND 9 never does it.
When the nameserver exits due receiving SIGTERM,
flush or do not flush any pending zone writes. The default
is
flush-zones-on-shutdown no.
This option was incorrectly implemented
in BIND 8, and is ignored by BIND 9.
To achieve the intended effect
of
has-old-clients yes, specify
the two separate options auth-nxdomain yes
and rfc2308-type1 no instead.
In BIND 8, this enabled keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9.
This option is obsolete.
It was used in BIND 8 to
determine whether a transaction log was
kept for Incremental Zone Transfer. BIND 9 maintains a transaction
log whenever possible. If you need to disable outgoing
incremental zone
transfers, use provide-ixfr no.
If yes, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
The default is no.
This option was used in BIND 8 to allow a domain name to have multiple CNAME records in violation of the DNS standards. BIND 9.2 onwards always strictly enforces the CNAME rules both in master files and dynamic updates.
If yes (the default),
DNS NOTIFY messages are sent when a zone the server is
authoritative for
changes, see the section called “Notify”. The messages are
sent to the
servers listed in the zone's NS records (except the master
server identified
in the SOA MNAME field), and to any servers listed in the
also-notify option.
If master-only, notifies are only
sent
for master zones.
If explicit, notifies are sent only
to
servers explicitly listed using also-notify.
If no, no notifies are sent.
The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash.
If yes do not check the nameservers
in the NS RRset against the SOA MNAME. Normally a NOTIFY
message is not sent to the SOA MNAME (SOA ORIGIN) as it is
supposed to contain the name of the ultimate master.
Sometimes, however, a slave is listed as the SOA MNAME in
hidden master configurations and in that case you would
want the ultimate master to still send NOTIFY messages to
all the nameservers listed in the NS RRset.
If yes, and a
DNS query requests recursion, then the server will attempt
to do
all the work required to answer the query. If recursion is
off
and the server does not already know the answer, it will
return a
referral response. The default is
yes.
Note that setting recursion no does not prevent
clients from getting data from the server's cache; it only
prevents new data from being cached as an effect of client
queries.
Caching may still occur as an effect the server's internal
operation, such as NOTIFY address lookups.
If yes, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the resolver category at level
info.
The default is no.
If yes, then a SIT (Source
Identity Token) EDNS option is sent along with
the query. If the resolver has previously talked
to the server, the SIT returned in the previous
transaction is sent. This is used by the server
to determine whether the resolver has talked to
it before. A resolver sending the correct SIT is
assumed not to be an off-path attacker sending a
spoofed-source query; the query is therefore
unlikely to be part of a reflection/amplification
attack, so resolvers sending a correct SIT option
are not subject to response rate limiting (RRL).
Resolvers which do not send a correct SIT option
may be limited to receiving smaller responses via
the nosit-udp-size option.
Sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. A value below 128 will be silently raised to 128. The default value is 4096, but the max-udp-size option may further limit the response size.
If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system will generate a random secret at startup. The shared secret is encoded as a hex string and needs to be 128 bits for AES128, 160 bits for SHA1 and 256 bits for SHA256.
Setting this to yes will
cause the server to send NS records along with the SOA
record for negative
answers. The default is no.
Not yet implemented in BIND 9.
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, or dnssec-validation auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is yes.
This option is obsolete. BIND 9 always allocates query IDs from a pool.
This option is obsolete. If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option in the section called “server Statement Definition and Usage”. See also the section called “Incremental Zone Transfers (IXFR)”.
See the description of provide-ixfr in the section called “server Statement Definition and Usage”.
See the description of request-ixfr in the section called “server Statement Definition and Usage”.
This option was used in BIND 8 to make the server treat carriage return ("\r") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines are always accepted, and the option is ignored.
These options control the behavior of an authoritative server when answering queries which have additional data, or when following CNAME and DNAME chains.
When both of these options are set to yes
(the default) and a
query is being answered from authoritative data (a zone
configured into the server), the additional data section of
the
reply will be filled in using data from other authoritative
zones
and from the cache. In some situations this is undesirable,
such
as when there is concern over the correctness of the cache,
or
in servers where slave zones may be added and modified by
untrusted third parties. Also, avoiding
the search for this additional data will speed up server
operations
at the possible expense of additional queries to resolve
what would
otherwise be provided in the additional section.
For example, if a query asks for an MX record for host foo.example.com,
and the record found is "MX 10 mail.example.net", normally the address
records (A and AAAA) for mail.example.net will be provided as well,
if known, even though they are not in the example.com zone.
Setting these options to no
disables this behavior and makes
the server only search for additional data in the zone it
answers from.
These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set them to no without also specifying recursion no will cause the server to ignore the options and log a warning message.
Specifying additional-from-cache no actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue.
When a name server is non-recursively queried for a name that is not below the apex of any served zone, it normally answers with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server will not be able to provide upwards referrals when additional-from-cache no has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals are not required for the resolution process.
If yes, then an
IPv4-mapped IPv6 address will match any address match
list entries that match the corresponding IPv4 address.
This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, named now solves this problem internally. The use of this option is discouraged.
This option is only available when
BIND 9 is compiled with the
--enable-filter-aaaa option on the
"configure" command line. It is intended to help the
transition from IPv4 to IPv6 by not giving IPv6 addresses
to DNS clients unless they have connections to the IPv6
Internet. This is not recommended unless absolutely
necessary. The default is no.
The filter-aaaa-on-v4 option
may also be specified in view statements
to override the global filter-aaaa-on-v4
option.
If yes,
the DNS client is at an IPv4 address, in filter-aaaa,
and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
If break-dnssec,
then AAAA records are deleted even when DNSSEC is enabled.
As suggested by the name, this makes the response not verify,
because the DNSSEC protocol is designed detect deletions.
This mechanism can erroneously cause other servers to not give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is using IPv6.
This mechanism is applied to authoritative as well as non-authoritative records. A client using IPv4 that is not allowed recursion can erroneously be given AAAA records because the server is not allowed to check for A records.
Some AAAA records are given to IPv4 clients in glue records. IPv4 clients that are servers can then erroneously answer requests for AAAA records received via IPv4.
Identical to filter-aaaa-on-v4,
except it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to yes.
When yes and the server loads a new
version of a master zone from its zone file or receives a
new version of a slave file via zone transfer, it will
compare the new version to the previous one and calculate
a set of differences. The differences are then logged in
the zone's journal file such that the changes can be
transmitted to downstream slaves as an incremental zone
transfer.
By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different from the previous one, the set of differences will be of a size comparable to the combined size of the old and new zone version, and the server will need to temporarily allocate memory to hold this complete difference set.
ixfr-from-differences also accepts master and slave at the view and options levels which causes ixfr-from-differences to be enabled for all master or slave zones respectively. It is off by default.
This should be set when you have multiple masters for a zone
and the
addresses refer to different machines. If yes, named will
not log
when the serial number on the master is less than what named
currently
has. The default is no.
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits
keys to be updated and the zone fully re-signed
whenever the user issues the command rndc sign
zonename.
auto-dnssec maintain; includes the
above, but also automatically adjusts the zone's DNSSEC
keys on schedule, according to the keys' timing metadata
(see dnssec-keygen(8) and
dnssec-settime(8)). The command
rndc sign
zonename causes
named to load keys from the key
repository and sign the zone with all keys that are
active.
rndc loadkeys
zonename causes
named to load keys from the key
repository and schedule key maintenance events to occur
in the future, but it does not sign the full zone
immediately. Note: once keys have been loaded for a
zone the first time, the repository will be searched
for changes periodically, regardless of whether
rndc loadkeys is used. The recheck
interval is defined by
dnssec-loadkeys-interval.)
The default setting is auto-dnssec off.
This indicates whether DNSSEC-related resource
records are to be returned by named.
If set to no,
named will not return DNSSEC-related
resource records unless specifically queried for.
The default is yes.
Enable DNSSEC validation in named.
Note dnssec-enable also needs to be
set to yes to be effective.
If set to no, DNSSEC validation
is disabled.
If set to auto, DNSSEC validation
is enabled, and a default trust anchor for the DNS root
zone is used. If set to yes,
DNSSEC validation is enabled, but a trust anchor must be
manually configured using a trusted-keys
or managed-keys statement. The default
is yes.
The default root trust anchor is stored in the file
bind.keys.
named will load that key at
startup if dnssec-validation is
set to auto. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
bind.keys can be downloaded
from https://www.isc.org/bind-keys.
To prevent problems if bind.keys is
not found, the current trust anchor is also compiled in
to named. Relying on this is not
recommended, however, as it requires named
to be recompiled with a new key when the root key expires.)
named only
loads the root key from bind.keys.
The file cannot be used to store keys for other zones.
The root key in bind.keys is ignored
if dnssec-validation auto is not in
use.
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
Accept expired signatures when verifying DNSSEC signatures.
The default is no.
Setting this option to yes
leaves named vulnerable to
replay attacks.
Specify whether query logging should be started when named starts. If querylog is not specified, then the query logging is determined by the presence of the logging category queries.
This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore.
The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.
check-names applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
Check master zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. The default is to warn. Other possible values are fail and ignore.
Check whether the MX record appears to refer to a IP address. The default is to warn. Other possible values are fail and ignore.
This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option affects master zones. The default (yes) is to check for non-terminal wildcards and issue a warning.
Perform post load zone integrity checks on master zones. This checks that MX and SRV records refer to address (A or AAAA) records and that glue address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use named-checkzone). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency checks use named-checkzone). The default is yes.
The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with check-spf.
If check-integrity is set then fail, warn or ignore MX records that refer to CNAMES. The default is to warn.
If check-integrity is set then fail, warn or ignore SRV records that refer to CNAMES. The default is to warn.
When performing integrity checks, also check that sibling glue exists. The default is yes.
If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn.
When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. The default is yes.
When caching a negative response to a SOA query set the TTL to zero. The default is no.
When set to the default value of yes,
check the KSK bit in each key to determine how the key
should be used when generating RRSIGs for a secure zone.
Ordinarily, zone-signing keys (that is, keys without the
KSK bit set) are used to sign the entire zone, while
key-signing keys (keys with the KSK bit set) are only
used to sign the DNSKEY RRset at the zone apex.
However, if this option is set to no,
then the KSK bit is ignored; KSKs are treated as if they
were ZSKs and are used to sign the entire zone. This is
similar to the dnssec-signzone -z
command line option.
When this option is set to yes, there
must be at least two active keys for every algorithm
represented in the DNSKEY RRset: at least one KSK and one
ZSK per algorithm. If there is any algorithm for which
this requirement is not met, this option will be ignored
for that algorithm.
When this option and update-check-ksk
are both set to yes, only key-signing
keys (that is, keys with the KSK bit set) will be used
to sign the DNSKEY RRset at the zone apex. Zone-signing
keys (keys without the KSK bit set) will be used to sign
the remainder of the zone, but not the DNSKEY RRset.
This is similar to the
dnssec-signzone -x command line option.
The default is no. If
update-check-ksk is set to
no, this option is ignored.
Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is yes.
Allow a dynamic zone to transition from secure to insecure (i.e., signed to unsigned) by deleting all of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset at the zone apex is deleted, all RRSIG and NSEC records will be removed from the zone as well.
If the zone uses NSEC3, then it is also necessary to delete the NSEC3PARAM RRset from the zone apex; this will cause the removal of all corresponding NSEC3 records. (It is expected that this requirement will be eliminated in a future release.)
Note that if a zone has been configured with auto-dnssec maintain and the private keys remain accessible in the key repository, then the zone will be automatically signed again the next time named is started.
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
This option is only meaningful if the
forwarders list is not empty. A value of first,
the default, causes the server to query the forwarders
first — and
if that doesn't answer the question, the server will then
look for
the answer itself. If only is
specified, the
server will only query the forwarders.
Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).
Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, or not forward at all, see the section called “zone Statement Grammar”.
Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 on the host machine.
Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual stacked, then the dual-stack-servers have no effect unless access to a transport has been disabled on the command line (e.g. named -4).
Access to the server can be restricted based on the IP address of the requesting system. See the section called “Address Match Lists” for details on how to specify IP address lists.
Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.
Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
allow-query-cache is now used to specify access to the cache.
Specifies which local addresses can accept ordinary DNS questions. This makes it possible, for instance, to allow queries on internal-facing interfaces but disallow them on external-facing ones, without necessarily knowing the internal network's addresses.
Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it will be refused.
allow-query-on may also be specified in the zone statement, in which case it overrides the options allow-query-on statement.
If not specified, the default is to allow queries on all addresses.
allow-query-cache is used to specify access to the cache.
Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used.
Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, localnets and localhost.
Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.
Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses.
Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see the section called “Dynamic Update Security” for details.
Specifies which hosts are allowed to
submit Dynamic DNS updates to slave zones to be forwarded to
the
master. The default is { none; },
which
means that no update forwarding will be performed. To
enable
update forwarding, specify
allow-update-forwarding { any; };.
Specifying values other than { none; } or
{ any; } is usually
counterproductive, since
the responsibility for update access control should rest
with the
master server, not the slaves.
Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see the section called “Dynamic Update Security” for more details.
This option was introduced for the smooth transition from AAAA to A6 and from "nibble labels" to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages.
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers to all hosts.
Specifies a list of addresses that the
server will not accept queries from or use to resolve a
query. Queries
from these addresses will not be responded to. The default
is none.
Specifies a list of addresses to which
filter-aaaa-on-v4
and filter-aaaa-on-v6
apply. The default is any.
Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisons.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circumstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all responses for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
The amount of time the resolver will spend attempting
to resolve a recursive query before failing. The default
and minimum is 10 and the maximum is
30. Setting it to 0
will result in the default being used.
The interfaces and ports that the server will answer queries
from may be specified using the listen-on option. listen-on takes
an optional port and an address_match_list
of IPv4 addresses. (IPv6 addresses are ignored, with a
logged warning.)
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
Multiple listen-on statements are allowed. For example,
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces.
The listen-on-v6 option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6. If not specified, the server will listen on port 53 on all IPv6 interfaces.
When
{ any; }
is
specified
as the address_match_list for the
listen-on-v6 option,
the server does not bind a separate socket to each IPv6 interface
address as it does for IPv4 if the operating system has enough API
support for IPv6 (specifically if it conforms to RFC 3493 and RFC
3542).
Instead, it listens on the IPv6 wildcard address.
If the system only has incomplete API support for IPv6, however,
the behavior is the same as that for IPv4.
A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system. IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning.
Multiple listen-on-v6 options can be used. For example,
listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
will enable the name server on port 53 for any IPv6 addresses (with a single wildcard socket), and on port 1234 of IPv6 addresses that is not in the prefix 2001:db8::/32 (with separate sockets for each matched address.)
To make the server not listen on any IPv6 address, use
listen-on-v6 { none; };
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) will be used.
If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.
The defaults of the query-source and query-source-v6 options are:
query-source address * port *; query-source-v6 address * port *;
If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults:
use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
Note: make sure the ranges be sufficiently large for security. A desirable size depends on various parameters, but we generally recommend it contain at least 16384 ports (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be changed while named is running; the new range will automatically be applied when named is reloaded. It is encouraged to configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications.
Note: the operational configuration where named runs may prohibit the use of some ports. For example, UNIX systems will not allow named running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay. It is therefore important to configure the set of ports that can be safely used in the expected operational environment.
The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are:
avoid-v4-udp-ports {};
avoid-v6-udp-ports {};
Note: BIND 9.5.0 introduced the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the query-source or query-source-v6 options; it implicitly disables the use of randomized port numbers.
This option is obsolete.
This option is obsolete.
This option is obsolete.
The address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port.
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
See also transfer-source and notify-source.
BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.
Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views. In place of explicit addresses, one or more named masters lists can be used.
If an also-notify list is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list).
Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one.
In addition to controlling the rate SOA refresh queries are issued at, serial-query-rate also controls the rate at which NOTIFY messages are sent from both master and slave zones.
In BIND 8, the serial-queries option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined using the serial-query-rate option.
Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the master server to determine which format it sends. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only supported by relatively new slave servers, such as BIND 9, BIND 8.x and BIND 4.9.5 onwards. The many-answers format is also supported by recent Microsoft Windows nameservers. The default is many-answers. transfer-format may be overridden on a per-server basis by using the server statement.
The maximum number of inbound zone transfers
that can be running concurrently. The default value is 10.
Increasing transfers-in may
speed up the convergence
of slave zones, but it also may increase the load on the
local system.
The maximum number of outbound zone transfers
that can be running concurrently. Zone transfer requests in
excess
of the limit will be refused. The default value is 10.
The maximum number of inbound zone transfers
that can be concurrently transferring from a given remote
name server.
The default value is 2.
Increasing transfers-per-ns
may
speed up the convergence of slave zones, but it also may
increase
the load on the remote name server. transfers-per-ns may
be overridden on a per-server basis by using the transfers phrase
of the server statement.
transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
The same as transfer-source, except zone transfers are performed using IPv6.
An alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set.
If you do not wish the alternate transfer source to be used, you should set use-alt-transfer-source appropriately and you should not depend upon getting an answer back to the first refresh query.
An alternate transfer source if the one listed in transfer-source-v6 fails and use-alt-transfer-source is set.
Use the alternate transfer sources or not. If views are specified this defaults to no otherwise it defaults to yes (for BIND 8 compatibility).
notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
Like notify-source, but applies to notify messages sent to IPv6 addresses.
use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. See the section called “Query Address” about how the available ports are determined. For example, with the following configuration
use-v6-udp-ports { range 32768 65535; };
avoid-v6-udp-ports { 40000; range 50000 60000; };
UDP ports of IPv6 messages sent from named will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535.
avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a firewall, the answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification.
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See the description of size_spec in the section called “Configuration File Elements”.
The following options set operating system resource limits for the name server process. Some operating systems don't support some or any of the limits. On such systems, a warning will be issued if the unsupported limit is used.
The maximum size of a core dump. The default
is default.
The maximum amount of data memory the server
may use. The default is default.
This is a hard limit on server memory usage.
If the server attempts to allocate memory in excess of this
limit, the allocation will fail, which may in turn leave
the server unable to perform DNS service. Therefore,
this option is rarely useful as a way of limiting the
amount of memory used by the server, but it can be used
to raise an operating system data size limit that is
too small by default. If you wish to limit the amount
of memory used by the server, use the
max-cache-size and
recursive-clients
options instead.
The maximum number of files the server
may have open concurrently. The default is unlimited.
The maximum amount of stack memory the server
may use. The default is default.
The following options set limits on the server's resource consumption that are enforced internally by the server rather than the operating system.
This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option max-journal-size performs a similar function in BIND 9.
Sets a maximum size for each journal file
(see the section called “The journal file”). When the journal file
approaches
the specified size, some of the oldest transactions in the
journal
will be automatically removed. The largest permitted
value is 2 gigabytes. The default is
unlimited, which also
means 2 gigabytes.
This may also be set on a per-zone basis.
The maximum number of records permitted in a zone. The default is zero which means unlimited.
In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9.
The maximum number ("hard quota") of simultaneous
recursive lookups the server will perform on behalf
of clients. The default is
1000. Because each recursing
client uses a fair
bit of memory (on the order of 20 kilobytes), the
value of the
recursive-clients option may
have to be decreased on hosts with limited memory.
recursive-clients defines a "hard
quota" limit for pending recursive clients: when more
clients than this are pending, new incoming requests
will not be accepted, and for each incoming request
a previous pending request will also be dropped.
A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
for each one, a pending request will be dropped.
If recursive-clients is greater than
1000, the soft quota is set to
recursive-clients minus 100;
otherwise it is set to 90% of
recursive-clients.
The maximum number of simultaneous client TCP
connections that the server will accept.
The default is 100.
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
The maximum number of simultaneous iterative
queries to any one domain that the server will
permit before blocking new queries for data
in or beneath that zone.
This value should reflect how many fetches would
normally be sent to any one zone in the time it
would take to resolve them. It should be smaller
than recursive-clients.
When many clients simultaneously query for the
same name and type, the clients will all be attached
to the same fetch, up to the
max-clients-per-query limit,
and only one iterative query will be sent.
However, when clients are simultaneously
querying for different names
or types, multiple queries will be sent and
max-clients-per-query is not
effective as a limit.
Optionally, this value may be followed by the keyword
drop or fail,
indicating whether queries which exceed the fetch
quota for a zone will be dropped with no response,
or answered with SERVFAIL. The default is
drop.
If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by
running rndc recursing. The list
includes the number of active fetches for each
domain and the number of queries that have been
passed or dropped as a result of the
fetches-per-zone limit. (Note:
these counters are not cumulative over time; whenever
the number of active fetches for a domain drops to
zero, the counter for that domain is deleted, and the
next time a fetch is sent to that domain, it is
recreated with the counters set to zero.)
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
The maximum number of simultaneous iterative
queries that the server will allow to be sent to
a single upstream name server before blocking
additional queries.
This value should reflect how many fetches would
normally be sent to any one server in the time it
would take to resolve them. It should be smaller
than recursive-clients.
Optionally, this value may be followed by the keyword
drop or fail,
indicating whether queries will be dropped with no
response, or answered with SERVFAIL, when all of the
servers authoritative for a zone are found to have
exceeded the per-server quota. The default is
fail.
If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
Sets the parameters to use for dynamic resizing of
the fetches-per-server quota in
response to detected congestion.
The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces named listens on, tcp-clients as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is 512.
The minimum value is 128 and the
maximum value is 128 less than
maxsockets (-S). This option may be removed in the future.
This option has little effect on Windows.
The maximum amount of memory to use for the
server's cache, in bytes.
When the amount of data in the cache
reaches this limit, the server will cause records to
expire prematurely based on an LRU based strategy so
that the limit is not exceeded.
The keyword unlimited,
or the value 0, will place no limit on cache size;
records will be purged from the cache only when their
TTLs expire.
Any positive values less than 2MB will be ignored
and reset to 2MB.
In a server with multiple views, the limit applies
separately to the cache of each view.
The default is unlimited.
The listen queue depth. The default and minimum is 10. If the kernel supports the accept filter "dataready" this also controls how many TCP connections that will be queued in kernel space waiting for some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also be used; on most platforms this sets the listen queue length to a system-defined default value.
This interval is effectively obsolete. Previously, the server would remove expired resource records from the cache every cleaning-interval minutes. BIND 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior.
The server will perform zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur.
The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, the server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and will stop listening on interfaces that have gone away.
Name server statistics will be logged every statistics-interval minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged.
Not yet implemented in BIND 9.
In BIND 8, this option indicated network topology so that preferential treatment could be given to the topologicaly closest name servers when sending queries. It is not implemented in BIND 9.
The response to a DNS query may consist of multiple resource records (RRs) forming a resource record set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in the section called “RRset Ordering”). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client's address. This only requires configuring the name servers, not all the clients.
The sortlist statement (see below) takes an address_match_list and interprets it in a special way. Each top level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of the query until a match is found.
Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is interpreted as a topology preference list. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response.
In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on their directly connected networks.
sortlist {
// IF the local host
// THEN first fit on the following nets
{ localhost;
{ localnets;
192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
// IF on class C 192.168.1 THEN use .1, or .2 or .3
{ 192.168.1/24;
{ 192.168.1/24;
{ 192.168.2/24; 192.168.3/24; }; }; };
// IF on class C 192.168.2 THEN use .2, or .1 or .3
{ 192.168.2/24;
{ 192.168.2/24;
{ 192.168.1/24; 192.168.3/24; }; }; };
// IF on class C 192.168.3 THEN use .3, or .1 or .2
{ 192.168.3/24;
{ 192.168.3/24;
{ 192.168.1/24; 192.168.2/24; }; }; };
// IF .4 or .5 THEN prefer that net
{ { 192.168.4/24; 192.168.5/24; };
};
};
The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted.
sortlist {
{ localhost; localnets; };
{ localnets; };
};
When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. The rrset-order statement permits configuration of the ordering of the records in a multiple record response. See also the sortlist statement, the section called “The sortlist Statement”.
An order_spec is defined as follows:
[class class_name]
[type type_name]
[name "domain_name"]
order ordering
If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk).
The legal values for ordering are:
|
fixed |
Records are returned in the order they are defined in the zone file. |
|
random |
Records are returned in some random order. |
|
cyclic |
Records are returned in a cyclic round-robin order. If BIND is configured with the "--enable-fixed-rrset" option at compile time, then the initial ordering of the RRset will match the one specified in the zone file. |
For example:
rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
will cause any responses for type A records in class IN that
have "host.example.com" as a
suffix, to always be returned
in random order. All other records are returned in cyclic order.
If multiple rrset-order statements appear, they are not combined — the last one applies.
By default, all records are returned in random order.
In this release of BIND 9, the rrset-order statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line.
Sets the number of seconds to cache a
lame server indication. 0 disables caching. (This is
NOT recommended.)
The default is 600 (10 minutes) and the
maximum value is
1800 (30 minutes).
Lame-ttl also controls the amount of time DNSSEC validation failures are cached. There is a minimum of 30 seconds applied to bad cache entries if the lame-ttl is set to less than 30 seconds.
To reduce network traffic and increase performance,
the server stores negative answers. max-ncache-ttl is
used to set a maximum retention time for these answers in
the server
in seconds. The default
max-ncache-ttl is 10800 seconds (3 hours).
max-ncache-ttl cannot exceed
7 days and will
be silently truncated to 7 days if set to a greater value.
Sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). A value of zero may cause all queries to return SERVFAIL, because of lost caches of intermediate RRsets (such as NS and glue AAAA/A records) in the resolution process.
The minimum number of root servers that
is required for a request for the root servers to be
accepted. The default
is 2.
Not implemented in BIND 9.
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (the section called “Dynamic Update”) will expire. There
is an optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified, the signatures will
be regenerated at 1/4 of base interval. The second
field is specified in days if the base interval is
greater than 7 days otherwise it is specified in hours.
The default base interval is 30 days
giving a re-signing interval of 7 1/2 days. The maximum
values are 10 years (3660 days).
The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.
The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates.
Specify the maximum number of nodes to be
examined in each quantum when signing a zone with
a new DNSKEY. The default is
100.
Specify a threshold number of signatures that
will terminate processing a quantum when signing
a zone with a new DNSKEY. The default is
10.
Specify a private RDATA type to be used when generating
signing state records. The default is
65534.
It is expected that this parameter may be removed in a future version once there is a standard type.
Signing state records are used to internally by
named to track the current state of
a zone-signing process, i.e., whether it is still active
or has been completed. The records can be inspected
using the command
rndc signing -list zone.
Once named has finished signing
a zone with a particular key, the signing state
record associated with that key can be removed from
the zone by running
rndc signing -clear keyid/algorithm zone.
To clear all of the completed signing state
records for a zone, use
rndc signing -clear all zone.
These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, up to a hard-coded maximum expiry of 24 weeks. However, these values are set by the master, giving slave server administrators little control over their contents.
These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.
The following defaults apply. min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds (2 weeks).
Sets the maximum advertised EDNS UDP buffer size in bytes, to control the size of packets received from authoritative servers in response to recursive queries. Valid values are 512 to 4096 (values outside this range will be silently adjusted to the nearest value within it). The default value is 4096.
The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP DNS packets that are greater than 512 bytes.
When named first queries a remote server, it will advertise a UDP buffer size of 512, as this has the greatest chance of success on the first try.
If the initial response times out, named will try again with plain DNS, and if that is successful, it will be taken as evidence that the server does not support EDNS. After enough failures using EDNS and successes using plain DNS, named will default to plain DNS for future communications with that server. (Periodically, named will send an EDNS query to see if the situation has improved.)
However, if the initial query is successful with EDNS advertising a buffer size of 512, then named will advertise progressively larger buffer sizes on successive queries, until responses begin timing out or edns-udp-size is reached.
The default buffer sizes used by named are 512, 1232, 1432, and 4096, but never exceeding edns-udp-size. (The values 1232 and 1432 are chosen to allow for an IPv4/IPv6 encapsulated UDP message to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.)
Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted to the nearest value within it). The default value is 4096.
This value applies to responses sent by a server; to set the advertised buffer size in queries, see edns-udp-size.
The usual reason for setting max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive buffer (edns-udp-size).
Setting this to a low value will encourage additional TCP traffic to the nameserver.
Specifies
the file format of zone files (see
the section called “Additional File Formats”).
The default value is text, which is the
standard textual representation, except for slave zones,
in which the default value is raw.
Files in other formats than text are
typically expected to be generated by the
named-compilezone tool, or dumped by
named.
Note that when a zone file in a different format than
text is loaded, named
may omit some of the checks which would be performed for a
file in the text format. In particular,
check-names checks do not apply
for the raw format. This means
a zone file in the raw format
must be generated with the same check level as that
specified in the named configuration
file. Also, map format files are
loaded directly into memory via memory mapping, with only
minimal checking.
This statement sets the masterfile-format for all zones, but can be overridden on a per-zone or per-view basis by including a masterfile-format statement within the zone or view block in the configuration file.
Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75.
The delay, in seconds, between sending sets of notify messages for a zone. The default is five (5) seconds.
The overall rate that NOTIFY messages are sent for all zones is controlled by serial-query-rate.
The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
When a query is received for cached data which is to expire shortly, named can refresh the data from the authoritative server immediately, ensuring that the cache always has an answer available.
The prefetch specifies the
"trigger" TTL value at which prefetch of the current
query will take place: when a cache record with a
lower TTL value is encountered during query processing,
it will be refreshed. Valid trigger TTL values are 1 to
10 seconds. Values larger than 10 seconds will be silently
reduced to 10.
Setting a trigger TTL to zero (0) causes
prefetch to be disabled.
The default trigger TTL is 2.
An optional second argument specifies the "eligibility"
TTL: the smallest original
TTL value that will be accepted for a record to be
eligible for prefetching. The eligibility TTL must
be at least six seconds longer than the trigger TTL;
if it isn't, named will silently
adjust it upward.
The default eligibility TTL is 9.
The server provides some helpful diagnostic information
through a number of built-in zones under the
pseudo-top-level-domain bind in the
CHAOS class. These zones are part
of a
built-in view (see the section called “view Statement Grammar”) of
class
CHAOS which is separate from the
default view of class IN. Most global
configuration options (allow-query,
etc) will apply to this view, but some are locally
overridden: notify,
recursion and
allow-new-zones are
always set to no, and
rate-limit is set to allow
three responses per second.
If you need to disable these zones, use the options below, or hide the built-in CHAOS view by defining an explicit view of class CHAOS that matches all clients.
The version the server should report
via a query of the name version.bind
with type TXT, class CHAOS.
The default is the real version number of this server.
Specifying version none
disables processing of the queries.
The hostname the server should report via a query of
the name hostname.bind
with type TXT, class CHAOS.
This defaults to the hostname of the machine hosting the
name server as
found by the gethostname() function. The primary purpose of such queries
is to
identify which of a group of anycast servers is actually
answering your queries. Specifying hostname none;
disables processing of the queries.
The ID the server should report when receiving a Name
Server Identifier (NSID) query, or a query of the name
ID.SERVER with type
TXT, class CHAOS.
The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying server-id none;
disables processing of the queries.
Specifying server-id hostname; will cause named to
use the hostname as found by the gethostname() function.
The default server-id is none.
Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally and which queries should not be sent to the Internet's root servers. The official servers which cover these namespaces return NXDOMAIN responses to these queries. In particular, these cover the reverse namespaces for addresses from RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address.
Named will attempt to determine if a built-in zone already exists or is active (covered by a forward-only forwarding declaration) and will not create an empty zone in that case.
The current list of empty zones is:
Empty zones are settable at the view level and only apply to views of class IN. Disabled empty zones are only inherited from options if there are no disabled empty zones specified at the view level. To override the options list of disabled zones, you can disable the root zone at the view level, for example:
disable-empty-zone ".";
If you are using the address ranges covered here, you should already have reverse zones covering the addresses you use. In practice this appears to not be the case with many queries being made to the infrastructure servers for names in these spaces. So many in fact that sacrificial servers were needed to be deployed to channel the query load away from the infrastructure servers.
The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree.
Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used.
Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used.
Enable or disable all empty zones. By default, they are enabled.
Disable individual empty zones. By default, none are disabled. This option can be specified multiple times.
The additional section cache, also called acache, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. Note that acache is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function.
Additional section caching does not change the response content (except the RRsets ordering of the additional section, see below), but can improve the response performance significantly. It is particularly effective when BIND 9 acts as an authoritative server for a zone that has many delegations with many glue RRs.
In order to obtain the maximum performance improvement from additional section caching, setting additional-from-cache to no is recommended, since the current implementation of acache does not short-cut of additional section information from the DNS cache data.
One obvious disadvantage of acache is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the acache mechanism can be disabled by setting acache-enable to no. It is also possible to specify the upper limit of memory consumption for acache by using max-acache-size.
Additional section caching also has a minor effect on the RRset ordering in the additional section. Without acache, cyclic order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the setting of rrset-order. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases it only contains a single RR), in which case the ordering does not matter much.
The following is a summary of options related to acache.
If yes, additional section caching is enabled. The default value is no.
The server will remove stale cache entries, based on an LRU based algorithm, every acache-cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.
The maximum amount of memory in bytes to use for the server's acache.
When the amount of data in the acache reaches this limit,
the server
will clean more aggressively so that the limit is not
exceeded.
In a server with multiple views, the limit applies
separately to the
acache of each view.
The default is 16M.
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
certain types of data in the answer section.
Specifically, it can reject address (A or AAAA) records if
the corresponding IPv4 or IPv6 addresses match the given
address_match_list of the
deny-answer-addresses option.
It can also reject CNAME or DNAME records if the "alias"
name (i.e., the CNAME alias or the substituted query name
due to DNAME) matches the
given namelist of the
deny-answer-aliases option, where
"match" means the alias name is a subdomain of one of
the name_list elements.
If the optional namelist is specified
with except-from, records whose query name
matches the list will be accepted regardless of the filter
setting.
Likewise, if the alias name is a subdomain of the
corresponding zone, the deny-answer-aliases
filter will not apply;
for example, even if "example.com" is specified for
deny-answer-aliases,
www.example.com. CNAME xxx.example.com.
returned by an "example.com" server will be accepted.
In the address_match_list of the
deny-answer-addresses option, only
ip_addr
and ip_prefix
are meaningful;
any key_id will be silently ignored.
If a response message is rejected due to the filtering, the entire message is discarded without being cached, and a SERVFAIL error will be returned to the client.
This filtering is intended to prevent "DNS rebinding attacks," in which an attacker, in response to a query for a domain name the attacker controls, returns an IP address within your own network or an alias name within your own domain. A naive web browser or script could then serve as an unintended proxy, allowing the attacker to get access to an internal node of your local network that couldn't be externally accessed otherwise. See the paper available at http://portal.acm.org/citation.cfm?id=1315245.1315298 for more details about the attacks.
For example, if you own a domain named "example.net" and your internal network uses an IPv4 prefix 192.0.2.0/24, you might specify the following rules:
deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
deny-answer-aliases { "example.net"; };
If an external attacker lets a web browser in your local network look up an IPv4 address of "attacker.example.com", the attacker's DNS server would return a response like this:
attacker.example.com. A 192.0.2.1
in the answer section. Since the rdata of this record (the IPv4 address) matches the specified prefix 192.0.2.0/24, this response will be ignored.
On the other hand, if the browser looks up a legitimate internal web server "www.example.net" and the following response is returned to the BIND 9 server
www.example.net. A 192.0.2.2
it will be accepted since the owner name "www.example.net" matches the except-from element, "example.net".
Note that this is not really an attack on the DNS per se. In fact, there is nothing wrong for an "external" name to be mapped to your "internal" IP address or domain name from the DNS point of view. It might actually be provided for a legitimate purpose, such as for debugging. As long as the mapping is provided by the correct owner, it is not possible or does not make sense to detect whether the intent of the mapping is legitimate or not within the DNS. The "rebinding" attack must primarily be protected at the application that uses the DNS. For a large site, however, it may be difficult to protect all possible applications at once. This filtering feature is provided only to help such an operational environment; it is generally discouraged to turn it on unless you are very sure you have no other choice and the attack is a real threat for your applications.
Care should be particularly taken if you want to use this option for addresses within 127.0.0.0/8. These addresses are obviously "internal", but many applications conventionally rely on a DNS mapping from some name to such an address. Filtering out DNS records containing this address spuriously can break such applications.
BIND 9 includes a limited mechanism to modify DNS responses for requests analogous to email anti-spam DNS blacklists. Responses can be changed to deny the existence of domains (NXDOMAIN), deny the existence of IP addresses for domains (NODATA), or contain other IP addresses or data.
Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones.
A response-policy option can support multiple policy zones. To maximize performance, a radix tree is used to quickly identify response policy zones containing triggers that match the current query. This imposes an upper limit of 32 on the number of policy zones in a single response-policy option; more than that is a configuration error.
Five policy triggers can be encoded in RPZ records.
IP records are triggered by the IP address of the
DNS client.
Client IP address triggers are encoded in records that have
owner names that are subdomains of
rpz-client-ip relativized to the
policy zone origin name
and encode an address or address block.
IPv4 addresses are represented as
prefixlength.B4.B3.B2.B1.rpz-client-ip.
The IPv4 prefix length must be between 1 and 32.
All four bytes, B4, B3, B2, and B1, must be present.
B4 is the decimal value of the least significant byte of the
IPv4 address as in IN-ADDR.ARPA.
IPv6 addresses are encoded in a format similar
to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip.
Each of W8,...,W1 is a one to four digit hexadecimal number
representing 16 bits of the IPv6 address as in the standard
text representation of IPv6 addresses, but reversed as in
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
digit occupies a label.)
All 8 words must be present except when one set of consecutive
zero words is replaced with .zz.
analogous to double colons (::) in standard IPv6 text
encodings.
The IPv6 prefix length must be between 1 and 128.
QNAME policy records are triggered by query names of requests and targets of CNAME records resolved to generate the response. The owner name of a QNAME policy record is the query name relativized to the policy zone.
IP triggers are IP addresses in an A or AAAA record in the ANSWER section of a response. They are encoded like client-IP triggers except as subdomains of rpz-ip.
NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdname relativized to the RPZ origin name. NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records.
NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains.
The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses are rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. Triggers or the records that encode them are chosen for the rewriting in the following order:
When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, all response policy zones are again consulted for the DNAME or CNAME names and addresses.
RPZ record sets are any types of DNS record except DNAME or DNSSEC that encode actions or responses to individual queries. Any of the policies can be used with any of the triggers. For example, while the TCP-only policy is commonly used with client-IP triggers, it cn be used with any type of trigger to force the use of TCP for responses with owner names in a zone.
The whitelist policy is specified by a CNAME whose target is rpz-passthru. It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks.
The blacklist policy is specified by a CNAME whose target is rpz-drop. It causes the response to be discarded. Nothing is sent to the DNS client.
The "slip" policy is specified by a CNAME whose target is rpz-tcp-only. It changes UDP responses to short, truncated DNS responses that require the DNS client to try again with TCP. It is used to mitigate distributed DNS reflection attacks.
The domain undefined response is encoded by a CNAME whose target is the root domain (.)
The empty set of resource records is specified by CNAME whose target is the wildcard top-level domain (*.). It rewrites the response to NODATA or ANCOUNT=1.
A set of ordinary DNS records can be used to answer queries. Queries for record types not the set are answered with NODATA.
A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) has been replaced with the query name. The purpose for this special form is query logging in the walled garden's authority DNS server.
All of the actions specified in all of the individual records in a policy zone can be overridden with a policy clause in the response-policy option. An organization using a policy zone provided by another organization might use this mechanism to redirect domains to its own walled garden.
The placeholder policy says "do not override but perform the action specified in the zone."
The testing override policy causes policy zone records to do nothing but log what they would have done if the policy zone were not disabled. The response to the DNS query will be written (or not) according to any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first.
override with the corresponding per-record policy.
causes all RPZ policy records to act as if they were "cname domain" records.
By default, the actions encoded in a response policy zone are applied only to queries that ask for recursion (RD=1). That default can be changed for a single policy zone or all response policy zones in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values on the externally visible name server or view.
Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all response policy zones in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
No DNS records are needed for a QNAME or Client-IP trigger. The name or IP address itself is sufficient, so in principle the query name need not be recursively resolved. However, not resolving the requested name can leak the fact that response policy rewriting is in use and that the name is listed in a policy zone to operators of servers for listed names. To prevent that information leak, by default any recursion needed for a request is done before any policy triggers are considered. Because listed domains often have slow authoritative servers, this default behavior can cost significant time. The qname-wait-recurse no option overrides that default behavior when recursion cannot change a non-error response. The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution. It also does not affect DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. Using this option can cause error responses such as SERVFAIL to appear to be rewritten, since no recursion is being done to discover problems at the authoritative server.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
For example, you might use this option statement
response-policy { zone "badlist"; };
and this zone statement
zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };
with this zone file
$TTL 1H
@@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
AAAA 2001:2::1
bzone.domain.com CNAME garden.example.com.
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
*.bzone.domain.com CNAME *.garden.example.com.
; IP policy records that rewrite all responses containing A records in 127/8
; except 127.0.0.1
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
; NSDNAME and NSIP policy records
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
; blacklist and whitelist some DNS clients
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with responses-per-second (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomains-per-second (default base responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the responses-per-second value, but it can be set separately with errors-per-second.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ;
The server statement defines
characteristics
to be associated with a remote name server. If a prefix length is
specified, then a range of servers is covered. Only the most
specific
server clause applies regardless of the order in
named.conf.
The server statement can occur at the top level of the configuration file or inside a view statement. If a view statement contains one or more server statements, only those apply to the view and any top-level ones are ignored. If a view contains no server statements, any top-level server statements are used as defaults.
If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no.
The provide-ixfr clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the view or global options block is used as a default.
The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the request-ixfr option in the view or global options block is used as a default. It may also be set in the zone block and, if set there, it will override the global or view setting for that zone.
IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used.
The edns clause determines whether the local server will attempt to use EDNS when communicating with the remote server. The default is yes.
The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted to the nearest value within it). This option is useful when you wish to advertise a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies. (Note: Currently, this sets a single UDP size for all packets sent to the server; named will not deviate from this value. This differs from the behavior of edns-udp-size in options or view statements, where it specifies a maximum value. The server statement behavior may be brought into conformance with the options/view behavior in future releases.)
The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large replies from named.
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.
transfers is used to limit the number of concurrent inbound zone transfers from the specified server. If no transfers clause is specified, the limit is set according to the transfers-per-ns option.
The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key.
Only a single key per server is currently supported.
The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. For an IPv4 remote server, only transfer-source can be specified. Similarly, for an IPv6 remote server, only transfer-source-v6 can be specified. For more details, see the description of transfer-source and transfer-source-v6 in the section called “Zone Transfers”.
The notify-source and notify-source-v6 clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an IPv4 remote server, only notify-source can be specified. Similarly, for an IPv6 remote server, only notify-source-v6 can be specified.
The query-source and query-source-v6 clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 remote server, only query-source can be specified. Similarly, for an IPv6 remote server, only query-source-v6 can be specified.
The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
The request-sit clause determines whether the local server will add a SIT EDNS option to requests sent to the server. This overrides request-sit set at the view or option level. Named may determine that SIT is not supported by the remote server and not add a SIT EDNS option to requests.
statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... };
The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server.
This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2 and/or json-c (also known as libjson0); the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error.
An inet control channel is a TCP socket
listening at the specified ip_port on the
specified ip_addr, which can be an IPv4 or IPv6
address. An ip_addr of *
(asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an ip_addr of ::.
If no port is specified, port 80 is used for HTTP channels.
The asterisk "*" cannot be used for
ip_port.
The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately.
If no statistics-channels statement is present, named will not open any communication channels.
The statistics are available in various formats and views depending on the URI used to access them. For example, if the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
Broken-out subsets of the statistics can be viewed at http://127.0.0.1:8888/xml/v3/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/xml/v3/server (server and resolver statistics), http://127.0.0.1:8888/xml/v3/zones (zone statistics), http://127.0.0.1:8888/xml/v3/net (network status and socket statistics), http://127.0.0.1:8888/xml/v3/mem (memory manager statistics), http://127.0.0.1:8888/xml/v3/tasks (task manager statistics).
The full set of statistics can also be read in JSON format at http://127.0.0.1:8888/json, with the broken-out subsets at http://127.0.0.1:8888/json/v1/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/json/v1/server (server and resolver statistics), http://127.0.0.1:8888/json/v1/zones (zone statistics), http://127.0.0.1:8888/json/v1/net (network status and socket statistics), http://127.0.0.1:8888/json/v1/mem (memory manager statistics), http://127.0.0.1:8888/json/v1/tasks (task manager statistics).
trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ;
The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. Once a key has been configured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts DNSSEC validation on all DNS data in subdomains of a security root.
All keys (and corresponding zones) listed in trusted-keys are deemed to exist regardless of what parent zones say. Similarly for all keys listed in trusted-keys only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used.
The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base64 representation of the key data. Spaces, tabs, newlines and carriage returns are ignored in the key data, so the configuration may be split up into multiple lines.
trusted-keys may be set at the top level
of named.conf or within a view. If it is
set in both places, they are additive: keys defined at the top
level are inherited by all views, but keys defined in a view
are only used within that view.
managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ;
The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator.
Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had the old key in a trusted-keys statement would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had updated the trusted-keys statement with the new key.
If, however, the zone were listed in a managed-keys statement instead, then the zone owner could add a "stand-by" key to the zone in advance. named would store the stand-by key, and when the original key was revoked, named would be able to transition smoothly to the new key. It would also recognize that the old key had been revoked, and cease using that key to validate answers, minimizing the damage that the compromised key could do.
A managed-keys statement contains a list of
the keys to be managed, along with information about how the
keys are to be initialized for the first time. The only
initialization method currently supported is
initial-key.
This means the managed-keys statement must
contain a copy of the initializing key. (Future releases may
allow keys to be initialized by other methods, eliminating this
requirement.)
Consequently, a managed-keys statement
appears similar to a trusted-keys, differing
in the presence of the second field, containing the keyword
initial-key. The difference is, whereas the
keys listed in a trusted-keys continue to be
trusted until they are removed from
named.conf, an initializing key listed
in a managed-keys statement is only trusted
once: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
process.
The first time named runs with a managed key
configured in named.conf, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the key specified in the managed-keys
statement. If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
From that point on, whenever named runs, it sees the managed-keys statement, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database.
The next time named runs after a name has been removed from the managed-keys statement, the corresponding zone will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used for that domain.
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in
use, there will be a separate managed keys database for each
view; the filename will be a hash of the view name followed by
the suffix .mkeys.
When the key database is changed, the zone is updated.
As with any other dynamic zone, changes will be written
into a journal file, e.g.,
managed-keys.bind.jnl.
Changes are committed to the master file as soon as
possible afterward; this will usually occur within 30
seconds. So, whenever named is using
automatic key maintenance, the zone file and journal file
can be expected to exist in the working directory.
(For this reason among others, the working directory
should be always be writable by named.)
If the dnssec-validation option is
set to auto, named
will automatically initialize a managed key for the
root zone. The key that is used to initialize the key
maintenance process is stored in bind.keys;
the location of this file can be overridden with the
bindkeys-file option. As a fallback
in the event no bind.keys can be
found, the initializing key is also compiled directly
into named.
viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ;
The view statement is a powerful feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers.
Each view statement defines a view
of the
DNS namespace that will be seen by a subset of clients. A client
matches
a view if its source IP address matches the
address_match_list of the view's
match-clients clause and its
destination IP address matches
the address_match_list of the
view's
match-destinations clause. If not
specified, both
match-clients and match-destinations
default to matching all addresses. In addition to checking IP
addresses
match-clients and match-destinations
can also take keys which provide an
mechanism for the
client to select the view. A view can also be specified
as match-recursive-only, which
means that only recursive
requests from matching clients will match that view.
The order of the view statements is
significant —
a client request will be resolved in the context of the first
view that it matches.
Zones defined within a view statement will only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup.
Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. When no view-specific value is given, the value in the options statement is used as a default. Also, zone options can have default values specified in the view statement; these view-specific defaults take precedence over those in the options statement.
Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, since only the IN class has compiled-in default hints.
If there are no view statements in the config file, a default view that matches any client is automatically created in class IN. Any zone statements specified on the top level of the configuration file are considered to be part of this default view, and the options statement will apply to the default view. If any explicit view statements are present, all zone statements must occur inside view statements.
Here is an example of a typical split DNS setup implemented using view statements:
view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
// Provide recursive service to internal
// clients only.
recursion yes;
// Provide a complete view of the example.com
// zone including addresses of internal hosts.
zone "example.com" {
type master;
file "example-internal.db";
};
};
view "external" {
// Match all clients not matched by the
// previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com
// zone containing only publicly accessible hosts.
zone "example.com" {
type master;
file "example-external.db";
};
};
zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ;
The type keyword is required
for the zone configuration unless
it is an in-view configuration. Its
acceptable values include: delegation-only,
forward, hint,
master, redirect,
slave, static-stub,
and stub.
|
|
The server has a master copy of the data for the zone and will be able to provide authoritative answers for it. |
|
|
A slave zone is a replica of a master
zone. The masters list
specifies one or more IP addresses
of master servers that the slave contacts to update
its copy of the zone.
Masters list elements can also be names of other
masters lists.
By default, transfers are made from port 53 on the
servers; this can
be changed for all servers by specifying a port number
before the
list of IP addresses, or on a per-server basis after
the IP address.
Authentication to the master can also be done with
per-server TSIG keys.
If a file is specified, then the
replica will be written to this file whenever the zone
is changed,
and reloaded from this file on a server restart. Use
of a file is
recommended, since it often speeds server startup and
eliminates
a needless waste of bandwidth. Note that for large
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two-level naming scheme for zone filenames. For
example,
a slave server for the zone |
|
|
A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation.
Stub zones can be used to eliminate the need for glue
NS record
in a parent zone at the expense of maintaining a stub
zone entry and
a set of name server addresses in
Stub zones can also be used as a way of forcing the
resolution
of a given domain to use a particular set of
authoritative servers.
For example, the caching name servers on a private
network using
RFC1918 addressing may be configured with stub zones
for
|
|
|
A static-stub zone is similar to a stub zone with the following exceptions: the zone data is statically configured, rather than transferred from a master server; when recursion is necessary for a query that matches a static-stub zone, the locally configured data (nameserver names and glue addresses) is always used even if different authoritative information is cached. Zone data is configured via the server-addresses and server-names zone options. The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone databases by rndc dumpdb -all. The configured RRs are considered local configuration parameters rather than public data. Non recursive queries (i.e., those with the RD bit off) to a static-stub zone are therefore prohibited and will be responded with REFUSED. Since the data is statically configured, no zone maintenance action takes place for a static-stub zone. For example, there is no periodic refresh attempt, and an incoming notify message will be rejected with an rcode of NOTAUTH. Each static-stub zone is configured with internally generated NS and (if necessary) glue A or AAAA RRs |
|
|
A "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders. |
|
|
The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers hints. Classes other than IN have no built-in defaults hints. |
|
|
Redirect zones are used to provide answers to queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur.
To redirect all NXDOMAIN responses to
100.100.100.2 and
2001:ffff:ffff::100.100.100.2, one would
configure a type redirect zone named ".",
with the zone file containing wildcard records
that point to the desired addresses:
To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.". Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced
directly by name, they are not kept in the
zone lookup table with normal master and slave
zones. Consequently, it is not currently possible
to use
rndc reload
|
|
|
This is used to enforce the delegation-only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones.
See caveats in root-delegation-only. |
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
is assumed. This is correct for the vast majority of cases.
The hesiod class is
named for an information service from MIT's Project Athena. It
is
used to share information about various systems databases, such
as users, groups, printers and so on. The keyword
HS is
a synonym for hesiod.
Another MIT development is Chaosnet, a LAN protocol created
in the mid-1970s. Zone data for it can be specified with the CHAOS class.
See the description of allow-notify in the section called “Access Control”.
See the description of allow-query in the section called “Access Control”.
See the description of allow-query-on in the section called “Access Control”.
See the description of allow-transfer in the section called “Access Control”.
See the description of allow-update in the section called “Access Control”.
Specifies a "Simple Secure Update" policy. See the section called “Dynamic Update Policies”.
See the description of allow-update-forwarding in the section called “Access Control”.
Only meaningful if notify
is
active for this zone. The set of machines that will
receive a
DNS NOTIFY message
for this zone is made up of all the listed name servers
(other than
the primary master) for the zone plus any IP addresses
specified
with also-notify. A port
may be specified
with each also-notify
address to send the notify
messages to a port other than the default of 53.
A TSIG key may also be specified to cause the
NOTIFY to be signed by the
given key.
also-notify is not
meaningful for stub zones.
The default is the empty list.
This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones.
See the description of check-mx in the section called “Boolean Options”.
See the description of check-spf in the section called “Boolean Options”.
See the description of check-wildcard in the section called “Boolean Options”.
See the description of check-integrity in the section called “Boolean Options”.
See the description of check-sibling in the section called “Boolean Options”.
See the description of zero-no-soa-ttl in the section called “Boolean Options”.
See the description of update-check-ksk in the section called “Boolean Options”.
See the description of dnssec-loadkeys-interval in the section called “options Statement Definition and Usage”.
See the description of dnssec-update-mode in the section called “options Statement Definition and Usage”.
See the description of dnssec-dnskey-kskonly in the section called “Boolean Options”.
See the description of try-tcp-refresh in the section called “Boolean Options”.
Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type.
The default is "rbt", BIND 9's
native in-memory
red-black-tree database. This database does not take
arguments.
Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default.
See the description of dialup in the section called “Boolean Options”.
The flag only applies to forward, hint and stub
zones. If set to yes,
then the zone will also be treated as if it is
also a delegation-only type zone.
See caveats in root-delegation-only.
Set the zone's filename. In master, hint, and redirect zones which do not have masters defined, zone data is loaded from this file. In slave, stub, and redirect zones which do have masters defined, zone data is retrieved from another server and saved in this file. This option is not applicable to other zone types.
Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried.
Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone and the global options are not used.
Was used in BIND 8 to
specify the name
of the transaction log (journal) file for dynamic update
and IXFR.
BIND 9 ignores the option
and constructs the name of the journal
file by appending ".jnl"
to the name of the
zone file.
Was an undocumented option in BIND 8. Ignored in BIND 9.
Allow the default journal's filename to be overridden.
The default is the zone's filename with ".jnl" appended.
This is applicable to master and slave zones.
See the description of max-journal-size in the section called “Server Resource Limits”.
See the description of max-records in the section called “Server Resource Limits”.
See the description of max-transfer-time-in in the section called “Zone Transfers”.
See the description of max-transfer-idle-in in the section called “Zone Transfers”.
See the description of max-transfer-time-out in the section called “Zone Transfers”.
See the description of max-transfer-idle-out in the section called “Zone Transfers”.
See the description of notify in the section called “Boolean Options”.
See the description of notify-delay in the section called “Tuning”.
See the description of notify-to-soa in the section called “Boolean Options”.
In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option.
See the description of zone-statistics in the section called “options Statement Definition and Usage”.
Only meaningful for static-stub zones. This is a list of IP addresses to which queries should be sent in recursive resolution for the zone. A non empty list for this option will internally configure the apex NS RR with associated glue A or AAAA RRs.
For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 in a server-addresses option, the following RRs will be internally configured.
example.com. NS example.com. example.com. A 192.0.2.1 example.com. AAAA 2001:db8::1234
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server will initiate recursive resolution and send queries to 192.0.2.1 and/or 2001:db8::1234.
Only meaningful for static-stub zones. This is a list of domain names of nameservers that act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when named needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin name of static-stub zone. That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the server-names option, but "ns.example.net" cannot, and will be rejected by the configuration parser.
A non empty list for this option will internally configure the apex NS RR with the specified names. For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" in a server-names option, the following RRs will be internally configured.
example.com. NS ns1.example.net. example.com. NS ns2.example.net.
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server initiate recursive resolution, resolve "ns1.example.net" and/or "ns2.example.net" to IP addresses, and then send queries to (one or more of) these addresses.
See the description of sig-validity-interval in the section called “Tuning”.
See the description of sig-signing-nodes in the section called “Tuning”.
See the description of sig-signing-signatures in the section called “Tuning”.
See the description of sig-signing-type in the section called “Tuning”.
See the description of transfer-source in the section called “Zone Transfers”.
See the description of transfer-source-v6 in the section called “Zone Transfers”.
See the description of alt-transfer-source in the section called “Zone Transfers”.
See the description of alt-transfer-source-v6 in the section called “Zone Transfers”.
See the description of use-alt-transfer-source in the section called “Zone Transfers”.
See the description of notify-source in the section called “Zone Transfers”.
See the description of notify-source-v6 in the section called “Zone Transfers”.
See the description in the section called “Tuning”.
See the description of
ixfr-from-differences in the section called “Boolean Options”.
(Note that the ixfr-from-differences
master and
slave choices are not
available at the zone level.)
See the description of key-directory in the section called “options Statement Definition and Usage”.
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
If yes, this enables
"bump in the wire" signing of a zone, where a
unsigned zone is transferred in or loaded from
disk and a signed version of the zone is served,
with possibly, a different serial number. This
behaviour is disabled by default.
See the description of multi-master in the section called “Boolean Options”.
See the description of masterfile-format in the section called “Tuning”.
See the description of max-zone-ttl in the section called “options Statement Definition and Usage”.
See the description of dnssec-secure-to-insecure in the section called “Boolean Options”.
BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.
The update-policy clause allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy
zone option, and are only meaningful for master zones.
When the update-policy statement
is present, it is a configuration error for the
allow-update statement to be
present. The update-policy statement
(except when set to local) only
examines the signer of a message; the source
address is not relevant.
A pre-defined update-policy rule can be
switched on with the command
update-policy local;.
Switching on this rule in a zone causes
named to generate a TSIG session key and
place it in a file. That key will then be allowed to update
the zone, if the update request is sent from localhost.
By default, the session key is stored in the file
/var/run/named/session.key; the key name
is "local-ddns" and the key algorithm is HMAC-SHA256.
These values are configurable with the
session-keyfile,
session-keyname and
session-keyalg options, respectively).
A client on the local system, if it is run with appropriate permissions, may read the session key from the key file and use the key to sign update requests. The zone's update policy will be set to allow that key to change any record within the zone. Assuming the key name is "local-ddns", this policy is:
update-policy { grant local-ddns zonesub any; };
...with an additional restriction that only clients connecting from the local system will be permitted to send updates.
Note that only one session key is generated; all zones configured to use update-policy local will accept the same key.
The command nsupdate -l implements this feature, sending requests to localhost and signing them using the key retrieved from the session key file.
Other rule definitions look like this:
( grant | deny )identitynametype[name] [types]
Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches the types specified in the type field.
No signer is required for tcp-self
or 6to4-self however the standard
reverse mapping / prefix conversion must match the identity
field.
The identity field specifies a name or a wildcard
name. Normally, this is the name of the TSIG or
SIG(0) key used to sign the update request. When a
TKEY exchange has been used to create a shared secret,
the identity of the shared secret is the same as the
identity of the key used to authenticate the TKEY
exchange. TKEY is also the negotiation method used
by GSS-TSIG, which establishes an identity that is
the Kerberos principal of the client, such as
"user@@host.domain". When the
identity field specifies
a wildcard name, it is subject to DNS wildcard
expansion, so the rule will apply to multiple identities.
The identity field must
contain a fully-qualified domain name.
For nametypes krb5-self,
ms-self, krb5-subdomain,
and ms-subdomain the
identity field specifies
the Windows or Kerberos realm of the machine belongs to.
The nametype field has 13
values:
name, subdomain,
wildcard, self,
selfsub, selfwild,
krb5-self, ms-self,
krb5-subdomain,
ms-subdomain,
tcp-self, 6to4-self,
zonesub, and external.
|
|
Exact-match semantics. This rule matches
when the name being updated is identical
to the contents of the
|
|
|
This rule matches when the name being updated
is a subdomain of, or identical to, the
contents of the |
|
|
This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the update-policy statement appears. This obviates the need to type the zone name twice, and enables the use of a standard update-policy statement in multiple zones without modification.
When this rule is used, the
|
|
|
The |
|
|
This rule matches when the name being updated
matches the contents of the
|
|
|
This rule is similar to |
|
|
This rule is similar to |
|
|
This rule takes a Windows machine principal
(machine$@@REALM) for machine in REALM and
and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the |
|
|
This rule takes a Windows machine principal
(machine$@@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
|
|
|
This rule takes a Kerberos machine principal
(host/machine@@REALM) for machine in REALM and
and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the |
|
|
This rule takes a Kerberos machine principal
(host/machine@@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
|
|
|
Allow updates that have been sent via TCP and for which the standard mapping from the initiating IP address into the IN-ADDR.ARPA and IP6.ARPA namespaces match the name to be updated. The name field should be set to "." NoteIt is theoretically possible to spoof these TCP sessions. |
|
|
Allow the 6to4 prefix to be update by any TCP connection from the 6to4 network or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to be added to the reverse tree. NoteIt is theoretically possible to spoof these TCP sessions. |
|
|
This rule allows named to defer the decision of whether to allow a given update to an external daemon.
The method of communicating with the daemon is
specified in the Requests to the external daemon are sent over the UNIX-domain socket as datagrams with the following format: Protocol version number (4 bytes, network byte order, currently 1) Request length (4 bytes, network byte order) Signer (null-terminated string) Name (null-terminated string) TCP source address (null-terminated string) Rdata type (null-terminated string) Key (null-terminated string) TKEY token length (4 bytes, network byte order) TKEY token (remainder of packet) The daemon replies with a four-byte value in network byte order, containing either 0 or 1; 0 indicates that the specified update is not permitted, and 1 indicates that it is. |
In all cases, the name
field must specify a fully-qualified domain name.
If no types are explicitly specified, this rule matches all types except RRSIG, NS, SOA, NSEC and NSEC3. Types may be specified by name, including "ANY" (ANY matches all types except NSEC and NSEC3, which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are checked for each existing record type.
When multiple views are in use, a zone may be referenced by more than one of them. Often, the views will contain different zones with the same name, allowing different clients to receive different answers for the same queries. At times, however, it is desirable for multiple views to contain identical zones. The in-view zone option provides an efficient way to do this: it allows a view to reference a zone that was defined in a previously configured view. Example:
view internal {
match-clients { 10/8; };
zone example.com {
type master;
file "example-external.db";
};
};
view external {
match-clients { any; };
zone example.com {
in-view internal;
};
};
An in-view option cannot refer to a view that is configured later in the configuration file.
A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control the behavior of the containing view, rather than changing the zone object itself.)
Zone level acls (e.g. allow-query, allow-transfer) and other configuration details of the zone are all set in the view the referenced zone is defined in. Care need to be taken to ensure that acls are wide enough for all views referencing the zone.
An in-view zone cannot be used as a response policy zone.
An in-view zone is not intended to reference a forward zone.
This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.
A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”.
The components of a Resource Record are:
|
owner name |
The domain name where the RR is found. |
|
type |
An encoded 16-bit value that specifies the type of the resource record. |
|
TTL |
The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. |
|
class |
An encoded 16-bit value that identifies a protocol family or instance of a protocol. |
|
RDATA |
The resource data. The format of the data is type (and sometimes class) specific. |
The following are types of valid RRs:
|
A |
A host address. In the IN class, this is a 32-bit IP address. Described in RFC 1035. |
|
AAAA |
IPv6 address. Described in RFC 1886. |
|
A6 |
IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the address (the prefix) can be found. Experimental. Described in RFC 2874. |
|
AFSDB |
Location of AFS database servers. Experimental. Described in RFC 1183. |
|
APL |
Address prefix list. Experimental. Described in RFC 3123. |
|
ATMA |
ATM Address. |
|
AVC |
Application Visibility and Control record. |
|
CAA |
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844. |
|
CDNSKEY |
Identifies which DNSKEY records should be published as DS records in the parent zone. |
|
CDS |
Contains the set of DS records that should be published by the parent zone. |
|
CERT |
Holds a digital certificate. Described in RFC 2538. |
|
CNAME |
Identifies the canonical name of an alias. Described in RFC 1035. |
|
CSYNC |
Child-to-Parent Synchronization in DNS as described in RFC 7477. |
|
DHCID |
Is used for identifying which DHCP client is associated with this name. Described in RFC 4701. |
|
DLV |
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431. |
|
DNAME |
Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record as in the case of the CNAME RR. Described in RFC 2672. |
|
DNSKEY |
Stores a public key associated with a signed DNS zone. Described in RFC 4034. |
|
DOA |
Implements the Digital Object Architecture over DNS. Experimental. |
|
DS |
Stores the hash of a public key associated with a signed DNS zone. Described in RFC 4034. |
|
EID |
End Point Identifier. |
|
EUI48 |
A 48-bit EUI address. Described in RFC 7043. |
|
EUI64 |
A 64-bit EUI address. Described in RFC 7043. |
|
GID |
Reserved. |
|
GPOS |
Specifies the global position. Superseded by LOC. |
|
HINFO |
Identifies the CPU and OS used by a host. Described in RFC 1035. |
|
HIP |
Host Identity Protocol Address. Described in RFC 5205. |
|
IPSECKEY |
Provides a method for storing IPsec keying material in DNS. Described in RFC 4025. |
|
ISDN |
Representation of ISDN addresses. Experimental. Described in RFC 1183. |
|
KEY |
Stores a public key associated with a DNS name. Used in original DNSSEC; replaced by DNSKEY in DNSSECbis, but still used with SIG(0). Described in RFCs 2535 and 2931. |
|
KX |
Identifies a key exchanger for this DNS name. Described in RFC 2230. |
|
L32 |
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742. |
|
L64 |
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742. |
|
LOC |
For storing GPS info. Described in RFC 1876. Experimental. |
|
LP |
Identifier-Locator Network Protocol. Described in RFC 6742. |
|
MB |
Mail Box. Historical. |
|
MD |
Mail Destination. Historical. |
|
MF |
Mail Forwarder. Historical. |
|
MG |
Mail Group. Historical. |
|
MINFO |
Mail Information. |
|
MR |
Mail Rename. Historical. |
|
MX |
Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035. |
|
NAPTR |
Name authority pointer. Described in RFC 2915. |
|
NID |
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742. |
|
NINFO |
Contains zone status information. |
|
NIMLOC |
Nimrod Locator. |
|
NSAP |
A network service access point. Described in RFC 1706. |
|
NSAP-PTR |
Historical. |
|
NS |
The authoritative name server for the domain. Described in RFC 1035. |
|
NSEC |
Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Described in RFC 4034. |
|
NSEC3 |
Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. NSEC3 differs from NSEC in that it prevents zone enumeration but is more computationally expensive on both the server and the client than NSEC. Described in RFC 5155. |
|
NSEC3PARAM |
Used in DNSSECbis to tell the authoritative server which NSEC3 chains are available to use. Described in RFC 5155. |
|
NULL |
This is an opaque container. |
|
NXT |
Used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Used in original DNSSEC; replaced by NSEC in DNSSECbis. Described in RFC 2535. |
|
OPENPGPKEY |
Used to hold an OPENPGPKEY. |
|
PTR |
A pointer to another part of the domain name space. Described in RFC 1035. |
|
PX |
Provides mappings between RFC 822 and X.400 addresses. Described in RFC 2163. |
|
RKEY |
Resource key. |
|
RP |
Information on persons responsible for the domain. Experimental. Described in RFC 1183. |
|
RRSIG |
Contains DNSSECbis signature data. Described in RFC 4034. |
|
RT |
Route-through binding for hosts that do not have their own direct wide area network addresses. Experimental. Described in RFC 1183. |
|
SIG |
Contains DNSSEC signature data. Used in original DNSSEC; replaced by RRSIG in DNSSECbis, but still used for SIG(0). Described in RFCs 2535 and 2931. |
|
SINK |
The kitchen sink record. |
|
SMIMEA |
The S/MIME Security Certificate Association. |
|
SOA |
Identifies the start of a zone of authority. Described in RFC 1035. |
|
SPF |
Contains the Sender Policy Framework information for a given email domain. Described in RFC 4408. |
|
SRV |
Information about well known network services (replaces WKS). Described in RFC 2782. |
|
SSHFP |
Provides a way to securely publish a secure shell key's fingerprint. Described in RFC 4255. |
|
TA |
Trust Anchor. Experimental. |
|
TALINK |
Trust Anchor Link. Experimental. |
|
TLSA |
Transport Layer Security Certificate Association. Described in RFC 6698. |
|
TXT |
Text records. Described in RFC 1035. |
|
UID |
Reserved. |
|
UINFO |
Reserved. |
|
UNSPEC |
Reserved. Historical. |
|
URI |
Holds a URI. Described in RFC 7553. |
|
WKS |
Information about which well known network services, such as SMTP, that a domain supports. Historical. |
|
X25 |
Representation of X.25 network addresses. Experimental. Described in RFC 1183. |
The following classes of resource records are currently valid in the DNS:
|
IN |
The Internet. |
|
CH |
Chaosnet, a LAN protocol created at MIT in the
mid-1970s.
Rarely used for its historical purpose, but reused for
BIND's
built-in server information zones, e.g.,
|
|
HS |
Hesiod, an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. |
The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described.
The meaning of the TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates. While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change.
The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently used as "pointers" to other data in the DNS.
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses.
The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR. Blank lines are often included for readability.
Following the owner, we list the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interests of clarity.
The resource data or RDATA section of the RR are given using knowledge of the typical representation for the data.
For example, we might show the RRs carried in a message as:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The MX RRs have an RDATA section which consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address format to contain a 32-bit internet address.
The above example shows six RRs, with two RRs at each of three domain names.
Similarly we might see:
|
|
|
|
|
|
|
This example shows two addresses for
XX.LCS.MIT.EDU, each of a different class.
As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name matched with a relevant datum, and stored with some additional type information to help systems determine when the RR is relevant.
MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It must have an associated address record (A or AAAA) — CNAME is not sufficient.
For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record pointed to by the CNAME. For example:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Mail delivery will be attempted to mail.example.com and
mail2.example.com (in
any order), and if neither of those succeed, delivery to mail.backup.org will
be attempted.
The time-to-live of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently used in a zone file.
|
SOA |
The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain (NXDOMAIN) responses from you. The maximum time for negative caching is 3 hours (3h). |
|
$TTL |
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set. |
|
RR TTLs |
Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache it. |
All of these TTLs default to units of seconds, though units
can be explicitly specified, for example, 1h30m.
Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, in the [example.com] domain:
|
|
|
|
|
|
The $ORIGIN lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin.
The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same class.
Master File Directives include $ORIGIN, $INCLUDE, and $TTL.
When used in the label (or name) field, the asperand or
at-sign (@@) symbol represents the current origin.
At the start of the zone file, it is the
<zone_name> (followed by
trailing dot).
Syntax: $ORIGIN
domain-name
[comment]
$ORIGIN
sets the domain name that will be appended to any
unqualified records. When a zone is first read in there
is an implicit $ORIGIN
<zone_name>.
(followed by trailing dot).
The current $ORIGIN is appended to
the domain specified in the $ORIGIN
argument if it is not absolute.
$ORIGIN example.com. WWW CNAME MAIN-SERVER
is equivalent to
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
[
origin ]
[ comment ]
Read and process the file filename as
if it were included into the file at this point. If origin is
specified the file is processed with $ORIGIN set
to that value, otherwise the current $ORIGIN is
used.
The origin and the current domain name revert to the values they had prior to the $INCLUDE once the file has been read.
RFC 1035 specifies that the current origin should be restored after an $INCLUDE, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both.
Syntax: $GENERATE
range
lhs
[ttl]
[class]
type
rhs
[comment]
$GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation.
$ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 @@ NS SERVER$.EXAMPLE. $GENERATE 1-127 $ CNAME $.0
is equivalent to
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Generate a set of A and MX records. Note the MX's right hand side is a quoted string. The quotes will be stripped when the right hand side is processed.
$ORIGIN EXAMPLE. $GENERATE 1-127 HOST-$ A 1.2.3.$ $GENERATE 1-127 HOST-$ MX "0 ."
is equivalent to
HOST-1.EXAMPLE. A 1.2.3.1 HOST-1.EXAMPLE. MX 0 . HOST-2.EXAMPLE. A 1.2.3.2 HOST-2.EXAMPLE. MX 0 . HOST-3.EXAMPLE. A 1.2.3.3 HOST-3.EXAMPLE. MX 0 . ... HOST-127.EXAMPLE. A 1.2.3.127 HOST-127.EXAMPLE. MX 0 .
|
range |
This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. |
|
lhs |
This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o), hexadecimal (x or X for uppercase) and nibble (n or N\ for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name. In nibble mode the value will be treated as if it was a reversed hexadecimal string with each hexadecimal digit as a separate label. The width field includes the label separator. For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output. |
|
ttl |
Specifies the time-to-live of the generated records. If not specified this will be inherited using the normal TTL inheritance rules. class and ttl can be entered in either order. |
|
class |
Specifies the class of the generated records. This must match the zone class if it is specified. class and ttl can be entered in either order. |
|
type |
Any valid type. |
|
rhs |
rhs, optionally, quoted string. |
The $GENERATE directive is a BIND extension and not part of the standard zone file format.
BIND 8 did not support the optional TTL and CLASS fields.
In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in other formats.
The raw format is
a binary representation of zone data in a manner similar
to that used in zone transfers. Since it does not require
parsing text, load time is significantly reduced.
An even faster alternative is the map
format, which is an image of a BIND 9
in-memory zone database; it is capable of being loaded
directly into memory via the mmap()
function; the zone can begin serving queries almost
immediately.
For a primary server, a zone file in
raw or map
format is expected to be generated from a textual zone
file by the named-compilezone command.
For a secondary server or for a dynamic zone, it is automatically
generated (if this format is specified by the
masterfile-format option) when
named dumps the zone contents after
zone transfer or when applying prior updates.
If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the named-compilezone command. All necessary modification should go to the text file, which should then be converted to the binary form by the named-compilezone command again.
Note that map format is extremely
architecture-specific. A map
file cannot be used on a system
with different pointer size, endianness or data alignment
than the system on which it was generated, and should in
general be used only inside a single system.
While raw format uses
network byte order and avoids architecture-dependent
data alignment so that it is as portable as
possible, it is also primarily expected to be used
inside the same single system. To export a
zone file in either raw or
map format, or make a
portable backup of such a file, conversion to
text format is recommended.
BIND 9 maintains lots of statistics information and provides several interfaces for users to get access to the statistics. The available statistics include all statistics counters that were available in BIND 8 and are meaningful in BIND 9, and other information that is considered useful.
The statistics information is categorized into the following sections.
|
Incoming Requests |
The number of incoming DNS requests for each OPCODE. |
|
Incoming Queries |
The number of incoming queries for each RR type. |
|
Outgoing Queries |
The number of outgoing queries for each RR type sent from the internal resolver. Maintained per view. |
|
Name Server Statistics |
Statistics counters about incoming request processing. |
|
Zone Maintenance Statistics |
Statistics counters regarding zone maintenance operations such as zone transfers. |
|
Resolver Statistics |
Statistics counters about name resolution performed in the internal resolver. Maintained per view. |
|
Cache DB RRsets |
The number of RRsets per RR type and nonexistent names stored in the cache database. If the exclamation mark (!) is printed for a RR type, it means that particular type of RRset is known to be nonexistent (this is also known as "NXRRSET"). If a hash mark (#) is present then the RRset is marked for garbage collection. Maintained per view. |
|
Socket I/O Statistics |
Statistics counters about network related events. |
A subset of Name Server Statistics is collected and shown
per zone for which the server has the authority when
zone-statistics is set to
full (or yes
for backward compatibility. See the description of
zone-statistics in the section called “options Statement Definition and
Usage”
for further details.
These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.
There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified by the statistics-file configuration option. The other is remotely accessible via a statistics channel when the statistics-channels statement is specified in the configuration file (see the section called “statistics-channels Statement Grammar”.)
The text format statistics dump begins with a line, like:
+++ Statistics Dump +++ (973798949)
The number in parentheses is a standard Unix-style timestamp, measured as seconds since January 1, 1970. Following that line is a set of statistics information, which is categorized as described above. Each section begins with a line, like:
++ Name Server Statistics ++
Each section consists of lines, each containing the statistics counter value followed by its textual description. See below for available counters. For brevity, counters that have a value of 0 are not shown in the statistics file.
The statistics dump ends with the line where the number is identical to the number in the beginning line; for example:
--- Statistics Dump --- (973798949)
The following tables summarize statistics counters that BIND 9 provides. For each row of the tables, the leftmost column is the abbreviated symbol name of that counter. These symbols are shown in the statistics information accessed via an HTTP statistics channel. The rightmost column gives the description of the counter, which is also shown in the statistics file (but, in this document, possibly with slight modification for better readability). Additional notes may also be provided in this column. When a middle column exists between these two columns, it gives the corresponding counter name of the BIND 8 statistics, if applicable.
|
Symbol |
BIND8 Symbol |
Description |
|
Requestv4 |
RQ |
IPv4 requests received. Note: this also counts non query requests. |
|
Requestv6 |
RQ |
IPv6 requests received. Note: this also counts non query requests. |
|
ReqEdns0 |
|
Requests with EDNS(0) received. |
|
ReqBadEDNSVer |
|
Requests with unsupported EDNS version received. |
|
ReqTSIG |
|
Requests with TSIG received. |
|
ReqSIG0 |
|
Requests with SIG(0) received. |
|
ReqBadSIG |
|
Requests with invalid (TSIG or SIG(0)) signature. |
|
ReqTCP |
RTCP |
TCP requests received. |
|
AuthQryRej |
RUQ |
Authoritative (non recursive) queries rejected. |
|
RecQryRej |
RURQ |
Recursive queries rejected. |
|
XfrRej |
RUXFR |
Zone transfer requests rejected. |
|
UpdateRej |
RUUpd |
Dynamic update requests rejected. |
|
Response |
SAns |
Responses sent. |
|
RespTruncated |
|
Truncated responses sent. |
|
RespEDNS0 |
|
Responses with EDNS(0) sent. |
|
RespTSIG |
|
Responses with TSIG sent. |
|
RespSIG0 |
|
Responses with SIG(0) sent. |
|
QrySuccess |
|
Queries resulted in a successful answer. This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the success counter of previous versions of BIND 9. |
|
QryAuthAns |
|
Queries resulted in authoritative answer. |
|
QryNoauthAns |
SNaAns |
Queries resulted in non authoritative answer. |
|
QryReferral |
|
Queries resulted in referral answer. This corresponds to the referral counter of previous versions of BIND 9. |
|
QryNxrrset |
|
Queries resulted in NOERROR responses with no data. This corresponds to the nxrrset counter of previous versions of BIND 9. |
|
QrySERVFAIL |
SFail |
Queries resulted in SERVFAIL. |
|
QryFORMERR |
SFErr |
Queries resulted in FORMERR. |
|
QryNXDOMAIN |
SNXD |
Queries resulted in NXDOMAIN. This corresponds to the nxdomain counter of previous versions of BIND 9. |
|
QryRecursion |
RFwdQ |
Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the recursion counter of previous versions of BIND 9. |
|
QryDuplicate |
RDupQ |
Queries which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed. This corresponds to the duplicate counter of previous versions of BIND 9. |
|
QryDropped |
|
Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the clients-per-query and max-clients-per-query options (see the description about clients-per-query.) This corresponds to the dropped counter of previous versions of BIND 9. |
|
QryFailure |
|
Other query failures. This corresponds to the failure counter of previous versions of BIND 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as AuthQryRej and RecQryRej that would also fall into this counter are provided, and so this counter would not be of much interest in practice. |
|
XfrReqDone |
|
Requested zone transfers completed. |
|
UpdateReqFwd |
|
Update requests forwarded. |
|
UpdateRespFwd |
|
Update responses forwarded. |
|
UpdateFwdFail |
|
Dynamic update forward failed. |
|
UpdateDone |
|
Dynamic updates completed. |
|
UpdateFail |
|
Dynamic updates failed. |
|
UpdateBadPrereq |
|
Dynamic updates rejected due to prerequisite failure. |
|
RateDropped |
|
Responses dropped by rate limits. |
|
RateSlipped |
|
Responses truncated by rate limits. |
|
RPZRewrites |
|
Response policy zone rewrites. |
|
Symbol |
Description |
|
NotifyOutv4 |
IPv4 notifies sent. |
|
NotifyOutv6 |
IPv6 notifies sent. |
|
NotifyInv4 |
IPv4 notifies received. |
|
NotifyInv6 |
IPv6 notifies received. |
|
NotifyRej |
Incoming notifies rejected. |
|
SOAOutv4 |
IPv4 SOA queries sent. |
|
SOAOutv6 |
IPv6 SOA queries sent. |
|
AXFRReqv4 |
IPv4 AXFR requested. |
|
AXFRReqv6 |
IPv6 AXFR requested. |
|
IXFRReqv4 |
IPv4 IXFR requested. |
|
IXFRReqv6 |
IPv6 IXFR requested. |
|
XfrSuccess |
Zone transfer requests succeeded. |
|
XfrFail |
Zone transfer requests failed. |
|
Symbol |
BIND8 Symbol |
Description |
|
Queryv4 |
SFwdQ |
IPv4 queries sent. |
|
Queryv6 |
SFwdQ |
IPv6 queries sent. |
|
Responsev4 |
RR |
IPv4 responses received. |
|
Responsev6 |
RR |
IPv6 responses received. |
|
NXDOMAIN |
RNXD |
NXDOMAIN received. |
|
SERVFAIL |
RFail |
SERVFAIL received. |
|
FORMERR |
RFErr |
FORMERR received. |
|
OtherError |
RErr |
Other errors received. |
|
EDNS0Fail |
|
EDNS(0) query failures. |
|
Mismatch |
RDupR |
Mismatch responses received. The DNS ID, response's source address, and/or the response's source port does not match what was expected. (The port must be 53 or as defined by the port option.) This may be an indication of a cache poisoning attempt. |
|
Truncated |
|
Truncated responses received. |
|
Lame |
RLame |
Lame delegations received. |
|
Retry |
SDupQ |
Query retries performed. |
|
QueryAbort |
|
Queries aborted due to quota control. |
|
QuerySockFail |
|
Failures in opening query sockets. One common reason for such failures is a failure of opening a new socket due to a limitation on file descriptors. |
|
QueryTimeout |
|
Query timeouts. |
|
GlueFetchv4 |
SSysQ |
IPv4 NS address fetches invoked. |
|
GlueFetchv6 |
SSysQ |
IPv6 NS address fetches invoked. |
|
GlueFetchv4Fail |
|
IPv4 NS address fetch failed. |
|
GlueFetchv6Fail |
|
IPv6 NS address fetch failed. |
|
ValAttempt |
|
DNSSEC validation attempted. |
|
ValOk |
|
DNSSEC validation succeeded. |
|
ValNegOk |
|
DNSSEC validation on negative information succeeded. |
|
ValFail |
|
DNSSEC validation failed. |
|
QryRTTnn |
|
Frequency table on round trip times (RTTs) of queries. Each nn specifies the corresponding frequency. In the sequence of nn_1, nn_2, ..., nn_m, the value of nn_i is the number of queries whose RTTs are between nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. For the sake of convenience we define nn_0 to be 0. The last entry should be represented as nn_m+, which means the number of queries whose RTTs are equal to or over nn_m milliseconds. |
Socket I/O statistics counters are defined per socket types, which are UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the socket module). In the following table <TYPE> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field.
|
Symbol |
Description |
|
<TYPE>Open |
Sockets opened successfully. This counter is not applicable to the FDwatch type. |
|
<TYPE>OpenFail |
Failures of opening sockets. This counter is not applicable to the FDwatch type. |
|
<TYPE>Close |
Sockets closed. |
|
<TYPE>BindFail |
Failures of binding sockets. |
|
<TYPE>ConnFail |
Failures of connecting sockets. |
|
<TYPE>Conn |
Connections established successfully. |
|
<TYPE>AcceptFail |
Failures of accepting incoming connection requests. This counter is not applicable to the UDP and FDwatch types. |
|
<TYPE>Accept |
Incoming connections successfully accepted. This counter is not applicable to the UDP and FDwatch types. |
|
<TYPE>SendErr |
Errors in socket send operations. This counter corresponds to SErr counter of BIND 8. |
|
<TYPE>RecvErr |
Errors in socket receive operations. This includes errors of send operations on a connected UDP socket notified by an ICMP error message. |
Most statistics counters that were available in BIND 8 are also supported in BIND 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables.
These counters are not supported because BIND 9 does not adopt the notion of forwarding as BIND 8 did.
This counter is accessible in the Incoming Queries section.
This counter is accessible in the Incoming Requests section.
This counter is not supported because BIND 9 does not care about IP options in the first place.
BIND 9.10.7
@ 1.17 log @merge 9.7.10 @ text @@ 1.17.2.1 log @Sync with HEAD @ text @@ 1.16 log @merge conflicts @ text @d3 1 a3 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d379 19 a397 2 Its acceptable value might further be limited by the context in which it is used. d1301 1 a1301 1 to be used by the algorithm, and is treated as a base-64 d1978 10 d2440 1 d2645 1 d2763 4 a2766 6 Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g.named.run)
is this directory.
d2769 5
a2773 3
which the server
was started. The directory specified should be an absolute
path.
d2807 3
a2809 1
directory.
d2955 2
a2956 3
See the discussion of dnssec-lookaside
and dnssec-validation for details.
If not specified, the default is
a3149 6
auto, then built-in default
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
If dnssec-lookaside is set to
d3154 6
a3159 22
The default DLV key is stored in the file
bind.keys;
named will load that key at
startup if dnssec-lookaside is set to
auto. A copy of the file is
installed along with BIND 9, and is
current as of the release date. If the DLV key expires, a
new copy of bind.keys can be downloaded
from https://www.isc.org/solutions/dlv/.
(To prevent problems if bind.keys is
not found, the current key is also compiled in to
named. Relying on this is not
recommended, however, as it requires named
to be recompiled with a new key when the DLV key expires.)
NOTE: named only loads certain specific
keys from bind.keys: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
d3173 1
a3173 1
dnssec-lookaside must be active.
d3723 1
a3723 1
In BIND 8, this enables keeping of
d3905 2
a3906 3
managed-keys,
dnssec-validation auto, or
dnssec-lookaside auto.
d4247 9
a4255 7
is disabled. If set to auto,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
yes, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a trusted-keys or
managed-keys statement. The default
d4258 18
d4279 8
d4814 2
a4815 1
is applies. The default is any.
d5917 9
a5931 50
Topology
All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example,
topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};
will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
The default topology is
topology { localhost; localnets; };
The topology option is not implemented in BIND 9.
In the following example, any queries received from any of
the addresses of the host itself will get responses preferring
addresses
on any of the locally connected networks. Next most preferred are
addresses
on the 192.168.1/24 network, and after that either the
192.168.2/24
or
192.168.3/24 network with no preference shown between these two
networks. Queries received from a host on the 192.168.1/24 network
will prefer other addresses on that network to the 192.168.2/24
and
192.168.3/24 networks. Queries received from a host on the
192.168.4/24
or the 192.168.5/24 network will only prefer other addresses on
d6011 4
a6014 4
local host and hosts on directly connected networks. It is similar
to the behavior of the address sort in BIND 4.9.x. Responses sent
to queries from the local host will favor any of the directly
connected
d6016 2
a6017 4
directly
connected network will prefer addresses on that same network.
Responses
to other queries will not be sorted.
d6288 5
a6292 7
zone
(querying for SOA changes) or retrying failed transfers.
Usually the SOA values for the zone are used, but these
values
are set by the master, giving slave server administrators
little
control over their contents.
d6296 4
a6299 6
maximum
refresh and retry time either per-zone, per-view, or
globally.
These options are valid for slave and stub zones,
and clamp the SOA refresh and retry times to the specified
values.
d8101 1
a8101 1
domain name, flags, protocol, algorithm, and the Base-64
d8165 2
a8166 2
initialization method currently supported (as of
BIND 9.7.0) is initial-key.
d8238 7
a8244 9
root zone. Similarly, if the dnssec-lookaside
option is set to auto,
named will automatically initialize
a managed key for the zone dlv.isc.org.
(Note: The ISC DLV service is expected to cease operation by
the end of 2017.) In both cases, the key that is used to
initialize the key maintenance process is built into
named, and can be overridden from
bindkeys-file.
d9181 14
d9597 2
a9598 1
only examines the signer of a message; the source
d9602 2
a9603 2
There is a pre-defined update-policy
rule which can be switched on with the command
d9606 7
a9612 6
named to generate a TSIG session
key and place it in a file, and to allow that key
to update the zone. (By default, the file is
/var/run/named/session.key, the key
name is "local-ddns" and the key algorithm is HMAC-SHA256,
but these values are configurable with the
d9618 6
a9623 5
A client running on the local system, and with appropriate
permissions, may read that file and use the key to sign update
requests. The zone's update policy will be set to allow that
key to change any record within the zone. Assuming the
key name is "local-ddns", this policy is equivalent to:
d9630 13
a9642 2
The command nsupdate -l sends update
requests to localhost, and signs them using the session key.
d9792 2
a9793 1
identity field.
d9845 1
a9845 1
field.
d9879 1
a9879 1
field.
d9896 2
a9897 1
identity field.
d9912 2
a9913 1
namespaces match the name to be updated.
d10423 13
d12160 1
a12160 1
BIND 8 does not support the optional TTL and CLASS fields.
d13808 1
a13808 1
BIND 9.10.5-P2
@ 1.16.4.1 log @Sync with HEAD, resolve some conflicts @ text @d3 1 a3 1 - Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC") d379 2 a380 19 Its acceptable value might be further limited by the context in which it is used.
fixedpoint
A non-negative real number that can be specified to the nearest one hundredth. Up to five digits can be specified before a decimal point, and up to two digits after, so the maximum value is 99999.99. Acceptable values might be further limited by the context in which it is used. d1284 1 a1284 1 to be used by the algorithm, and is treated as a Base64 a1960 10
trust-anchor-telemetry
Logs trust-anchor-telemetry requests received by named.
yes_or_no ; ]
a2616 1
[ trust-anchor-telemetry yes_or_no ; ]
d2734 6
a2739 4
Any non-absolute pathnames in the configuration file will
be taken as relative to this directory. The default
location for most server output files
(e.g. named.run) is this directory.
d2742 3
a2744 5
which the server was started. The directory specified
should be an absolute path. It is
strongly recommended
that the directory be writable by the effective user
ID of the named process.
d2778 1
a2778 3
directory. The directory must
be writable by the effective user ID of the
named process.
d2924 3
a2926 2
See the discussion of dnssec-validation
for details. If not specified, the default is
d3120 6
d3130 22
a3151 6
NOTE: The ISC-provided DLV service at
dlv.isc.org, has been shut down.
The dnssec-lookaside auto;
configuration option, which set named
up to use ISC DLV with minimal configuration, has
accordingly been removed.
d3165 1
a3165 1
dnssec-validation auto must be active.
d3715 1
a3715 1
In BIND 8, this enabled keeping of
d3897 3
a3899 2
managed-keys, or
dnssec-validation auto.
d4240 7
a4246 9
is disabled.
If set to auto, DNSSEC validation
is enabled, and a default trust anchor for the DNS root
zone is used. If set to yes,
DNSSEC validation is enabled, but a trust anchor must be
manually configured using a trusted-keys
or managed-keys statement. The default
a4248 18
The default root trust anchor is stored in the file
bind.keys.
named will load that key at
startup if dnssec-validation is
set to auto. A copy of the file is
installed along with BIND 9, and is current as of the
release date. If the root key expires, a new copy of
bind.keys can be downloaded
from https://www.isc.org/bind-keys.
To prevent problems if bind.keys is
not found, the current trust anchor is also compiled in
to named. Relying on this is not
recommended, however, as it requires named
to be recompiled with a new key when the root key expires.)
bind.keys.
The file cannot be used to store keys for other zones.
The root key in bind.keys is ignored
if dnssec-validation auto is not in
use.
d4779 1
a4779 2
and filter-aaaa-on-v6
apply. The default is any.
a5880 9
In BIND 8, this option indicated network topology so that preferential treatment could be given to the topologicaly closest name servers when sending queries. It is not implemented in BIND 9.
In the following example, any queries received from any of the
addresses of the host itself will get responses preferring
addresses on any of the locally connected networks. Next most
preferred are addresses on the 192.168.1/24 network, and after
that either the 192.168.2/24 or 192.168.3/24 network with no
preference shown between these two networks. Queries received
from a host on the 192.168.1/24 network will prefer other
addresses on that network to the 192.168.2/24 and 192.168.3/24
networks. Queries received from a host on the 192.168.4/24 or
the 192.168.5/24 network will only prefer other addresses on
d6032 4
a6035 4
local host and hosts on directly connected networks. It is
similar to the behavior of the address sort in
BIND 4.9.x. Responses sent to queries from
the local host will favor any of the directly connected
d6037 4
a6040 2
directly connected network will prefer addresses on that same
network. Responses to other queries will not be sorted.
d6311 7
a6317 5
zone (querying for SOA changes) or retrying failed
transfers. Usually the SOA values for the zone are used,
up to a hard-coded maximum expiry of 24 weeks. However,
these values are set by the master, giving slave server
administrators little control over their contents.
d6321 6
a6326 4
maximum refresh and retry time either per-zone,
per-view, or globally. These options are valid for
slave and stub zones, and clamp the SOA refresh and
retry times to the specified values.
d8128 1
a8128 1
domain name, flags, protocol, algorithm, and the Base64
d8192 2
a8193 2
initialization method currently supported is
initial-key.
d8265 9
a8273 7
root zone. The key that is used to initialize the key
maintenance process is stored in bind.keys;
the location of this file can be overridden with the
bindkeys-file option. As a fallback
in the event no bind.keys can be
found, the initializing key is also compiled directly
into named.
a9209 14
Set the zone's filename. In master, hint, and redirect zones which do not have masters defined, zone data is loaded from this file. In slave, stub, and redirect zones which do have masters defined, zone data is retrieved from another server and saved in this file. This option is not applicable to other zone types.
local) only
examines the signer of a message; the source
d9616 2
a9617 2
A pre-defined update-policy rule can be
switched on with the command
d9620 6
a9625 7
named to generate a TSIG session key and
place it in a file. That key will then be allowed to update
the zone, if the update request is sent from localhost.
By default, the session key is stored in the file
/var/run/named/session.key; the key name
is "local-ddns" and the key algorithm is HMAC-SHA256.
These values are configurable with the
d9631 5
a9635 6
A client on the local system, if it is run with appropriate
permissions, may read the session key from the key file and
use the key to sign update requests. The zone's update
policy will be set to allow that key to change any record
within the zone. Assuming the key name is "local-ddns",
this policy is:
d9642 2
a9643 13
...with an additional restriction that only clients
connecting from the local system will be permitted to send
updates.
Note that only one session key is generated; all zones configured to use update-policy local will accept the same key.
The command nsupdate -l implements this
feature, sending requests to localhost and signing them using
the key retrieved from the session key file.
d9793 1
a9793 2
identity field or
"."
d9845 1
a9845 1
field. The name field should be set to "."
d9879 1
a9879 1
field. The name field should be set to "."
d9896 1
a9896 2
identity field. The
name field should be set to "."
d9911 1
a9911 2
namespaces match the name to be updated. The
name field should be set to "."
a10420 13
DOA
Implements the Digital Object Architecture over DNS. Experimental.
d12145 1 a12145 1 BIND 8 did not support the optional TTL and CLASS fields. d13793 1 a13793 1
BIND 9.10.7
@ 1.15 log @Merge conflicts; bugs fixed since the last import: 4632. [security] The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. (CVE-2017-3141) [RT #45229] 4631. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181] 4582. [security] 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) [RT #44924] 4581. [port] Linux: Add getpid and getrandom to the list of system calls named uses for seccomp. [RT #44883] 4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850] 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] 4571. [bug] Out-of-tree builds of backtrace_test failed. 4570. [cleanup] named did not correctly fall back to the built-in initializing keys if the bind.keys file was present but empty. [RT #44531] 4568. [contrib] Added a --with-bind option to the dnsperf configure script to specify BIND prefix path. 4567. [port] Call getprotobyname and getservbyname prior to calling chroot so that shared libraries get loaded. [RT #44537] 4564. [maint] Update the built in managed keys to include the upcoming root KSK. [RT #44579] 4563. [bug] Modified zones would occasionally fail to reload. [RT #39424] 4561. [port] Silence a warning in strict C99 compilers. [RT #44414] 4560. [bug] mdig: add -m option to enable memory debugging rather than having it on all the time. [RT #44509] 4559. [bug] openssl_link.c didn't compile if ISC_MEM_TRACKLINES was turned off. [RT #44509] 4554. [bug] Remove double unlock in dns_dispatchmgr_setudp. [RT #44336] 4553. [bug] Named could deadlock there were multiple changes to NSEC/NSEC3 parameters for a zone being processed at the same time. [RT #42770] 4552. [bug] Named could trigger a assertion when sending notify messages. [RT #44019] 4551. [test] Add system tests for integrity checks of MX and SRV records. [RT #43953] 4550. [cleanup] Increased the number of available master file output style flags from 32 to 64. [RT #44043] 4547. [port] Add support for --enable-native-pkcs11 on the AEP Keyper HSM. [RT #42463] 4543. [bug] dns_client_startupdate now delays sending the update request until isc_app_ctxrun has been called. [RT #43976] 4541. [bug] rndc addzone should properly reject non master/slave zones. [RT #43665] 4539. [bug] Referencing a nonexistent zone with RPZ could lead to a assertion failure when configuring. [RT #43787] 4538. [bug] Call dns_client_startresolve from client->task. [RT #43896] 4537. [bug] Handle timeouts better in dig/host/nslookup. [RT #43576] 4536. [bug] ISC_SOCKEVENTATTR_USEMINMTU was not being cleared when reusing the event structure. [RT #43885] 4535. [bug] Address race condition in setting / testing of DNS_REQUEST_F_SENDING. [RT #43889] 4534. [bug] Only set RD, RA and CD in QUERY responses. [RT #43879] 4533. [bug] dns_client_update should terminate on prerequisite failures (NXDOMAIN, YXDOMAIN, NXRRSET, YXRRSET) and also on BADZONE. [RT #43865] 4532. [contrib] Make gen-data-queryperf.py python 3 compatible. [RT #43836] 4529. [cleanup] Silence noisy log warning when DSCP probe fails due to firewall rules. [RT #43847] 4527. [doc] Support DocBook XSL Stylesheets v1.79.1. [RT #43831] 4526. [doc] Corrected errors and improved formatting of grammar definitions in the ARM. [RT #43739] 4525. [doc] Fixed outdated documentation on managed-keys. [RT #43810] 4524. [bug] The net zero test was broken causing IPv4 servers with addresses ending in .0 to be rejected. [RT #43776] 4523. [doc] Expand config doc forBIND 9.10.5-P1
@ 1.14 log @merge conflicts. @ text @d1 1 d3 1 a3 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d18 1 a18 1 d110 2 a111 1d121 2 a122 1
d128 1 a128 1
d136 2 a137 1
address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | key key_id | acl_name | { address_match_list } ) d520 3 a522 2
d533 7 a539 3
d562 2 a563 1
d570 2 a571 1
d578 2 a579 1
d584 2 a585 1
d604 2 a605 1
d621 4 a624 3
d635 2 a636 1
d652 2 a653 2
d661 1 a661 1
d667 1 a667 1
d671 1 a671 1
d682 2 a683 1
d690 1 a690 1
d700 1 a700 1
d707 2 a708 1
d718 2 a719 1
d727 6 a732 5
d744 2 a745 1
d748 3 a750 1
d918 2 a919 1
acl acl-name {
address_match_list
};
d927 3
a929 2
d939 2 a940 1
d943 3 a945 1
d1014 1 a1014 1
d1021 1 a1021 1
d1037 1 a1037 1
d1052 1 a1052 1
d1055 1 a1055 1
geoip country US; d1065 4 a1068 2
controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} keys {key_list}; ] [ inet ...; ] [ unixpathpermnumberownernumbergroupnumberkeys {key_list}; ] [ unix ...; ] }; d1081 4 a1084 2
d1096 2 a1097 1
d1110 2 a1111 1
d1115 2 a1116 1
d1126 2 a1127 1
d1136 2 a1137 1
d1146 2 a1147 1
d1161 2 a1162 1
d1175 2 a1176 1
d1197 2 a1198 1
d1203 3 a1205 2
include filename;
d1225 3 a1227 2
keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1236 4 a1239 2
d1250 2 a1251 1
d1262 2 a1263 1
d1272 2 a1273 1
d1287 3 a1289 2
logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice|info|debug[level] |dynamic); ] [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] }; ] [ categorycategory_name{channel_name; [channel_name; ... ] }; ] ... }; d1313 4 a1316 2
d1328 1 a1328 1
d1334 1 d1340 2 a1341 1
d1352 2 a1353 1
d1361 2 a1362 1
d1373 2 a1374 1
d1379 2 a1380 1
d1388 2 a1389 1
d1412 2 a1413 1
d1429 2 a1430 1
d1434 1 d1441 2 a1442 1
d1464 1 a1464 1
d1467 1 a1467 1
d1476 1 a1476 1
d1488 2 a1489 1
d1498 2 a1499 1
d1513 1 d1519 2 a1520 1
d1527 1 a1527 1
d1545 2 a1546 1
d1549 2 a1550 1
d1556 1 d1584 2 a1585 1
d1593 2 a1594 1
d1604 2 a1605 1
d1611 3 a1613 2
d1626 1 d1629 2 a1630 1
d1635 1 d1645 2 a1646 1
d1649 1 d1653 2 a1654 1
d1659 2 a1660 1
d2030 2 a2031 1
d2035 1 a2035 1
d2038 1 a2038 1
d2046 1 a2046 1
d2052 1 a2052 1
d2063 1 a2063 1
d2070 1 a2070 1
d2080 1 a2080 1
d2090 3 a2092 1
d2240 1 a2240 1
d2249 4 a2252 3
d2260 10 a2269 7
lwres { [ listen-on {ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ viewview_name; ] [ search {domain_name; [domain_name; ... ] }; ] [ ndotsnumber; ] }; d2271 3 a2273 2
d2285 2 a2286 1
d2297 2 a2298 1
d2309 2 a2310 1
d2318 2 a2319 1
d2328 2 a2329 2
name [port ip_port] [dscp ip_dscp] { ( masters_list |
ip_addr [port ip_port] [key key] ) ; [...] };
d2340 4
a2343 2
masters d2353 3 a2355 2
d2363 255 a2617 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomainname; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statisticsfull|terse|none; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notifyyes_or_no|explicit|master-only; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave); ] [ auto-dnssecallow|maintain|off; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto); ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain); ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first); ] [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ dual-stack-servers [portip_port] [dscpip_dscp] { (domain_name[portip_port] [dscpip_dscp] |ip_addr[portip_port] [dscpip_dscp]) ; ... }; ] [ check-names (master|slave|response) (warn|fail|ignore); ] [ check-dup-records (warn|fail|ignore); ] [ check-mx (warn|fail|ignore); ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore); ] [ check-srv-cname (warn|fail|ignore); ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore); ] [ allow-new-zones {yes_or_no}; ] [ allow-notify {address_match_list}; ] [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-query-cache {address_match_list}; ] [ allow-query-cache-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-recursion {address_match_list}; ] [ allow-recursion-on {address_match_list}; ] [ allow-update {address_match_list}; ] [ allow-update-forwarding {address_match_list}; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign); ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no;] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list}; ] [ blackhole {address_match_list}; ] [ no-case-compress {address_match_list}; ] [ use-v4-udp-ports {port_list}; ] [ avoid-v4-udp-ports {port_list}; ] [ use-v6-udp-ports {port_list}; ] [ avoid-v6-udp-ports {port_list}; ] [ listen-on [ portip_port] [dscpip_dscp] {address_match_list}; ] [ listen-on-v6 [ portip_port] [dscpip_dscp] {address_match_list}; ] [ query-source ( (ip4_addr|*) [ port (ip_port|*) ] [ dscpip_dscp] | [ address (ip4_addr|*) ] [ port (ip_port|*) ] ) [ dscpip_dscp] ; ] [ query-source-v6 ( (ip6_addr|*) [ port (ip_port|*) ] [ dscpip_dscp] | [ address (ip6_addr|*) ] [ port (ip_port|*) ] ) [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format( one-answer | many-answers ); ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr[portip_port] ) [keykeyname] ; ... }; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list}]; [ sortlist {address_match_list}]; [ rrset-order {order_spec; [order_spec; ... ] ] }; [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number; ] [ serial-update-methodincrement|unixtime|date; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp] ; [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec); ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec); ] [ filter-aaaa {address_match_list}; ] [ dns64ipv6-prefix{ [ clients {address_match_list}; ] [ mapped {address_match_list}; ] [ exclude {address_match_list}; ] [ suffixIPv6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] }; ]; [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|NONE); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; [algorithm; ] }; ] [ disable-ds-digestsdomain{digest_type; [digest_type; ] }; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ];] [ deny-answer-aliases {namelist} [ except-from {namelist} ];] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy(given | disabled | passthru | drop | nxdomain | nodata | cname domain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; [...] } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] [ automatic-interface-scanyes_or_no] ; ] }; d2619 4 a2622 2
d2636 2 a2637 1
d2649 2 a2650 1
d2656 2 a2657 1
d2667 2 a2668 1
d2675 2 a2676 1
d2685 1 d2700 2 a2701 1
d2716 2 a2717 1
d2729 1 a2729 1 d2731 2 a2732 1
d2745 2 a2746 1
d2758 2 a2759 1
d2771 2 a2772 1
d2780 1 a2780 1
d2789 1 a2789 1 d2791 2 a2792 1
d2799 2 a2800 1
d2808 2 a2809 1
d2825 2 a2826 1
d2845 2 a2846 1
d2857 3 a2859 2 most cases, the keyname should be the server's host name.
d2864 2 a2865 1
d2873 2 a2874 1
d2881 2 a2882 1
d2897 2 a2898 1
d2906 2 a2907 1
d2917 2 a2918 1
d2928 2 a2929 1
d2938 2 a2939 1
d2952 2 a2953 1
d2959 2 a2960 1
d2968 2 a2969 1
d2980 2 a2981 1
d2989 2 a2990 1
d3010 2 a3011 1
d3021 2 a3022 1
d3032 1 a3032 1
d3039 1 a3039 1
d3055 1 a3055 1
d3060 1 a3060 1
d3064 1 d3070 2 a3071 1 d3074 1 a3074 1
d3082 1 a3082 1
d3087 1 a3087 1 d3090 1 a3090 1
d3098 1 a3098 1
d3103 1 a3103 1 d3106 1 a3106 1
d3118 1 a3118 1
d3124 1 a3124 1
d3129 1 a3129 1
d3140 1 a3140 1
d3147 1 a3147 1
d3153 1 a3153 1 d3155 2 a3156 1
d3166 2 a3167 1
d3178 1 a3178 1
d3182 1 a3182 1
d3192 1 a3192 1
d3198 1 a3198 1
d3205 1 a3205 1
d3214 1 a3214 1 defaults to none. d3216 1 a3216 1
d3224 1 a3224 1
d3230 1 a3230 1
d3249 1 a3249 1 d3251 2 a3252 1
d3265 2 a3266 1
d3282 1 a3282 1
d3288 1 a3288 1
d3297 1 a3297 1 d3300 1 a3300 1
d3309 1 a3309 1
d3317 1 a3317 1
d3322 1 a3322 1
d3327 1 a3327 1 d3330 1 a3330 1
d3335 1 a3335 1
d3341 1 a3341 1
d3349 1 a3349 1 d3352 1 a3352 1
d3364 1 a3364 1
d3372 1 a3372 1
d3383 1 a3383 1 d3385 2 a3386 1
d3399 1 a3399 1
d3404 1 a3404 1 d3406 2 a3407 1
d3412 2 a3413 1
d3425 2 a3426 1
d3434 2 a3435 1
d3444 2 a3445 1
d3463 1 a3463 1
d3470 1 a3470 1
d3482 1 a3482 1
d3492 1 a3492 1
d3507 3 a3509 1
d3667 2 a3668 1 d3670 2 a3671 1
d3676 2 a3677 1
d3689 2 a3690 1
d3698 2 a3699 1
d3710 2 a3711 1
d3719 2 a3720 1
d3731 2 a3732 1
d3742 2 a3743 1
d3752 2 a3753 1
d3767 1 a3767 1
d3776 1 a3776 1
d3785 1 a3785 1 d3787 2 a3788 1
d3797 2 a3798 1
d3817 2 a3818 1
d3830 2 a3831 1
d3850 2 a3851 1
d3861 2 a3862 1
d3873 2 a3874 1
d3883 1 a3883 1
d3889 30 a3918 2
d3925 2 a3926 1
d3938 2 a3939 1
d3947 2 a3948 1
d3956 2 a3957 1
d3971 2 a3972 1
d3985 2 a3986 1
d4006 2 a4007 1
d4017 2 a4018 1
d4027 2 a4028 1
d4038 2 a4039 1
d4057 2 a4058 1 d4061 1 a4061 1
d4066 1 a4066 1
d4075 1 a4075 1 d4078 1 a4078 1
d4092 1 a4092 1
d4100 1 a4100 1
d4106 1 a4106 1
d4114 1 a4114 1
d4121 1 a4121 1
d4126 1 a4126 1 d4128 2 a4129 1
d4134 2 a4135 1
d4148 1 a4148 1
d4160 1 a4160 1
ixfr-from-differences d4169 1 a4169 1 d4171 2 a4172 1
d4180 2 a4181 1
d4189 1 a4189 1
d4195 1 a4195 1
d4218 1 a4218 1
d4221 1 a4221 1 d4223 2 a4224 1
d4231 2 a4232 1
d4249 1 a4249 1
d4257 2 a4258 2
d4267 2 a4268 1
d4277 2 a4278 1
d4294 1 a4294 1
d4298 1 a4298 1
check-names d4306 1 a4306 1 d4308 2 a4309 1
d4315 2 a4316 1
d4324 2 a4325 1
d4336 2 a4337 1
d4353 1 a4353 1
d4363 1 a4363 1 d4365 2 a4366 1
d4370 2 a4371 1
d4378 2 a4379 1
d4385 2 a4386 1
d4395 2 a4396 1
d4404 2 a4405 1
d4412 2 a4413 1
d4421 1 a4421 1
d4432 1 a4432 1
d4440 1 a4440 1 d4443 1 a4443 1
d4453 1 a4453 1
d4458 1 a4458 1 d4460 2 a4461 1
d4465 2 a4466 1
d4477 1 a4477 1
d4484 1 a4484 1
d4491 1 a4491 1 d4493 4 a4496 2
d4510 2 a4511 1
d4524 2 a4525 1
d4532 2 a4533 1
d4545 3 a4547 2
d4558 2 a4559 1
d4571 2 a4572 1
d4586 2 a4587 1
d4603 2 a4604 1
d4616 1 a4616 1
d4622 2 a4623 2
d4633 1 a4633 1
d4639 1 a4639 1
d4645 1 a4645 1
d4649 1 a4649 1
d4655 2 a4656 2
d4668 2 a4669 1
d4678 2 a4679 1
d4691 2 a4692 1
d4699 2 a4700 1
d4710 2 a4711 1
d4731 1 a4731 1
d4739 1 a4739 1 d4741 2 a4742 1
d4750 2 a4751 1
d4762 2 a4763 1
d4772 2 a4773 1
d4780 2 a4781 1
d4792 1 a4792 1
d4800 1 a4800 1
d4812 1 a4812 1
d4817 1 a4817 1
d4832 1 a4832 1 d4834 2 a4835 1
d4841 2 a4842 1
d4860 1 a4860 1
d4865 1 d4869 2 a4870 1
d4875 2 a4876 1
d4880 2 a4881 1
d4887 2 a4888 1
d4903 2 a4904 1
d4913 2 a4914 1
d4919 1 d4923 2 a4924 1
d4930 2 a4931 1
d4934 1 d4937 4 a4940 2
d4953 2 a4954 1
d4965 2 a4966 1
d4971 1 d4975 2 a4976 1
d4986 1 d4990 2 a4991 1
d5007 2 a5008 1
d5020 2 a5021 1
d5026 1 d5030 2 a5031 1
d5043 2 a5044 1
d5049 2 a5050 1
d5055 2 a5056 1
d5061 2 a5062 1
d5072 2 a5073 2
d5079 2 a5080 2
d5086 4 a5089 3
d5099 2 a5100 1
d5121 1 a5121 1
d5134 1 a5134 1 d5136 2 a5137 1
d5142 2 a5143 1
d5151 2 a5152 1
d5160 2 a5161 1
d5169 2 a5170 1
d5186 1 a5186 1
d5193 1 a5193 1 d5195 2 a5196 1
d5205 2 a5206 1
d5230 3 a5232 1
d5242 2 a5243 1
d5251 2 a5252 1
d5267 2 a5268 1
transfer-source d5292 1 a5292 1
d5298 2 a5299 2
d5305 2 a5306 1
d5315 1 a5315 1
d5334 2 a5335 1
d5344 2 a5345 1
notify-source d5362 1 a5362 1
d5368 2 a5369 2
d5375 2 a5376 1
d5396 1 d5401 2 a5402 1
d5408 2 a5409 1
d5426 3 a5428 2
d5445 2 a5446 1
d5454 2 a5455 1
d5461 2 a5462 1
d5480 2 a5481 1
d5487 2 a5488 1
d5494 2 a5495 1
d5509 2 a5510 1
d5518 2 a5519 1
d5533 9 a5541 1
d5548 2 a5549 1
d5563 1 a5563 1
d5570 1 a5570 1
d5580 1 a5580 1 d5582 2 a5583 1
d5587 2 a5588 1
These set the d5601 1 a5601 1
d5611 1 a5611 1
d5616 1 a5616 1
d5621 1 a5621 1 d5626 1 a5626 1
d5636 1 a5636 1
d5648 1 a5648 1
d5656 1 a5656 1
d5661 1 a5661 1
d5674 1 a5674 1
d5678 1 a5678 1 d5683 1 a5683 1
d5693 1 a5693 1
d5702 1 a5702 1
d5707 1 a5707 1
d5723 1 a5723 1
d5727 1 a5727 1 d5730 1 a5730 1
d5735 1 a5735 1
d5743 1 a5743 1
d5758 1 a5758 1
d5762 1 a5762 1 d5765 1 a5765 1
d5775 1 a5775 1
d5778 1 a5778 1 d5780 2 a5781 1
d5797 2 a5798 1
d5811 2 a5812 1
d5833 2 a5834 1
d5845 2 a5846 1
d5862 2 a5863 1
d5875 1 a5875 1
d5879 2 a5880 2
d5906 1 d5912 2 a5913 1
d5919 1 a5919 1
d5922 1 d5925 2 a5926 1
d5932 4 a5935 3
d5955 2 a5956 1
d5972 1 a5972 1
d5987 1 a5987 1
d6005 1 d6029 2 a6030 1
d6042 1 d6048 3 a6050 2
d6064 2 a6065 1
d6069 1 a6069 1
d6075 1 a6075 1
d6080 1 a6080 1
d6083 2 a6084 1
d6133 1 d6139 2 a6140 1
d6146 1 a6146 1
d6150 1 a6150 1
d6153 2 a6154 1
d6163 4 a6166 3
d6181 2 a6182 1
d6188 2 a6189 1 d6191 2 a6192 1
d6202 2 a6203 1
d6214 2 a6215 1
d6224 1 a6224 1
d6229 2 a6230 2
d6247 1 a6247 1
d6252 1 a6252 1
d6258 1 a6258 1 d6260 2 a6261 1
d6266 2 a6267 1
d6275 2 a6276 1
d6284 1 a6284 1
d6288 1 a6288 1
d6304 1 a6304 1 d6309 1 a6309 1
d6319 1 a6319 1
d6328 1 a6328 1
d6336 1 a6336 1 d6339 1 a6339 1
d6347 1 a6347 1
d6354 1 a6354 1
d6359 1 a6359 1
d6370 1 a6370 1
d6378 1 a6378 1
d6386 1 a6386 1 d6389 1 a6389 1
d6396 1 a6396 1
d6401 1 a6401 1
d6410 1 a6410 1
d6414 1 a6414 1 d6417 1 a6417 1
Specifies d6428 1 a6428 1
d6442 1 a6442 1
d6451 1 a6451 1 d6455 2 a6456 1
d6465 2 a6466 1
d6479 2 a6480 1
d6487 1 a6487 1
d6491 1 a6491 1 d6493 2 a6494 1
d6499 2 a6500 1
d6510 1 a6510 1
d6522 1 a6522 1
d6532 1 a6532 1 d6534 4 a6537 2
d6560 1 a6560 1
d6567 2 a6568 1
d6578 2 a6579 1
d6593 2 a6594 1
d6609 2 a6610 1
d6631 1 a6631 1
d6636 1 a6636 1
d6740 1 a6740 1
d6752 1 a6752 1
d6761 1 a6761 1
d6777 2 a6778 1
d6785 2 a6786 1
d6792 2 a6793 1
d6799 2 a6800 1
d6819 2 a6820 1
d6828 2 a6829 1
d6838 2 a6839 1
d6852 2 a6853 1
d6869 2 a6870 1
d6874 2 a6875 1
d6881 2 a6882 1
d6891 2 a6892 1
d6905 2 a6906 1
d6941 2 a6942 1
d6945 2 a6946 1
d6954 2 a6955 1
d6960 2 a6961 1
d6976 2 a6977 1
d6982 1 d6986 2 a6987 1
d6992 1 d6994 2 a6995 1
d7001 2 a7002 1
d7008 1 d7010 2 a7011 1
d7016 2 a7017 1
d7038 2 a7039 1
d7048 3 a7050 2
d7062 2 a7063 1
d7074 2 a7075 1
d7084 2 a7085 1
d7091 1 a7091 1
d7106 2 a7107 1
d7123 1 a7123 1 d7125 2 a7126 1
d7132 2 a7133 1
d7141 2 a7142 1
d7155 2 a7156 1
d7166 2 a7167 1
d7201 2 a7202 1
d7209 2 a7210 1
d7222 2 a7223 1
d7229 2 a7230 1
d7238 2 a7239 1
d7248 2 a7249 1
d7255 2 a7256 1
d7264 2 a7265 1
d7273 2 a7274 1
d7282 1 a7282 1 d7286 2 a7287 1
d7298 2 a7299 1
The placeholder policy says "do not override but d7301 2 a7302 1
d7315 2 a7316 1
d7323 2 a7324 1
d7330 2 a7331 1
d7347 2 a7348 1
d7359 2 a7360 1
d7387 2 a7388 1
d7395 2 a7396 1
d7400 1 a7400 1
d7404 1 a7404 1
d7446 1 a7446 1
d7461 2 a7462 1
d7466 3 a7468 2
d7485 2 a7486 1
d7494 2 a7495 1
d7514 2 a7515 1
d7524 2 a7525 1
d7549 2 a7550 1
d7555 2 a7556 1
d7567 2 a7568 1
d7592 2 a7593 1
d7606 2 a7607 1
d7625 2 a7626 1
d7638 2 a7639 1
d7675 2 a7676 1
d7690 2 a7691 1
d7695 2 a7696 1
d7703 4 a7706 3
serverip_addr[/prefixlen]{ [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ transfersnumber; ] [ transfer-format( one-answer | many-answers ); ]] [ keys {key_id}; ] [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ query-source [ address (ip_addr|*) ] [ port (ip_port|*) ] [dscpip_dscp] ; ] [ query-source-v6 [ address (ip_addr|*) ] [ port (ip_port|*) ] [dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] }; d7740 4 a7743 2
d7757 2 a7758 1
d7773 2 a7774 1
d7780 1 a7780 1
d7796 2 a7797 1
d7807 2 a7808 1
d7822 2 a7823 1
d7828 2 a7829 1
d7848 2 a7849 1
d7857 9 a7865 1
d7879 2 a7880 1
transfers d7887 2 a7888 1
d7899 2 a7900 1
d7903 2 a7904 1
d7920 2 a7921 1
d7930 2 a7931 1
d7940 2 a7941 1
d7948 2 a7949 1
d7958 3 a7960 2
statistics-channels {
[ inet ( ip_addr | * ) [ port ip_port ]
[ allow { address_match_list } ]; ]
[ inet ...; ]
};
d7970 3
a7972 2
d7983 2 a7984 1
d7994 2 a7995 1
d8006 2 a8007 1
d8012 2 a8013 1
d8025 2 a8026 1
d8030 2 a8031 1
d8043 2 a8044 1
d8054 2 a8055 1
d8070 2 a8071 1
d8088 3 a8090 2
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] }; d8099 3 a8101 2
d8117 1 a8117 1
d8125 1 a8125 1
d8134 1 a8134 1
d8141 3 a8143 2
managed-keys {nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] }; d8152 3 a8154 2
d8167 1 a8167 1
d8177 1 a8177 1
d8188 1 a8188 1
d8199 1 a8199 1
d8212 1 a8212 1
d8220 1 a8220 1
d8225 3 a8227 3 key specified in the managed-keys is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d8229 1 a8229 1
d8237 18 a8254 15
named only maintains a single managed keys
database; consequently, unlike trusted-keys,
managed-keys may only be set at the top
level of named.conf, not within a view.
In the current implementation, the managed keys database is
stored as a master-format zone file called
managed-keys.bind. When the key database
is changed, the zone is updated. As with any other dynamic
zone, changes will be written into a journal file,
managed-keys.bind.jnl. They are committed
to the master file as soon as possible afterward; in the case
of the managed key database, this will usually occur within 30
d8256 4
a8259 4
automatic key maintenance, those two files can be expected to
exist in the working directory. (For this reason among others,
the working directory should be always be writable by
named.)
d8261 1
a8261 1
d8269 5 a8273 3 In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d8275 3 a8277 2
viewview_name[class] { match-clients {address_match_list}; match-destinations {address_match_list}; match-recursive-onlyyes_or_no; [view_option; ...] [zone_statement; ...] }; d8289 3 a8291 2
d8304 2 a8305 1
d8333 2 a8334 1
d8343 2 a8344 1
d8357 2 a8358 1
d8363 2 a8364 1
d8380 2 a8381 1
d8385 1 d8418 3 a8420 2
zonezone_name[class] { type master; [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-update {address_match_list}; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule[...] }; ] [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-methodincrement|unixtime; ] [ max-zone-ttlnumber; ] }; d8425 205 a8629 66 zonezone_name[class] { type slave; [ allow-notify {address_match_list}; ] [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-update-forwarding {address_match_list}; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [dscpip_dscp] [keykey] ) ; [...] }; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] }; d8631 1 a8631 63 zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. }; zonezone_name[class] { type stub; [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [dscpip_dscp] [keykey] ) ; [...] }; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statisticsfull|terse|none; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] }; zonezone_name[class] { type static-stub; [ allow-query {address_match_list}; ] [ server-addresses { [ip_addr; ... ] }; ] [ server-names { [namelist] }; ] [ zone-statisticsfull|terse|none; ] }; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ delegation-onlyyes_or_no; ] }; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list}; ] [ max-zone-ttlnumber; ] }; d8633 2 a8634 11 zonezone_name[class] { type delegation-only; }; zonezone_name[class] { [ in-viewstring; ] };
d8652 3 a8654 1
d8980 1 a8980 1
d8989 1 a8989 1
d8993 3 a8995 2
d9005 2 a9006 1
d9012 2 a9013 1
d9019 2 a9020 1
d9026 2 a9027 1
d9033 2 a9034 1
d9040 2 a9041 1
d9047 2 a9048 1
d9072 2 a9073 1
d9084 2 a9085 1
d9091 2 a9092 1
d9098 2 a9099 1
d9105 2 a9106 1
d9112 2 a9113 1
d9119 2 a9120 1
d9126 2 a9127 1
d9133 2 a9134 1
d9141 2 a9142 1
d9149 2 a9150 1
d9156 2 a9157 1
d9163 2 a9164 1
d9178 1 a9178 1
d9184 1 a9184 1
d9190 1 a9190 1 d9192 2 a9193 1
d9196 2 a9197 1
d9206 1 a9206 1
d9209 1 a9209 1 d9211 2 a9212 1
d9218 2 a9219 1
d9227 2 a9228 1
d9241 2 a9242 1
d9248 2 a9249 1
d9256 2 a9257 1
d9263 9 a9271 1
d9277 2 a9278 1
d9284 2 a9285 1
d9291 2 a9292 1
d9298 2 a9299 1
d9305 2 a9306 1
d9312 2 a9313 1
d9320 2 a9321 1
d9331 2 a9332 1
d9340 2 a9341 1
d9353 1 a9353 1
d9362 1 a9362 1
d9370 1 a9370 1 d9373 1 a9373 1
d9391 1 a9391 1
d9403 1 a9403 1
d9413 1 a9413 1 d9415 2 a9416 1
d9419 2 a9420 1
d9426 2 a9427 1
d9433 2 a9434 1
d9440 2 a9441 1
d9447 2 a9448 1
d9454 2 a9455 1
d9461 2 a9462 1
d9468 2 a9469 1
d9475 2 a9476 1
d9482 2 a9483 1
d9489 2 a9490 1
d9497 2 a9498 1
d9508 2 a9509 1
d9516 2 a9517 1
d9525 2 a9526 1
d9534 2 a9535 1
d9545 2 a9546 1
d9552 2 a9553 1
d9559 2 a9560 1
d9567 2 a9568 1
d9574 2 a9575 1
BIND 9 supports two alternative d9589 1 a9589 1
d9595 1 a9595 1
d9605 1 a9605 1
d9615 1 a9615 1
d9630 1 a9630 1
d9637 2 a9638 1
update-policy { grant local-ddns zonesub any; };
d9640 2
a9641 1
d9645 2
a9646 1
d9649 1
d9653 2
a9654 1
d9663 1
a9663 1
d9669 1
a9669 1
d9686 1
a9686 1
d9693 1
a9693 1
d9705 2
a9706 1
d9986 4
a9989 2
d9993 2
a9994 1
d10003 3
a10005 2
d10020 1 a10020 1
d10038 1 a10038 1d10042 1 a10042 1
d10050 1 a10050 1
d10057 1 a10057 1
d10061 1 a10061 1
d10065 5 a10069 4
d10084 1 a10084 1
d10098 2 a10099 1
d10102 2 a10103 1
d10183 2 a10184 1
d11195 2 a11196 1
d11263 1 a11263 1
d11283 1 a11283 1
d11289 2 a11290 2
d11307 1 a11307 1
d11313 1 a11313 1
d11324 1 a11324 1
d11328 1 a11328 1
d11331 2 a11332 1
d11444 1 a11444 1
d11448 1 a11448 1
d11451 2 a11452 1
d11496 4 a11499 3
d11512 2 a11513 1
d11530 1 a11530 1
d11539 2 a11540 1
d11698 2 a11699 1
d11760 2 a11761 2
d11780 2 a11781 1
d11823 3 a11825 3
d11837 1 a11837 1
d11841 1 a11841 1
d11852 2 a11853 2
d11862 1 a11862 1
$ORIGIN d11872 1 d11877 2 a11878 1
d11881 1 d11885 3 a11887 2
d11898 1 a11898 1
d11905 1 a11905 1
d11910 1 a11910 1
d11922 3 a11924 3
d11934 1 a11934 1
d11939 1 a11939 1
$TTL d11942 3 a11944 3
d11958 1 a11958 1
$GENERATE d11966 1 d11970 2 a11971 1
d11974 1 d11982 2 a11983 1
d11988 1 d11993 2 a11994 1
d11997 1 d12008 3 a12010 1
d12144 1 a12144 1
d12147 3 a12149 2
d12158 1 a12158 1
d12164 1 a12164 1
d12172 1 a12172 1
d12183 1 a12183 1
d12191 1 a12191 1
d12208 4 a12211 3
d12224 2 a12225 1
d12229 3 a12231 1
d12343 2 a12344 1
d12348 2 a12349 1
d12359 2 a12360 1
d12367 1 a12367 1
d12370 1 a12370 1
d12379 2 a12380 1
d12383 2 a12384 1
d12391 2 a12392 1
d12396 1 a12396 1
d12399 3 a12401 2
d12421 2 a12422 1
d13587 3 a13589 1
d13739 2 a13740 1
d13748 2 a13749 1
d13754 2 a13755 1
d13760 2 a13761 1
d13768 2 a13769 1
BIND 9.10.4-P8
@ 1.14.4.1 log @Pull up following revision(s) (requested by spz in ticket #47): doc/3RDPARTY: 1.1452 distrib/sets/lists/base/shl.mi: 1.818 distrib/sets/lists/debug/shl.mi: 1.177 external/bsd/bind/dist/CHANGES: up to 1.27 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.12 external/bsd/bind/dist/Makefile.in: up to 1.4 external/bsd/bind/dist/README: up to 1.15 external/bsd/bind/dist/acconfig.h: up to 1.10 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.14 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.11 external/bsd/bind/dist/bin/check/win32/checkconf.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checktool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checkzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.c: up to 1.9 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.8 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.5 external/bsd/bind/dist/bin/delv/delv.c: up to 1.6 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/win32/delv.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dig.1: up to 1.13 external/bsd/bind/dist/bin/dig/dig.c: up to 1.13 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.19 external/bsd/bind/dist/bin/dig/host.1: up to 1.7 external/bsd/bind/dist/bin/dig/host.c: up to 1.12 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/win32/dig.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/dighost.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/host.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/nslookup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dnssec/dnssectool.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssectool.h: up to 1.8 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/importkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/settime.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/verify.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/bin/named/client.c: up to 1.17 external/bsd/bind/dist/bin/named/config.c: up to 1.14 external/bsd/bind/dist/bin/named/control.c: up to 1.12 external/bsd/bind/dist/bin/named/geoip.c: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/config.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/globals.h: up to 1.10 external/bsd/bind/dist/bin/named/include/named/seccomp.h: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.12 external/bsd/bind/dist/bin/named/logconf.c: up to 1.9 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.7 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/bin/named/lwsearch.c: up to 1.5 external/bsd/bind/dist/bin/named/main.c: up to 1.21 external/bsd/bind/dist/bin/named/named.8: up to 1.10 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.15 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.15 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.11 external/bsd/bind/dist/bin/named/query.c: up to 1.25 external/bsd/bind/dist/bin/named/server.c: up to 1.22 external/bsd/bind/dist/bin/named/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.10 external/bsd/bind/dist/bin/named/update.c: up to 1.13 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.13 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.16 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.12 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch: delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch: delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2h-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/python/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.7 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.8 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.8 external/bsd/bind/dist/bin/python/isc/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/__init__.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/checkds.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/coverage.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/dnskey.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/eventlist.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keydict.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyevent.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyzone.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/dnskey_test.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/utils.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/setup.py: up to 1.1.1.1 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.10 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.15 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.7 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/db/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/db/win32/t_db.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/dst/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/dst/t_dst.c: up to 1.11 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/hashes/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/hashes/t_hashes.c: up to 1.6 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/master/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/master/win32/t_master.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/mdig.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/pkcs11/README: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/create.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/privrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/pubrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.10 external/bsd/bind/dist/bin/tests/resolver/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/acl/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/additional/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/addzone/ns2/hints.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/ns2/redirect.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c: delete external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/case/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/bad-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-slip.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-window.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rpz-zone.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/good-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/checkds/dig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkds/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/checknames/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/checkzone/zones/crashzone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/conf.sh.win32: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/coverage/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/database/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dialup/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/digcomp.pl: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dlv/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/dlopen.c: delete external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dns64/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dscp/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dsdigest/ns2/sign.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/feature-test.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c: delete external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/filter-aaaa.c: delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/geoip/geoip.c: delete external/bsd/bind/dist/bin/tests/system/geoip/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/glue/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/gost/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ifconfig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ifconfig.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/inline/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/integrity/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/mx-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/srv-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/legacy/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/limits/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/nosearch.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.10 external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/metadata/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/too-big.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/pending/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/pending/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11ssl/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/redirect/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/ns6/ds.example.net.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/rpz/rpz.c: delete external/bsd/bind/dist/bin/tests/system/rpz/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip21: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/spf/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c: delete external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/stop.pl: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/stub/tests.sh: up to 1.5 external/bsd/bind/dist/bin/tests/system/tcp/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tsig/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsig/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tsig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in: delete external/bsd/bind/dist/bin/tests/system/tsiggss/gssapi_krb.c: delete external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/unknown/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/v6synth/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/verify/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/views/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/ns1/axfr-too-big.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/ixfr-too-big.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/xfer/ns6/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/xferquota/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/ans5/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/win32/makejournal.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.7 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.8 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.7 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.7 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.12 external/bsd/bind/dist/bind.keys: up to 1.1.1.7 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.5 external/bsd/bind/dist/config.h.in: up to 1.14 external/bsd/bind/dist/configure: up to 1.8 external/bsd/bind/dist/configure.in: up to 1.10 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.5 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.2 external/bsd/bind/dist/contrib/queryperf/utils/gen-data-queryperf.py: up to 1.1.1.4 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.6 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.20 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.15 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.10 external/bsd/bind/dist/doc/misc/options: up to 1.9 external/bsd/bind/dist/doc/misc/sort-options.pl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.1: up to 1.7 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.9 external/bsd/bind/dist/lib/Atffile: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.19 external/bsd/bind/dist/lib/bind9/check.c: up to 1.15 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/dns/acl.c: up to 1.8 external/bsd/bind/dist/lib/dns/adb.c: up to 1.13 external/bsd/bind/dist/lib/dns/api: up to 1.15 external/bsd/bind/dist/lib/dns/client.c: up to 1.13 external/bsd/bind/dist/lib/dns/db.c: up to 1.9 external/bsd/bind/dist/lib/dns/dbtable.c: up to 1.6 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.12 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.14 external/bsd/bind/dist/lib/dns/dst_gost.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/dst_internal.h: up to 1.11 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.10 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.10 external/bsd/bind/dist/lib/dns/ecdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.10 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/events.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/keytable.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/masterdump.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/peer.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.13 external/bsd/bind/dist/lib/dns/include/dns/rdata.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/rdataslab.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/tsig.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.18 external/bsd/bind/dist/lib/dns/include/dns/zt.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/include/dst/gssapi.h: up to 1.6 external/bsd/bind/dist/lib/dns/iptable.c: up to 1.6 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.12 external/bsd/bind/dist/lib/dns/masterdump.c: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.23 external/bsd/bind/dist/lib/dns/name.c: up to 1.14 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.14 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/peer.c: up to 1.8 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.13 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.24 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.15 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.12 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdataslab.c: up to 1.12 external/bsd/bind/dist/lib/dns/request.c: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.31 external/bsd/bind/dist/lib/dns/result.c: up to 1.8 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.12 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.11 external/bsd/bind/dist/lib/dns/tests/Krsa.+005+29235.key: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.9 external/bsd/bind/dist/lib/dns/tests/acl_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/dh_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rsa_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.12 external/bsd/bind/dist/lib/dns/tsec.c: up to 1.5 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.10 external/bsd/bind/dist/lib/dns/view.c: up to 1.13 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.14 external/bsd/bind/dist/lib/dns/zone.c: up to 1.17 external/bsd/bind/dist/lib/dns/zt.c: up to 1.9 external/bsd/bind/dist/lib/irs/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.10 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.9 external/bsd/bind/dist/lib/irs/include/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.10 external/bsd/bind/dist/lib/irs/tests/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/resconf_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/domain.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v6.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-debug.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-ndots.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/port.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/resolv.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/search.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/sortlist-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/isc/aes.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.22 external/bsd/bind/dist/lib/isc/backtrace-emptytbl.c: up to 1.5 external/bsd/bind/dist/lib/isc/hash.c: up to 1.11 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.10 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.11 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/backtrace.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/errno.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/isc/event.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/hmacmd5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/hmacsha.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/md5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/sha1.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sha2.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.11 external/bsd/bind/dist/lib/isc/include/isc/types.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pk11/README.site: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pk11/pk11.h: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/pk11/site.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11f.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11t.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/lex.c: up to 1.9 external/bsd/bind/dist/lib/isc/log.c: up to 1.9 external/bsd/bind/dist/lib/isc/md5.c: up to 1.9 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/mips/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.9 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/print.c: up to 1.7 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/radix.c: up to 1.9 external/bsd/bind/dist/lib/isc/random.c: up to 1.6 external/bsd/bind/dist/lib/isc/ratelimiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/sha1.c: up to 1.9 external/bsd/bind/dist/lib/isc/sha2.c: up to 1.11 external/bsd/bind/dist/lib/isc/task.c: up to 1.14 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/tests/errno_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/netaddr_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/dir.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/unix/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.12 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/include/isc/net.h: up to 1.7 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.21 external/bsd/bind/dist/lib/isc/unix/stdio.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/app.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/condition.c: up to 1.5 external/bsd/bind/dist/lib/isc/win32/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/win32/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/include/isc/ipv6.h: up to 1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.13 external/bsd/bind/dist/lib/isc/win32/stdio.c: up to 1.6 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.12 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/win32/libisccc.def: up to 1.1.1.2 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.14 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.9 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.15 external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/lwres_grbn.c: up to 1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/win32/liblwres.def: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/win32/async.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/nsprobe.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/request.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/resolve.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/update.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/tests/t_api.c: up to 1.8 external/bsd/bind/dist/make/rules.in: up to 1.8 external/bsd/bind/dist/srcid: up to 1.21 external/bsd/bind/dist/util/bindkeys.pl: up to 1.1.1.2 external/bsd/bind/dist/version: up to 1.25 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.7 external/bsd/bind/dist/win32utils/bind9.sln.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.5 external/bsd/bind/dist/win32utils/legacy/BINDBuild.dsw.in: up to 1.5 external/bsd/bind/dist/win32utils/legacy/BuildAll.bat.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildPost.bat.in: up to 1.1.1.3 external/bsd/bind/dist/win32utils/readme1st.txt: up to 1.1.1.8 external/bsd/bind/include/config.h: up to 1.21 external/bsd/bind/include/dns/code.h: up to 1.13 external/bsd/bind/include/dns/enumclass.h: up to 1.9 external/bsd/bind/include/dns/enumtype.h: up to 1.13 external/bsd/bind/include/dns/rdatastruct.h: up to 1.13 external/bsd/bind/include/isc/platform.h: up to 1.23 external/bsd/bind/lib/libbind9/shlib_version: up to 1.17 external/bsd/bind/lib/libdns/shlib_version: up to 1.19 external/bsd/bind/lib/libirs/shlib_version: up to 1.6 external/bsd/bind/lib/libisc/shlib_version: up to 1.19 external/bsd/bind/lib/libisccc/shlib_version: up to 1.17 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.17 external/bsd/bind/lib/liblwres/shlib_version: up to 1.17 Update BIND to 9.10.5-P1. @ text @a0 1 d2 1 a2 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d109 1 a109 2d119 1 a119 2
d125 1 a125 1
d132 1 a132 2
address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} ) d512 2 a513 3
d523 3 a525 4
d541 1 a541 2
d548 1 a548 2
d555 1 a555 2
d560 1 a560 2
d579 1 a579 2
d595 3 a597 4
d607 1 a607 2
d622 2 a623 2
d630 1 a630 1
d636 1 a636 1
d640 1 a640 1
d651 1 a651 2
d658 1 a658 1
d668 1 a668 1
d675 1 a675 2
d685 1 a685 2
d693 5 a697 6
d708 1 a708 2
d711 1 a711 3
d877 1 a877 2
aclacl-name{address_match_list}; d884 2 a885 3
d894 1 a894 2
d897 1 a897 3
d964 1 a964 1
d971 1 a971 1
d987 1 a987 1
d1002 1 a1002 1
d1005 1 a1005 1
geoip country US;
d1015 2
a1016 4
controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] }; d1029 2 a1030 4
d1041 1 a1041 2
d1054 1 a1054 2
d1058 1 a1058 2
d1068 1 a1068 2
d1077 1 a1077 2
d1086 1 a1086 2
d1100 1 a1100 2
d1113 1 a1113 2
d1134 1 a1134 2
d1139 2 a1140 3
include filename;
d1158 2 a1159 3
keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1167 2 a1168 4
d1178 1 a1178 2
d1189 1 a1189 2
d1198 1 a1198 2
d1212 2 a1213 3
logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... }; d1236 2 a1237 4
d1248 1 a1248 1
a1253 1 d1259 1 a1259 2
d1270 1 a1270 2
d1277 1 a1277 2
d1288 1 a1288 2
d1293 1 a1293 2
d1301 1 a1301 2
d1324 1 a1324 2
d1340 1 a1340 2
a1343 1 d1350 1 a1350 2
d1372 1 a1372 1
d1375 1 a1375 1
d1384 1 a1384 1
d1396 1 a1396 2
d1405 1 a1405 2
a1418 1 d1424 1 a1424 2
d1431 1 a1431 1
d1449 1 a1449 2
d1452 1 a1452 2
a1457 1 d1485 1 a1485 2
d1493 1 a1493 2
d1503 1 a1503 2
d1509 2 a1510 3
a1521 1 d1524 1 a1524 2
a1528 1 d1538 1 a1538 2
a1540 1 d1544 1 a1544 2
d1549 1 a1549 2
d1917 1 a1917 2
d1921 1 a1921 1
d1924 1 a1924 1
d1932 1 a1932 1
d1938 1 a1938 1
d1949 1 a1949 1
d1956 1 a1956 1
d1966 1 a1966 1
d1976 1 a1976 3
d2123 1 a2123 1
d2132 3 a2134 4
d2141 7 a2147 10
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] }; d2149 2 a2150 3
d2161 1 a2161 2
d2172 1 a2172 2
d2183 1 a2183 2
d2191 1 a2191 2
d2200 2 a2201 2
name [ port ip_port ] [ dscp ip_dscp ] {
( masters_list ; ) |
( ip_addr [ port ip_port ] [ key key ] ; )
...
};
d2208 2
a2209 4
masters d2218 2 a2219 3
d2226 255 a2480 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] } ; ] d2482 2 a2483 4
d2496 1 a2496 2
d2508 1 a2508 2
d2514 1 a2514 2
d2524 1 a2524 2
d2531 1 a2531 2
a2539 1 d2554 1 a2554 2
d2569 1 a2569 2
d2581 1 a2581 1 d2583 1 a2583 2
d2596 1 a2596 2
d2607 1 a2607 2
d2618 1 a2618 2
d2626 1 a2626 1
d2635 1 a2635 1 d2637 1 a2637 2
d2644 1 a2644 2
d2651 1 a2651 2
d2666 1 a2666 2
d2684 1 a2684 2
d2694 2
a2695 3
most cases, the key_name should be the server's host name.
d2699 1 a2699 2
d2706 1 a2706 2
d2712 1 a2712 2
d2726 1 a2726 2
d2733 1 a2733 2
d2742 1 a2742 2
d2751 1 a2751 2
d2759 1 a2759 2
d2771 1 a2771 2
d2776 1 a2776 2
d2783 1 a2783 2
d2793 1 a2793 2
d2800 1 a2800 2
d2819 1 a2819 2
d2828 1 a2828 2
d2838 1 a2838 1
d2845 1 a2845 1
d2861 1 a2861 1
d2866 1 a2866 1
a2869 1 d2875 1 a2875 2 d2878 1 a2878 1
d2886 1 a2886 1
d2891 1 a2891 1 d2894 1 a2894 1
d2902 1 a2902 1
d2907 1 a2907 1 d2910 1 a2910 1
d2922 1 a2922 1
d2928 1 a2928 1
d2933 1 a2933 1
d2944 1 a2944 1
d2951 1 a2951 1
d2957 1 a2957 1 d2959 1 a2959 2
d2969 1 a2969 2
d2980 1 a2980 1
d2984 1 a2984 1
d2994 1 a2994 1
d3000 1 a3000 1
d3007 1 a3007 1
d3016 1 a3016 1 defaults to ::ffff:0.0.0.0/96. d3018 1 a3018 1
d3026 1 a3026 1
d3032 1 a3032 1
d3051 1 a3051 1 d3053 1 a3053 2
d3066 1 a3066 2
d3082 1 a3082 1
d3088 1 a3088 1
d3097 1 a3097 1 d3100 1 a3100 1
d3109 1 a3109 1
d3117 1 a3117 1
d3122 1 a3122 1
d3127 1 a3127 1 d3130 1 a3130 1
d3135 1 a3135 1
d3141 1 a3141 1
d3149 1 a3149 1 d3152 1 a3152 1
d3164 1 a3164 1
d3172 1 a3172 1
d3183 1 a3183 1 d3185 1 a3185 2
d3197 1 a3197 1
d3202 1 a3202 1 d3204 1 a3204 2
d3209 1 a3209 2
d3220 1 a3220 2
d3227 1 a3227 2
d3235 1 a3235 2
d3253 1 a3253 1
d3260 1 a3260 1
d3272 1 a3272 1
d3282 1 a3282 1
d3297 1 a3297 3
d3453 1 a3453 2 d3455 1 a3455 2
d3460 1 a3460 2
d3471 1 a3471 2
d3478 1 a3478 2
d3488 1 a3488 2
d3495 1 a3495 2
d3505 1 a3505 2
d3514 1 a3514 2
d3522 1 a3522 2
d3536 1 a3536 1
d3545 1 a3545 1
d3554 1 a3554 1 d3556 1 a3556 2
d3565 1 a3565 2
d3583 1 a3583 2
d3594 1 a3594 2
d3612 1 a3612 2
d3621 1 a3621 2
d3631 1 a3631 2
d3640 1 a3640 1
d3646 2 a3647 30
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is yes.
d3653 1 a3653 2
d3664 1 a3664 2
d3671 1 a3671 2
d3678 1 a3678 2
d3691 1 a3691 2
d3703 1 a3703 2
d3723 1 a3723 2
d3733 1 a3733 2
d3742 1 a3742 2
d3752 1 a3752 2
d3770 1 a3770 2 d3773 1 a3773 1
d3778 1 a3778 1
d3787 1 a3787 1 d3790 1 a3790 1
d3804 1 a3804 1
d3812 1 a3812 1
d3818 1 a3818 1
d3826 1 a3826 1
d3833 1 a3833 1
d3838 1 a3838 1 d3840 1 a3840 2
d3845 1 a3845 2
d3858 1 a3858 1
d3870 1 a3870 1
ixfr-from-differences d3879 1 a3879 1 d3881 1 a3881 2
d3889 1 a3889 2
d3897 1 a3897 1
d3903 1 a3903 1
d3926 1 a3926 1
d3929 1 a3929 1 d3931 1 a3931 2
d3938 1 a3938 2
d3955 1 a3955 1
d3963 2 a3964 2
d3972 1 a3972 2
d3980 1 a3980 2
d3996 1 a3996 1
d4000 1 a4000 1
check-names d4008 1 a4008 1 d4010 1 a4010 2
d4016 1 a4016 2
d4023 1 a4023 2
d4033 1 a4033 2
d4049 1 a4049 1
d4059 1 a4059 1 d4061 1 a4061 2
d4065 1 a4065 2
d4071 1 a4071 2
d4076 1 a4076 2
d4084 1 a4084 2
d4091 1 a4091 2
d4097 1 a4097 2
d4105 1 a4105 1
d4116 1 a4116 1
d4124 1 a4124 1 d4127 1 a4127 1
d4137 1 a4137 1
d4142 1 a4142 1 d4144 1 a4144 2
d4148 1 a4148 2
d4159 1 a4159 1
d4166 1 a4166 1
d4173 1 a4173 1 d4175 2 a4176 4
d4189 1 a4189 2
d4201 1 a4201 2
d4207 1 a4207 2
d4218 2 a4219 3
d4229 1 a4229 2
d4240 1 a4240 2
d4251 1 a4251 2
d4266 1 a4266 2
d4278 1 a4278 1
d4284 2 a4285 2
d4295 1 a4295 1
d4301 1 a4301 1
d4307 1 a4307 1
d4311 1 a4311 1
d4317 2 a4318 2
d4329 1 a4329 2
d4337 1 a4337 2
d4348 1 a4348 2
d4354 1 a4354 2
d4363 1 a4363 2
d4383 1 a4383 1
d4391 1 a4391 1 d4393 1 a4393 2
d4401 1 a4401 2
d4411 1 a4411 2
d4419 1 a4419 2
d4425 1 a4425 2
d4436 1 a4436 1
d4444 1 a4444 1
d4456 1 a4456 1
d4461 1 a4461 1
d4476 1 a4476 1 d4478 1 a4478 2
d4484 1 a4484 2
d4499 1 a4499 1
a4503 1 d4507 1 a4507 2
d4512 1 a4512 2
d4516 1 a4516 2
d4522 1 a4522 2
d4537 1 a4537 2
d4546 1 a4546 2
a4550 1 d4554 1 a4554 2
d4560 1 a4560 2
a4562 1 d4565 2 a4566 4
d4578 1 a4578 2
d4589 1 a4589 2
a4593 1 d4597 1 a4597 2
a4606 1 d4610 1 a4610 2
d4626 1 a4626 2
d4638 1 a4638 2
a4642 1 d4646 1 a4646 2
d4658 1 a4658 2
d4662 1 a4662 2
d4666 1 a4666 2
d4670 1 a4670 2
d4680 2 a4681 2
d4687 2 a4688 2
d4694 3 a4696 4
d4705 1 a4705 2
d4726 1 a4726 1
d4739 1 a4739 1 d4741 1 a4741 2
d4746 1 a4746 2
d4753 1 a4753 2
d4760 1 a4760 2
d4767 1 a4767 2
d4783 1 a4783 1
d4790 1 a4790 1 d4792 1 a4792 2
d4801 1 a4801 2
d4823 1 a4823 3
d4832 1 a4832 2
d4839 1 a4839 2
d4853 1 a4853 2
transfer-source d4877 1 a4877 1
d4883 2 a4884 2
d4889 1 a4889 2
d4898 1 a4898 1
d4916 1 a4916 2
d4924 1 a4924 2
notify-source d4941 1 a4941 1
d4947 2 a4948 2
d4953 1 a4953 2
a4969 1 d4974 1 a4974 2
d4980 1 a4980 2
d4997 2 a4998 3
d5014 1 a5014 2
d5022 1 a5022 2
d5027 1 a5027 2
d5044 1 a5044 2
d5049 1 a5049 2
d5054 1 a5054 2
d5065 1 a5065 2
d5072 1 a5072 2
d5085 1 a5085 9
The maximum number of records permitted in a zone. The default is zero which means unlimited.
d5091 1 a5091 2
d5105 1 a5105 1
d5112 1 a5112 1
d5122 1 a5122 1 d5124 1 a5124 2
d5128 1 a5128 2
These set the d5141 1 a5141 1
d5151 1 a5151 1
d5156 1 a5156 1
d5161 1 a5161 1 d5166 1 a5166 1
d5176 1 a5176 1
d5188 1 a5188 1
d5196 1 a5196 1
d5201 1 a5201 1
d5214 1 a5214 1
d5218 1 a5218 1 d5223 1 a5223 1
d5233 1 a5233 1
d5242 1 a5242 1
d5247 1 a5247 1
d5263 1 a5263 1
d5267 1 a5267 1 d5270 1 a5270 1
d5275 1 a5275 1
d5283 1 a5283 1
d5298 1 a5298 1
d5302 1 a5302 1 d5305 1 a5305 1
d5315 1 a5315 1
d5318 1 a5318 1 d5320 1 a5320 2
d5336 1 a5336 2
d5348 1 a5348 2
d5365 1 a5365 2
d5375 1 a5375 2
d5390 1 a5390 2
d5402 1 a5402 1
d5406 2 a5407 2
a5429 1 d5435 1 a5435 2
d5441 1 a5441 1
a5443 1 d5446 1 a5446 2
d5452 3 a5454 4
d5473 1 a5473 2
d5489 1 a5489 1
d5504 1 a5504 1
a5521 1 d5545 1 a5545 2
a5556 1 d5562 2 a5563 3
d5576 1 a5576 2
d5580 1 a5580 1
d5586 1 a5586 1
d5591 1 a5591 1
d5594 1 a5594 2
a5641 1 d5647 1 a5647 2
d5653 1 a5653 1
d5657 1 a5657 1
d5660 1 a5660 2
d5669 3 a5671 4
d5685 1 a5685 2
d5691 1 a5691 2 d5693 1 a5693 2
d5703 1 a5703 2
d5713 1 a5713 2
d5722 1 a5722 1
d5727 2 a5728 2
d5745 1 a5745 1
d5750 1 a5750 1
d5756 1 a5756 1 d5758 1 a5758 2
d5763 1 a5763 2
d5770 1 a5770 2
d5778 1 a5778 1
d5782 1 a5782 1
d5798 1 a5798 1 d5803 1 a5803 1
d5813 1 a5813 1
d5822 1 a5822 1
d5830 1 a5830 1 d5833 1 a5833 1
d5841 1 a5841 1
d5848 1 a5848 1
d5853 1 a5853 1
d5864 1 a5864 1
d5872 1 a5872 1
d5880 1 a5880 1 d5883 1 a5883 1
d5890 1 a5890 1
d5895 1 a5895 1
d5904 1 a5904 1
d5908 1 a5908 1 d5911 1 a5911 1
Specifies d5922 1 a5922 1
d5936 1 a5936 1
d5945 1 a5945 1 d5949 1 a5949 2
d5958 1 a5958 2
d5970 1 a5970 2
d5977 1 a5977 1
d5981 1 a5981 1 d5983 1 a5983 2
d5988 1 a5988 2
d5998 1 a5998 1
d6010 1 a6010 1
d6020 1 a6020 1 d6022 2 a6023 4
d6045 1 a6045 1
d6052 1 a6052 2
d6061 1 a6061 2
d6074 1 a6074 2
d6088 1 a6088 2
d6106 1 a6106 1
d6111 1 a6111 1
d6215 1 a6215 1
d6227 1 a6227 1
d6236 1 a6236 1
d6251 1 a6251 2
d6257 1 a6257 2
d6262 1 a6262 2
d6267 1 a6267 2
d6283 1 a6283 2
d6291 1 a6291 2
d6300 1 a6300 2
d6313 1 a6313 2
d6329 1 a6329 2
d6333 1 a6333 2
d6338 1 a6338 2
d6346 1 a6346 2
d6358 1 a6358 2
d6390 1 a6390 2
d6393 1 a6393 2
d6401 1 a6401 2
d6406 1 a6406 2
d6421 1 a6421 2
a6425 1 d6429 1 a6429 2
a6433 1 d6435 1 a6435 2
d6441 1 a6441 2
a6446 1 d6448 1 a6448 2
d6453 1 a6453 2
d6474 1 a6474 2
d6483 2 a6484 3
d6495 1 a6495 2
d6506 1 a6506 2
d6515 1 a6515 2
d6521 1 a6521 1
d6536 1 a6536 2
d6552 1 a6552 1 d6554 1 a6554 2
d6560 1 a6560 2
d6567 1 a6567 2
d6579 1 a6579 2
d6588 1 a6588 2
d6621 1 a6621 2
d6628 1 a6628 2
d6640 1 a6640 2
d6646 1 a6646 2
d6653 1 a6653 2
d6661 1 a6661 2
d6666 1 a6666 2
d6673 1 a6673 2
d6681 1 a6681 2
d6689 1 a6689 1 d6693 1 a6693 2
d6704 1 a6704 2
The placeholder policy says "do not override but d6706 1 a6706 2
d6718 1 a6718 2
d6724 1 a6724 2
d6729 1 a6729 2
d6744 1 a6744 2
d6755 1 a6755 2
d6782 1 a6782 2
d6789 1 a6789 2
d6793 1 a6793 1
d6797 1 a6797 1
d6839 1 a6839 1
d6854 1 a6854 2
d6858 2 a6859 3
d6875 1 a6875 2
d6883 1 a6883 2
d6902 1 a6902 2
d6911 1 a6911 2
d6935 1 a6935 2
d6940 1 a6940 2
d6951 1 a6951 2
d6975 1 a6975 2
d6988 1 a6988 2
d7006 1 a7006 2
d7018 1 a7018 2
d7054 1 a7054 2
d7068 1 a7068 2
d7072 1 a7072 2
d7079 3 a7081 4
server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ; d7109 2 a7110 4
d7123 1 a7123 2
d7138 1 a7138 2
d7144 1 a7144 1
d7160 1 a7160 2
d7170 1 a7170 2
d7184 1 a7184 2
d7189 1 a7189 2
d7208 1 a7208 2
d7216 1 a7216 9
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
d7230 1 a7230 2
transfers d7237 1 a7237 2
d7248 1 a7248 2
d7251 1 a7251 2
d7267 1 a7267 2
d7276 1 a7276 2
d7285 1 a7285 2
d7292 1 a7292 2
d7301 2 a7302 3
statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... }; d7311 2 a7312 3
d7322 1 a7322 2
d7332 1 a7332 2
d7343 1 a7343 2
d7348 1 a7348 2
d7360 1 a7360 2
d7364 1 a7364 2
d7376 1 a7376 2
d7386 1 a7386 2
d7401 1 a7401 2
d7418 2 a7419 3
trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ; d7427 2 a7428 3
d7443 1 a7443 1
d7451 1 a7451 1
d7460 1 a7460 1
d7467 2 a7468 3
managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ; d7476 2 a7477 3
d7489 1 a7489 1
d7499 1 a7499 1
d7510 1 a7510 1
d7521 1 a7521 1
d7534 1 a7534 1
d7542 1 a7542 1
d7547 3 a7549 3 key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d7551 1 a7551 1
d7559 15 a7573 18
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in
use, there will be a separate managed keys database for each
view; the filename will be a hash of the view name followed by
the suffix .mkeys.
When the key database is changed, the zone is updated.
As with any other dynamic zone, changes will be written
into a journal file, e.g.,
managed-keys.bind.jnl.
Changes are committed to the master file as soon as
possible afterward; this will usually occur within 30
d7575 4
a7578 4
automatic key maintenance, the zone file and journal file
can be expected to exist in the working directory.
(For this reason among others, the working directory
should be always be writable by named.)
d7580 1
a7580 1
d7588 3 a7590 5 (Note: The ISC DLV service is expected to cease operation by the end of 2017.) In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d7592 2 a7593 3
viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ; d7605 2 a7606 3
d7618 1 a7618 2
d7646 1 a7646 2
d7655 1 a7655 2
d7668 1 a7668 2
d7673 1 a7673 2
d7689 1 a7689 2
a7692 1 d7725 2 a7726 3
zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ; d7927 2 a7928 3
d7944 1 a7944 3
d8267 1 a8267 1
d8276 1 a8276 1
d8280 2 a8281 3
d8289 1 a8289 2
d8294 1 a8294 2
d8299 1 a8299 2
d8304 1 a8304 2
d8309 1 a8309 2
d8314 1 a8314 2
d8319 1 a8319 2
d8342 1 a8342 2
d8352 1 a8352 2
d8357 1 a8357 2
d8362 1 a8362 2
d8367 1 a8367 2
d8372 1 a8372 2
d8377 1 a8377 2
d8382 1 a8382 2
d8387 1 a8387 2
d8393 1 a8393 2
d8399 1 a8399 2
d8404 1 a8404 2
d8409 1 a8409 2
d8423 1 a8423 1
d8429 1 a8429 1
d8435 1 a8435 1 d8437 1 a8437 2
d8440 1 a8440 2
d8449 1 a8449 1
d8452 1 a8452 1 d8454 1 a8454 2
d8460 1 a8460 2
d8467 1 a8467 2
d8479 1 a8479 2
d8484 1 a8484 2
d8490 1 a8490 2
d8495 1 a8495 9
See the description of max-records in the section called “Server Resource Limits”.
d8500 1 a8500 2
d8505 1 a8505 2
d8510 1 a8510 2
d8515 1 a8515 2
d8520 1 a8520 2
d8525 1 a8525 2
d8531 1 a8531 2
d8540 1 a8540 2
d8547 1 a8547 2
d8559 1 a8559 1
d8568 1 a8568 1
d8576 1 a8576 1 d8579 1 a8579 1
d8597 1 a8597 1
d8609 1 a8609 1
d8619 1 a8619 1 d8621 1 a8621 2
d8624 1 a8624 2
d8629 1 a8629 2
d8634 1 a8634 2
d8639 1 a8639 2
d8644 1 a8644 2
d8649 1 a8649 2
d8654 1 a8654 2
d8659 1 a8659 2
d8664 1 a8664 2
d8669 1 a8669 2
d8674 1 a8674 2
d8680 1 a8680 2
d8689 1 a8689 2
d8695 1 a8695 2
d8702 1 a8702 2
d8709 1 a8709 2
d8718 1 a8718 2
d8723 1 a8723 2
d8728 1 a8728 2
d8734 1 a8734 2
d8739 1 a8739 2
BIND 9 supports two alternative d8751 1 a8751 1
d8757 1 a8757 1
d8767 1 a8767 1
d8777 1 a8777 1
d8792 1 a8792 1
d8799 1 a8799 2
update-policy { grant local-ddns zonesub any; };
d8801 1
a8801 2
d8805 1
a8805 2
a8807 1
d8811 1
a8811 2
d8820 1
a8820 1
d8826 1
a8826 1
d8843 1
a8843 1
d8850 1
a8850 1
d8862 1
a8862 2
d9142 2
a9143 4
d9147 1
a9147 2
d9156 2
a9157 3
d9171 1 a9171 1
d9189 1
a9189 1
d9193 1
a9193 1
d9201 1
a9201 1
d9208 1
a9208 1
d9212 1
a9212 1
d9216 4
a9219 5
d9232 1 a9232 1
d9245 1 a9245 2
d9248 1 a9248 2
d9327 1 a9327 2
d10337 1 a10337 2
d10402 1 a10402 1
d10422 1 a10422 1
d10428 2 a10429 2
d10445 1 a10445 1
d10451 1 a10451 1
d10462 1 a10462 1
d10466 1 a10466 1
d10469 1 a10469 2
d10580 1 a10580 1
d10584 1 a10584 1
d10587 1 a10587 2
d10630 3 a10632 4
d10644 1 a10644 2
d10661 1 a10661 1
d10670 1 a10670 2
d10826 1 a10826 2
d10886 2 a10887 2
d10905 1 a10905 2
d10946 3 a10948 3
d10959 1 a10959 1
d10963 1 a10963 1
d10973 2 a10974 2
d10982 1 a10982 1
$ORIGIN a10991 1 d10996 1 a10996 2
a10998 1 d11002 2 a11003 3
d11013 1 a11013 1
d11020 1 a11020 1
d11025 1 a11025 1
d11037 3 a11039 3
d11048 1 a11048 1
d11053 1 a11053 1
$TTL d11056 3 a11058 3
d11071 1 a11071 1
$GENERATE a11078 1 d11082 1 a11082 2
a11084 1 d11092 1 a11092 2
a11096 1 d11101 1 a11101 2
a11103 1 d11114 1 a11114 3
d11247 1 a11247 1
d11250 2 a11251 3
d11259 1 a11259 1
d11265 1 a11265 1
d11273 1 a11273 1
d11284 1 a11284 1
d11292 1 a11292 1
d11309 3 a11311 4
d11323 1 a11323 2
d11327 1 a11327 3
d11437 1 a11437 2
d11441 1 a11441 2
d11451 1 a11451 2
d11457 1 a11457 1
d11460 1 a11460 1
d11469 1 a11469 2
d11472 1 a11472 2
d11479 1 a11479 2
d11483 1 a11483 1
d11486 2 a11487 3
d11506 1 a11506 2
d12657 1 a12657 3
d12804 1 a12804 2
d12811 1 a12811 2
d12815 1 a12815 2
d12819 1 a12819 2
d12825 1 a12825 2
BIND 9.10.5-P1
@ 1.13 log @Merge 9.10.4-P6 4558. [bug] Synthesised CNAME before matching DNAME was still being cached when it should have been. [RT #44318] 4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434] @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.12 log @merge bind-9.10.4-P5 @ text @d12848 1 a12848 1BIND 9.10.4-P5
@ 1.12.2.1 log @Sync with HEAD @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.11 log @merge conflicts @ text @d12848 1 a12848 1BIND 9.10.4-P4
@ 1.10 log @Merge conflicts. @ text @d12848 1 a12848 1BIND 9.10.4-P3
@ 1.9 log @merge conflicts @ text @d12848 1 a12848 1BIND 9.10.4-P1
@ 1.9.2.1 log @Sync with HEAD @ text @d12848 1 a12848 1BIND 9.10.4-P4
@ 1.9.2.2 log @Sync with HEAD @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.9.2.3 log @Sync with HEAD @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.8 log @merge conflicts @ text @a16 1 d21 2 a22 2 d41 3 a43 3acl
d730 1 a730 1controls
d735 1 a735 1 by the rndc utility. d741 1 a741 1include
d751 1 a751 1key
d762 1 a762 1logging
d773 1 a773 1lwres
d777 2 a778 2 configures named to also act as a light-weight resolver daemon (lwresd). d784 1 a784 1masters
d790 2 a791 2 masters or also-notify lists. d797 1 a797 1options
d808 1 a808 1server
d819 1 a819 1statistics-channels
d824 1 a824 1 named statistics. d830 1 a830 1trusted-keys
d840 1 a840 1managed-keys
d851 1 a851 1view
d861 1 a861 1zone
d872 2 a873 2 The logging and options statements may only occur once d877 1 a877 1acl acl-name { d885 1 a885 1d887 1 a887 1 acl Statement Definition and d890 1 a890 1 The acl statement assigns a symbolic d899 2 a900 2d905 1 a905 1 any
d915 1 a915 1none
d925 1 a925 1localhost
d931 1 a931 1 added or removed, the localhost d938 1 a938 1localnets
d945 1 a945 1 the localnets d950 1 a950 1 In such a case, localnets d952 1 a952 1 IPv6 addresses, just like localhost. d962 1 a962 1 geoip [dbdatabase]fieldvalued1016 1 a1016 1
controls { d1030 1 a1030 1d1032 1 a1032 1 controls Statement Definition and d1035 1 a1035 1 The controls statement declares control d1038 1 a1038 1 used by the rndc utility to send d1042 4 a1045 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d1049 2 a1050 2 use an ip_addr of::. If you will only use rndc on the local host, d1056 1 a1056 1 "*" cannot be used for ip_port. d1060 2 a1061 2 restricted by the allow and keys clauses. d1063 3 a1065 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1069 1 a1069 1 A unix control channel is a UNIX domain d1071 2 a1072 2 Access to the socket is specified by the perm, owner and group clauses. d1074 1 a1074 1 (perm) are applied to the parent directory d1079 3 a1081 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1083 2 a1084 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1087 2 a1088 2 If no controls statement is present, named will set up a default d1091 3 a1093 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1104 1 a1104 1 messages and thus did not have a keys clause. d1108 2 a1109 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1125 1 a1125 1 named is running as) can access it. d1128 1 a1128 1 rndc commands, then you need to create d1136 2 a1137 2 controls statement: controls { };. d1140 1 a1140 1
include filename;
d1145 1
a1145 1
key key_id {
d1168 1
a1168 1
logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1226 3 a1228 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1230 1 a1230 1 [ categorycategory_name{ d1237 1 a1237 1
default
The default category defines the logging options for those categories where no specific configuration has been defined.
d1578 2 a1579 2general
d1581 4 a1584 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1588 2 a1589 2database
d1591 6 a1596 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1600 2 a1601 2security
d1603 7 a1609 4Approval and denial of requests.
d1613 2 a1614 2config
d1616 8 a1623 4Configuration file parsing and processing.
d1627 2 a1628 2resolver
d1630 5 a1634 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1638 2 a1639 2xfer-in
d1641 4 a1644 4Zone transfers the server is receiving.
d1648 2 a1649 2xfer-out
d1651 28 a1678 4Zone transfers the server is sending.
d1682 2 a1683 2notify
d1685 5 a1689 4The NOTIFY protocol.
d1693 2 a1694 2client
d1696 6 a1701 4Processing of client requests.
d1705 2 a1706 2unmatched
d1708 4 a1711 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1715 2 a1716 2network
d1718 4 a1721 4Network operations.
d1725 2 a1726 2update
d1728 35 a1762 4Dynamic updates.
d1766 2 a1767 2update-security
d1769 5 a1773 4Approval and denial of update requests.
d1777 2 a1778 2queries
d1780 20 a1799 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE
(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1803 2 a1804 2query-errors
d1806 6 a1811 5Information about queries that resulted in some failure.
d1815 2 a1816 2dispatch
d1818 7 a1824 5Dispatching of incoming packets to the server modules where they are to be processed.
d1828 2 a1829 2dnssec
d1831 4 a1834 4DNSSEC and TSIG protocol processing.
d1838 2 a1839 2lame-servers
d1841 6 a1846 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1850 2 a1851 2delegation-only
d1853 9 a1861 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1865 2 a1866 2edns-disabled
d1868 4 a1871 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1875 2 a1876 2RPZ
d1878 4 a1881 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1885 2 a1886 2rate-limit
d1888 4 a1891 20The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1895 2 a1896 2cname
d1898 4 a1901 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1906 1 a1906 1 d1910 1 a1910 1 The query-errors category is d1915 1 a1915 1 with debug levels. d1978 2 a1979 2lwres { d2150 1 a2150 1 d2154 1 a2154 1 The lwres statement configures the d2157 2 a2158 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2162 1 a2162 1 The listen-on statement specifies a d2173 1 a2173 1 The view statement binds this d2184 1 a2184 1 The search statement is equivalent to d2186 1 a2186 1 search statement in d2192 1 a2192 1 The ndots statement is equivalent to d2194 1 a2194 1 ndots statement in d2201 1 a2201 1 d2205 1 a2205 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2209 1 a2209 1d2211 1 a2211 1 masters Statement Definition and d2213 1 a2213 1d2223 1 a2223 1 This is the grammar of the options d2226 1 a2226 1masters d2215 2 a2216 2 multiple stub and slave zones in their masters or also-notify lists. d2219 1 a2219 1
options { d2267 2 d2274 1 d2351 1 a2351 1 [ fetches-per-zonenumber[(drop | fail)]; ] d2368 2 a2369 3 [ also-notify {ip_addr[portip_port] [dscpip_dscp] [keykeyname] ; [ip_addr[portip_port] [dscpip_dscp] [keykeyname] ; ... ] }; ] d2386 2 a2387 1 [ max-zone-ttlnumber; ] d2415 1 a2415 1 [ suffix IPv6-address; ] d2478 1 d2483 1 a2483 1d2485 1 a2485 1 options Statement Definition and d2488 1 a2488 1 The options statement sets up global d2492 1 a2492 1 once in a configuration file. If there is no options d2496 2 a2497 2d7946 2 a7947 2d4229 2 a4230 2
- attach-cache
d2509 2 a2510 2 The attach-cache option may also be specified in view d2512 1 a2512 1 global attach-cache option. d2517 1 a2517 1 When the named server configures d2528 1 a2528 1 the attach-cache as a global d2537 1 a2537 1 attach-cache option as a view A (or d2560 8 a2567 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2582 1 a2582 1- directory
d2597 1 a2597 1- geoip-directory
d2604 1 a2604 2 (For details, see the section called “acl Statement Definition and d2606 1 a2606 1 geoip ACL.) d2608 1 a2608 1- key-directory
d2619 1 a2619 1- managed-keys-directory
d2627 1 a2627 1 If named is not configured to use views, d2636 1 a2636 1- named-xfer
d2640 1 a2640 1 the pathname to the named-xfer d2642 1 a2642 1 named-xfer program is needed; d2645 1 a2645 1- tkey-gssapi-keytab
d2652 1 a2652 1- tkey-gssapi-credential
d2663 1 a2663 1 To use GSS-TSIG, tkey-domain must d2667 1 a2667 1- tkey-domain
d2670 2 a2671 2 generated with TKEY. When a client requests a TKEY exchange, d2678 1 a2678 1 In most cases, the domainname d2685 1 a2685 1- tkey-dhkey
d2690 1 a2690 1 of TKEY. The server must be d2696 1 a2696 1- cache-file
d2700 1 a2700 1- dump-file
d2704 1 a2704 1 rndc dumpdb. d2707 1 a2707 1- memstatistics-file
d2713 1 a2713 1- pid-file
d2720 1 a2720 1 name server. Specifying pid-file none disables the d2722 1 a2722 1 existing one will be removed. Note that none d2727 1 a2727 1- recursing-file
d2731 1 a2731 1 to do so with rndc recursing. d2734 1 a2734 1- statistics-file
d2737 1 a2737 1 to when instructed to do so using rndc stats. d2741 1 a2741 1 in the section called “The Statistics File”. d2743 1 a2743 1- bindkeys-file
d2746 3 a2748 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2752 1 a2752 1- secroots-file
d2756 1 a2756 1 rndc secroots. d2760 1 a2760 1- session-keyfile
d2763 2 a2764 2 session key generated by named for use by nsupdate -l. If not specified, the d2766 1 a2766 1 (See the section called “Dynamic Update Policies”, and in d2768 1 a2768 1 update-policy statement's d2772 1 a2772 1- session-keyname
d2777 1 a2777 1- session-keyalg
d2784 1 a2784 1- port
d2794 1 a2794 1- dscp
d2801 1 a2801 1- random-device
d2815 1 a2815 1 random-device option takes d2820 1 a2820 1- preferred-glue
d2825 3 a2827 1 The default is not to prefer any type (NONE). d2830 1 a2830 1 root-delegation-only d2876 1 a2876 1- disable-algorithms
d2881 1 a2881 1 Multiple disable-algorithms d2883 1 a2883 1 Only the best match disable-algorithms d2888 1 a2888 1 by the disable-algorithms will be treated d2892 1 a2892 1- disable-ds-digests
d2897 1 a2897 1 Multiple disable-ds-digests d2899 1 a2899 1 Only the best match disable-ds-digests d2904 1 a2904 1 by the disable-ds-digests will be treated d2908 1 a2908 1- dnssec-lookaside
d2911 1 a2911 1 When set, dnssec-lookaside provides the d2915 1 a2915 1 dnssec-lookaside, and the normal DNSSEC d2923 1 a2923 1 If dnssec-lookaside is set to d2929 1 a2929 1 If dnssec-lookaside is set to d2936 2 a2937 2 named will load that key at startup if dnssec-lookaside is set to d2942 1 a2942 1 from https://www.isc.org/solutions/dlv/. d2947 2 a2948 2 named. Relying on this is not recommended, however, as it requires named d2952 1 a2952 1 NOTE: named only loads certain specific d2958 1 a2958 1- dnssec-must-be-secure
d2962 1 a2962 1 then named will only accept answers if d2966 3 a2968 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2970 1 a2970 1- dns64
d2973 1 a2973 1 This directive instructs named to d2977 1 a2977 1 dns64 defines one DNS64 prefix. d2988 2 a2989 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2995 2 a2996 2 Each dns64 supports an optional clients ACL that determines which d3001 2 a3002 2 Each dns64 supports an optional mapped ACL that selects which d3011 1 a3011 1 exclude ACL allows specification d3015 1 a3015 1 name owns. If not defined, exclude d3019 1 a3019 1 A optional suffix can also d3027 2 a3028 2 If recursive-only is set to yes the DNS64 synthesis will d3030 1 a3030 1 is no. d3033 2 a3034 2 If break-dnssec is set to yes the DNS64 synthesis will d3037 1 a3037 1 is set to no (the default), the DO d3052 16 a3067 1- dnssec-update-mode
d3074 2 a3075 2 the section called “Dynamic Update Policies”), and if named has access to the d3077 1 a3077 1 named will automatically sign all new d3084 1 a3084 1 then named will sign all new or d3089 1 a3089 1 With either of these settings, named d3092 1 a3092 1 named. (A planned third option, d3098 1 a3098 1- max-zone-ttl
d3122 27 d3150 1 a3150 1- zone-statistics
d3156 3 a3158 3 zone-statistics terse or zone-statistics none in the zone statement). d3166 2 a3167 2 statistics-channel or using rndc stats, which d3169 2 a3170 2 in the statistics-file. See also the section called “The Statistics File”. d3174 1 a3174 1 of BIND 9, the zone-statistics d3185 1 a3185 1d3188 2 a3189 2d4189 2 a4190 2
- automatic-interface-scan
d3199 1 a3199 1 automatic-interface-scan to be d3203 1 a3203 1- allow-new-zones
d3206 2 a3207 2 added at runtime via rndc addzone or deleted via rndc delzone. d3210 1 a3210 1- auth-nxdomain
d3212 1 a3212 1 Ifyes, then the AA bit d3221 1 a3221 1- deallocate-on-exit
d3228 1 a3228 1- memstatistics
d3231 1 a3231 1 memstatistics-file at exit. d3236 1 a3236 1- dialup
d3248 1 a3248 1 happens in a short interval, once every heartbeat-interval and d3254 4 a3257 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3270 1 a3270 1 notify and also-notify. d3278 1 a3278 1 heartbeat-interval expires in d3291 1 a3291 1 when the heartbeat-interval d3299 4 a3302 4d3329 1 a3329 1 no (default)
d3349 1 a3349 1yes
d3369 1 a3369 1notify
d3389 1 a3389 1refresh
d3409 1 a3409 1passive
d3429 1 a3429 1notify-passive
d3451 1 a3451 1 dialup. d3454 1 a3454 1- fake-iquery
d3461 1 a3461 1- fetch-glue
d3472 1 a3472 1- flush-zones-on-shutdown
d3477 1 a3477 1 flush-zones-on-shutdownno. d3479 1 a3479 1- has-old-clients
d3485 3 a3487 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3489 1 a3489 1- host-statistics
d3496 1 a3496 1- maintain-ixfr-base
d3504 1 a3504 1 transfers, use provide-ixfrno. d3506 1 a3506 1- minimal-responses
d3515 1 a3515 1- multiple-cnames
d3523 1 a3523 1- notify
d3529 1 a3529 1 changes, see the section called “Notify”. The messages are d3534 1 a3534 1 also-notify option. d3542 1 a3542 1 servers explicitly listed using also-notify. d3546 2 a3547 2 The notify option may also be specified in the zone d3549 1 a3549 1 in which case it overrides the options notify statement. d3555 1 a3555 1- notify-to-soa
d3566 1 a3566 1- recursion
d3577 1 a3577 1 Note that setting recursion no does not prevent a3582 1 See also fetch-glue above. d3584 1 a3584 1- request-nsid
d3591 2 a3592 2 the resolver category at level info. d3595 1 a3595 1- request-sit
d3611 1 a3611 1 the nosit-udp-size option. d3613 10 a3622 1- sit-secret
d3632 1 a3632 1- rfc2308-type1
d3648 1 a3648 1- use-id-pool
d3654 1 a3654 1- use-ixfr
d3659 2 a3660 3 the information on the provide-ixfr option in the section called “server Statement Definition and d3663 1 a3663 1 the section called “Incremental Zone Transfers (IXFR)”. d3665 1 a3665 1- provide-ixfr
d3668 2 a3669 3 provide-ixfr in the section called “server Statement Definition and d3672 1 a3672 1- request-ixfr
d3675 2 a3676 3 request-ixfr in the section called “server Statement Definition and d3679 1 a3679 1- treat-cr-as-space
d3683 1 a3683 1 the server treat carriage return ("\r") characters the same way d3687 2 a3688 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3693 1 a3693 1 additional-from-auth, additional-from-cache d3728 1 a3728 1 Setting these options to no d3736 1 a3736 1 them to no without also d3738 1 a3738 1 recursion no will cause the d3743 1 a3743 1 Specifying additional-from-cache no actually d3763 1 a3763 1 referrals when additional-from-cache no d3771 1 a3771 1- match-mapped-addresses
d3784 1 a3784 1 named now solves this problem d3788 1 a3788 1- filter-aaaa-on-v4
d3799 3 a3801 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3806 1 a3806 1 the DNS client is at an IPv4 address, in filter-aaaa, d3839 1 a3839 1- filter-aaaa-on-v6
d3841 1 a3841 1 Identical to filter-aaaa-on-v4, d3846 1 a3846 1- ixfr-from-differences
d3870 3 a3872 3ixfr-from-differences also accepts master and slave at the view and options d3874 3 a3876 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3880 1 a3880 1
- multi-master
d3884 1 a3884 1 addresses refer to different machines. Ifyes, named will d3886 1 a3886 1 when the serial number on the master is less than what named d3890 41 a3930 1- dnssec-enable
d3933 1 a3933 1 records are to be returned by named. d3935 1 a3935 1 named will not return DNSSEC-related d3939 1 a3939 1- dnssec-validation
d3942 2 a3943 2 Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3951 2 a3952 2 a trusted-keys or managed-keys statement. The default d3961 1 a3961 1 dnssec-validation is off. d3965 1 a3965 1- dnssec-accept-expired
d3970 1 a3970 1 leaves named vulnerable to d3973 1 a3973 1- querylog
d3975 1 a3975 1 Specify whether query logging should be started when named d3977 1 a3977 1 If querylog is not specified, d3979 1 a3979 1 is determined by the presence of the logging category queries. d3981 1 a3981 1- check-names
d3990 5 a3994 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d4000 1 a4000 1check-names d4009 1 a4009 1
- check-dup-records
d4013 3 a4015 3 default is to warn. Other possible values are fail and ignore. d4017 1 a4017 1- check-mx
d4020 3 a4022 3 The default is to warn. Other possible values are fail and ignore. d4024 1 a4024 1- check-wildcard
d4031 1 a4031 1 affects master zones. The default (yes) is to check d4034 1 a4034 1- check-integrity
d4043 1 a4043 1 named-checkzone). d4046 2 a4047 2 checks use named-checkzone). The default is yes. d4057 1 a4057 1 check-spf. d4060 1 a4060 1- check-mx-cname
d4062 1 a4062 1 If check-integrity is set then d4064 1 a4064 1 to CNAMES. The default is to warn. d4066 1 a4066 1- check-srv-cname
d4068 1 a4068 1 If check-integrity is set then d4070 1 a4070 1 to CNAMES. The default is to warn. d4072 1 a4072 1- check-sibling
d4075 1 a4075 1 sibling glue exists. The default is yes. d4077 1 a4077 1- check-spf
d4079 1 a4079 1 If check-integrity is set then d4083 1 a4083 1 warn. d4085 1 a4085 1- zero-no-soa-ttl
d4090 1 a4090 1 The default is yes. d4092 1 a4092 1- zero-no-soa-ttl-cache
d4096 1 a4096 1 The default is no. d4098 1 a4098 1- update-check-ksk
d4113 1 a4113 1 similar to the dnssec-signzone -z d4125 1 a4125 1- dnssec-dnskey-kskonly
d4128 1 a4128 1 When this option and update-check-ksk d4135 1 a4135 1 dnssec-signzone -x command line option. d4138 2 a4139 2 The default is no. If update-check-ksk is set to d4143 1 a4143 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- try-tcp-refresh
d4147 1 a4147 1 yes. d4149 1 a4149 1- dnssec-secure-to-insecure
d4154 2 a4155 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d4168 1 a4168 1 auto-dnssec maintain and the d4171 1 a4171 1 next time named is started. d4176 1 a4176 1
- forward
d4202 1 a4202 1- forwarders
d4214 2 a4215 3 or have a different forward only/first behavior, or not forward at all, see the section called “zone d4219 1 a4219 1d5004 2 a5005 2 example, 1G can be used instead of 1073741824 to specify a limit of d5007 1 a5007 1 gigabyte. unlimited requests d5009 1 a5009 1 maximum available amount. default d5012 1 a5012 1 of size_spec in the section called “Configuration File Elements”. d5022 2 a5023 2
- dual-stack-servers
d4237 1 a4237 1 stacked, then the dual-stack-servers have no effect unless d4239 1 a4239 1 (e.g. named -4). d4243 1 a4243 1d4248 1 a4248 1 of the requesting system. See the section called “Address Match Lists” for d4251 2 a4252 2d4492 1 a4492 1 from may be specified using the listen-on option. listen-on takes d4500 1 a4500 1 Multiple listen-on statements are d4513 1 a4513 1 If no listen-on is specified, the d4517 1 a4517 1 The listen-on-v6 option is used to d4528 1 a4528 1 listen-on-v6 option, d4543 1 a4543 1 IPv4 addresses specified in listen-on-v6 d4547 1 a4547 1 Multiple listen-on-v6 options can d4566 1 a4566 1
- allow-notify
d4257 1 a4257 1 allow-notify may also be d4259 1 a4259 1 zone statement, in which case d4261 1 a4261 1 options allow-notify d4267 1 a4267 1- allow-query
d4271 2 a4272 2 DNS questions. allow-query may also be specified in the zone d4274 1 a4274 1 options allow-query statement. d4281 1 a4281 1 allow-query-cache is now d4286 1 a4286 1- allow-query-on
d4296 1 a4296 1 Note that allow-query-on is only d4298 1 a4298 1 allow-query. A query must be d4302 2 a4303 2 allow-query-on may also be specified in the zone d4305 1 a4305 1 options allow-query-on statement. d4314 1 a4314 1 allow-query-cache is d4319 1 a4319 1- allow-query-cache
d4322 7 a4328 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4330 1 a4330 1- allow-query-cache-on
d4335 2 a4336 2 localnets and localhost. d4338 1 a4338 1- allow-recursion
d4342 3 a4344 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4346 2 a4347 2 (localnets; localhost;) is used. d4349 1 a4349 1- allow-recursion-on
d4355 1 a4355 1- allow-update
d4362 1 a4362 1 the section called “Dynamic Update Security” for details. d4364 1 a4364 1- allow-update-forwarding
d4388 1 a4388 1 access control to attacks; see the section called “Dynamic Update Security” d4392 1 a4392 1- allow-v6-synthesis
d4402 1 a4402 1- allow-transfer
d4405 2 a4406 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4408 1 a4408 1 case it overrides the options allow-transfer statement. d4412 1 a4412 1- blackhole
d4420 1 a4420 1- filter-aaaa
d4423 1 a4423 1 filter-aaaa-on-v4 d4426 1 a4426 1- no-case-compress
d4431 1 a4431 1 used when named needs to work with d4438 1 a4438 1 none: case-insensitive compression d4462 1 a4462 1 There are circumstances in which named d4477 1 a4477 1- resolver-query-timeout
d4487 1 a4487 1d4571 1 a4571 1 query other name servers. query-source specifies d4573 3 a4575 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4579 1 a4579 1 If port is * or is omitted, d4583 2 a4584 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4586 2 a4587 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4590 2 a4591 2 The defaults of the query-source and query-source-v6 options d4598 3 a4600 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4604 1 a4604 1 named will use the corresponding system d4617 2 a4618 2 changed while named is running; the new range will automatically be applied when named d4621 2 a4622 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4628 1 a4628 1 where named runs may prohibit the use d4630 1 a4630 1 named running without a root privilege d4639 2 a4640 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4648 1 a4648 1 the use-queryport-pool d4654 2 a4655 2 query-source or query-source-v6 options; d4658 2 a4659 2d4960 4 a4963 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4966 1 a4966 1 See the section called “Query Address” about how the d4976 1 a4976 1 from named will be in one d4981 3 a4983 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4991 3 a4993 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4998 1 a4998 1
- use-queryport-pool
d4663 1 a4663 1- queryport-pool-ports
d4667 1 a4667 1- queryport-pool-updateinterval
d4675 1 a4675 1 The address specified in the query-source option d4691 2 a4692 2 See also transfer-source and notify-source. d4696 1 a4696 1d4705 2 a4706 2d4910 1 a4910 1
- also-notify
d4717 1 a4717 1 also-notify address to send d4724 1 a4724 1 masters lists can be used. d4727 2 a4728 2 If an also-notify list is given in a zone statement, d4730 2 a4731 2 the options also-notify statement. When a zone notify d4733 2 a4734 2 is set to no, the IP addresses in the global also-notify list will d4740 1 a4740 1- max-transfer-time-in
d4747 1 a4747 1- max-transfer-idle-in
d4754 1 a4754 1- max-transfer-time-out
d4761 1 a4761 1- max-transfer-idle-out
d4768 1 a4768 1- serial-query-rate
d4777 1 a4777 1 serial-query-rate option, an d4786 1 a4786 1 serial-query-rate also controls d4791 1 a4791 1- serial-queries
d4793 1 a4793 1 In BIND 8, the serial-queries d4798 1 a4798 1 serial queries and ignores the serial-queries option. d4800 1 a4800 1 as defined using the serial-query-rate option. d4802 1 a4802 1- transfer-format
d4805 3 a4807 3 one-answer and many-answers. The transfer-format option is used d4809 1 a4809 1 one-answer uses one DNS message per d4811 1 a4811 1 many-answers packs as many resource d4813 1 a4813 1 many-answers is more efficient, but is d4817 1 a4817 1 The many-answers format is also supported by d4819 3 a4821 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4824 1 a4824 1- transfers-in
d4828 1 a4828 1 Increasing transfers-in may d4833 1 a4833 1- transfers-out
d4840 1 a4840 1- transfers-per-ns
d4846 1 a4846 1 Increasing transfers-per-ns d4850 3 a4852 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4854 1 a4854 1- transfer-source
d4856 1 a4856 1transfer-source d4866 1 a4866 1 allow-transfer option for the d4869 1 a4869 1 transfer-source for all zones, d4872 3 a4874 3 transfer-source statement within the view or zone block in the configuration d4885 1 a4885 1
- transfer-source-v6
d4887 1 a4887 1 The same as transfer-source, d4890 1 a4890 1- alt-transfer-source
d4894 2 a4895 2 transfer-source fails and use-alt-transfer-source is d4900 1 d4903 1 a4903 1 use-alt-transfer-source d4907 2 a4908 1- alt-transfer-source-v6
d4913 2 a4914 2 transfer-source-v6 fails and use-alt-transfer-source is d4917 1 a4917 1- use-alt-transfer-source
d4920 1 a4920 1 specified this defaults to no d4922 1 a4922 1 yes (for BIND 8 d4925 1 a4925 1- notify-source
d4927 1 a4927 1notify-source d4931 3 a4933 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4936 3 a4938 3 notify-source statement within the zone or view block in the configuration d4949 1 a4949 1
- notify-source-v6
d4951 1 a4951 1 Like notify-source, d4956 1 a4956 1d7610 1 a7610 1 The view statement is a powerful d7619 1 a7619 1 Each view statement defines a view d7625 1 a7625 1 match-clients clause and its d7629 1 a7629 1 match-destinations clause. If not d7631 1 a7631 1 match-clients and match-destinations d7634 2 a7635 2 match-clients and match-destinations can also take keys which provide an d7638 1 a7638 1 as match-recursive-only, which d7641 1 a7641 1 The order of the view statements is d7644 1 a7644 1 view that it matches. d7647 1 a7647 1 Zones defined within a view d7649 1 a7649 1 only be accessible to clients that match the view. d7656 2 a7657 2 Many of the options given in the options statement can also be used within a view d7661 1 a7661 1 value is given, the value in the options statement d7664 1 a7664 1 in the view statement; these d7666 1 a7666 1 take precedence over those in the options statement. d7674 1 a7674 1 If there are no view statements in d7678 1 a7678 1 in class IN. Any zone statements d7682 1 a7682 1 this default view, and the options d7684 2 a7685 2 apply to the default view. If any explicit view statements are present, all zone d7687 1 a7687 1 occur inside view statements. d7691 1 a7691 1 using view statements: d7726 1 a7726 1
- coresize
d5028 1 a5028 1- datasize
d5041 2 a5042 2 max-cache-size and recursive-clients d5045 1 a5045 1- files
d5050 1 a5050 1- stacksize
d5057 1 a5057 1d5065 2 a5066 2
- max-ixfr-log-size
d5070 1 a5070 1 max-journal-size performs a d5073 1 a5073 1- max-journal-size
d5076 1 a5076 1 (see the section called “The journal file”). When the journal file d5086 1 a5086 1- host-statistics-max
d5092 1 a5092 1- recursive-clients
d5102 1 a5102 1 recursive-clients option may d5123 1 a5123 1- tcp-clients
d5130 1 a5130 1 clients-per-query, max-clients-per-query d5137 1 a5137 1 before dropping additional clients. named will attempt to d5144 1 a5144 1 If the number of queries exceed this value, named will d5152 1 a5152 1 If clients-per-query is set to zero, d5157 1 a5157 1 If max-clients-per-query is set to zero, d5159 1 a5159 1 recursive-clients. d5163 1 a5163 1 fetches-per-zone d5197 1 a5197 1 If fetches-per-zone is set to zero, d5203 1 a5203 1 running rndc recursing. The list d5216 1 a5216 1 built with configure --enable-fetchlimit.) d5220 1 a5220 1 fetches-per-server d5243 1 a5243 1 If fetches-per-server is set to zero, d5248 1 a5248 1 The fetches-per-server quota is d5255 1 a5255 1 threshold, then fetches-per-server d5258 2 a5259 2 fetches-per-server is increased. The fetch-quota-params options d5265 1 a5265 1 built with configure --enable-fetchlimit.) d5268 1 a5268 1- fetch-quota-params
d5300 1 a5300 1 built with configure --enable-fetchlimit.) d5303 1 a5303 1- reserved-sockets
d5308 1 a5308 1 interfaces named listens on, tcp-clients as well as d5319 1 a5319 1- max-cache-size
d5337 1 a5337 1- tcp-listen-queue
d5351 1 a5351 1d5462 2 a5463 2 (but see the rrset-order statement in the section called “RRset Ordering”). d5474 1 a5474 1 The sortlist statement (see below) d5476 1 a5476 1 an address_match_list and d5478 1 a5478 1 more specifically than the topology d5480 3 a5482 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5485 1 a5485 1 an IP prefix, an ACL name or a nested address_match_list) d5497 2 a5498 2 treated the same as the address_match_list in a topology statement. Each top d5563 1 a5563 1
- cleaning-interval
d5359 1 a5359 1 from the cache every cleaning-interval minutes. d5366 1 a5366 1- heartbeat-interval
d5369 1 a5369 1 for all zones marked as dialup whenever this d5376 1 a5376 1- interface-interval
d5379 1 a5379 1 every interface-interval d5387 1 a5387 1 listen-on configuration), and d5391 1 a5391 1- statistics-interval
d5395 1 a5395 1 every statistics-interval d5410 1 a5410 1d5570 1 a5570 1 The rrset-order statement permits d5573 2 a5574 2 See also the sortlist statement, the section called “The sortlist Statement”. d5577 1 a5577 1 An order_spec is defined as d5587 3 a5589 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5592 1 a5592 1 The legal values for ordering are: d5596 2 a5597 2d5602 1 a5602 1 fixed
d5613 1 a5613 1random
d5623 1 a5623 1cyclic
d5654 1 a5654 1 If multiple rrset-order statements d5664 1 a5664 1 rrset-order statement does not support d5671 1 a5671 1d5674 2 a5675 2
- lame-ttl
d5692 1 a5692 1- max-ncache-ttl
d5695 1 a5695 1 the server stores negative answers. max-ncache-ttl is d5699 2 a5700 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5704 1 a5704 1- max-cache-ttl
d5714 1 a5714 1- min-roots
d5729 1 a5729 1- sig-validity-interval
d5734 1 a5734 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5751 1 a5751 1 The sig-validity-interval d5757 1 a5757 1- sig-signing-nodes
d5764 1 a5764 1- sig-signing-signatures
d5771 1 a5771 1- sig-signing-type
d5784 1 a5784 1 named to track the current state of d5788 2 a5789 2 rndc signing -listzone. Once named has finished signing d5793 1 a5793 1 rndc signing -clearkeyid/algorithmzone. d5796 1 a5796 1 rndc signing -clear allzone. d5800 1 a5800 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5824 4 a5827 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5831 1 a5831 1- edns-udp-size
d5843 1 a5843 1 edns-udp-size to a non-default value d5849 1 a5849 1 When named first queries a remote d5854 1 a5854 1 If the initial response times out, named d5858 1 a5858 1 successes using plain DNS, named d5860 1 a5860 1 with that server. (Periodically, named d5867 1 a5867 1 named will advertise progressively d5870 1 a5870 1 edns-udp-size is reached. d5873 1 a5873 1 The default buffer sizes used by named d5875 1 a5875 1 edns-udp-size. (The values 1232 and d5881 1 a5881 1- max-udp-size
d5885 1 a5885 1 named will send in bytes. d5893 1 a5893 1 edns-udp-size. d5897 1 a5897 1 max-udp-size to a non-default d5902 1 a5902 1 buffer (edns-udp-size). d5909 1 a5909 1- masterfile-format
d5913 1 a5913 1 the section called “Additional File Formats”). d5919 2 a5920 2 named-compilezone tool, or dumped by named. d5924 1 a5924 1textis loaded, named d5927 1 a5927 1 check-names checks do not apply d5931 1 a5931 1 specified in the named configuration d5938 1 a5938 1 masterfile-format for all zones, d5940 3 a5942 3 by including a masterfile-format statement within the zone or view block in the configuration d5947 1 a5947 1 max-recursion-depth d5960 1 a5960 1 max-recursion-queries d5971 1 a5971 1- notify-delay
d5979 1 a5979 1 zones is controlled by serial-query-rate. d5982 1 a5982 1- max-rsa-exponent-size
d5989 1 a5989 1- prefetch
d5993 1 a5993 1 is to expire shortly, named can d6016 1 a6016 1 if it isn't, named will silently d6023 1 a6023 1d6030 1 a6030 1 CHAOS class. These zones are part d6032 1 a6032 1 built-in view (see the section called “view Statement Grammar”) of d6034 3 a6036 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d6038 3 a6040 3 overridden: notify, recursion and allow-new-zones are d6042 1 a6042 1 rate-limit is set to allow d6047 1 a6047 1 below, or hide the built-in CHAOS d6049 1 a6049 1 defining an explicit view of class CHAOS d6052 2 a6053 2
- version
d6057 1 a6057 1 with type TXT, class CHAOS. d6059 1 a6059 1 Specifying version none d6062 1 a6062 1- hostname
d6066 1 a6066 1 with type TXT, class CHAOS. d6072 1 a6072 1 answering your queries. Specifying hostname none; d6075 1 a6075 1- server-id
d6080 1 a6080 1 TXT, class CHAOS. d6083 1 a6083 1 answering your queries. Specifying server-id none; d6085 1 a6085 1 Specifying server-id hostname; will cause named to d6087 1 a6087 1 The default server-id is none. d6091 1 a6091 1d6114 98 a6211 98d6497 1 a6497 1 response-policy option for the view or among the d6502 3 a6504 1 allow-query { localhost; };. d6507 1 a6507 1 A response-policy option can support d6512 1 a6512 1 in a single response-policy option; more d6518 2 a6519 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
d6238 1 d6243 4 a6246 3
- empty-server
d6252 1 a6252 1- empty-contact
d6258 1 a6258 1- empty-zones-enable
d6263 1 a6263 1- disable-empty-zone
d6270 1 a6270 1d6274 1 a6274 1 The additional section cache, also called acache, d6279 1 a6279 1 Note that acache is an internal caching d6294 3 a6296 3 additional-from-cache to no is recommended, since the current implementation of acache d6301 1 a6301 1 One obvious disadvantage of acache is d6306 3 a6308 3 acache mechanism can be disabled by setting acache-enable to no. d6311 1 a6311 1 for acache by using max-acache-size. d6316 2 a6317 2 Without acache, cyclic order is effective for the additional d6322 1 a6322 1 setting of rrset-order. d6331 1 a6331 1 acache. d6333 2 a6334 2d6371 1 a6371 1 deny-answer-addresses option. d6376 1 a6376 1 deny-answer-aliases option, where d6380 1 a6380 1 with except-from, records whose query name d6384 1 a6384 1 corresponding zone, the deny-answer-aliases d6387 1 a6387 1 deny-answer-aliases, d6395 1 a6395 1 deny-answer-addresses option, only d6416 1 a6416 1 d6450 1 a6450 1 matches the except-from element, d6484 1 a6484 1
- RPZ-CLIENT-IP
d6526 1 a6526 1 rpz-client-ip relativized to the d6553 1 a6553 1- QNAME
d6561 1 a6561 1- RPZ-IP
d6566 1 a6566 1 subdomains of rpz-ip. d6568 1 a6568 1- RPZ-NSDNAME
d6574 1 a6574 1 rpz-nsdname relativized d6580 1 a6580 1- RPZ-NSIP
d6583 1 a6583 1 subdomains of rpz-nsip. d6585 2 a6586 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6597 1 a6597 1 DISABLED actions) must be chosen. d6601 3 a6603 3
- Choose the triggered record in the zone that appears first in the response-policy option. d6605 1 a6605 1
- Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP d6608 1 a6608 1
- Among NSDNAME triggers, prefer the d6611 1 a6611 1
- Among IP or NSIP triggers, prefer the trigger d6614 1 a6614 1
- Among triggers with the same prefix length, d6633 2 a6634 2 For example, while the TCP-only policy is commonly used with client-IP triggers, d6638 2 a6639 2
d6865 2 a6866 2 rate-limit clause in an options or view statement. d6893 1 a6893 1 the window option to any value from d6897 1 a6897 1 or more negative than window d6908 2 a6909 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6914 1 a6914 1 with responses-per-second d6919 2 a6920 2 nodata-per-second (default responses-per-second). d6924 2 a6925 2 They are limited by nxdomains-per-second (default base responses-per-second). d6932 2 a6933 2 referrals-per-second (default responses-per-second). d6947 1 a6947 1 responses-per-second value, d6949 1 a6949 1 errors-per-second. d6959 1 a6959 1 Setting slip to 2 (its default) causes every d6965 1 a6965 1 slip must be between 0 and 10. d6973 1 a6973 1 leaked at the slip rate. d6984 1 a6984 1 slip to 1, causing all rate-limited d6990 6 a6995 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6998 1 a6998 1 qps-scale 250; responses-per-second 20; and d7009 2 a7010 2 rate-limit statements in view statements instead of the global option d7012 2 a7013 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d7016 1 a7016 1 with the exempt-clients clause. d7020 1 a7020 1 all-per-second phrase. d7022 3 a7024 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d7029 2 a7030 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d7032 1 a7032 1 An all-per-second limit should be d7040 1 a7040 1 records as it considers the STMP Mail From d7044 1 a7044 1 All-per-second is similar to the d7056 1 a7056 1 rate limit responses is set with max-table-size. d7062 1 a7062 1 min-table-size (default 500) d7064 1 a7064 1 Enable rate-limit category logging to monitor d7069 1 a7069 1 Use log-only yes to test rate limiting parameters d7074 1 a7074 1 RateDropped and QryDropped d7077 1 a7077 1 RateSlipped and RespTruncated. d7081 1 a7081 1
- PASSTHRU
d6642 1 a6642 1 by a CNAME whose target is rpz-passthru. d6647 1 a6647 1- DROP
d6650 1 a6650 1 by a CNAME whose target is rpz-drop. d6654 1 a6654 1- TCP-Only
d6657 1 a6657 1 by a CNAME whose target is rpz-tcp-only. d6662 1 a6662 1- NXDOMAIN
d6667 1 a6667 1- NODATA
d6674 1 a6674 1- Local Data
d6696 2 a6697 2 can be overridden with a policy clause in the response-policy option. d6702 2 a6703 2
- GIVEN
d6707 1 a6707 1- DISABLED
d6720 1 a6720 1 PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA d6725 1 a6725 1- CNAME domain
d6738 1 a6738 1 with a recursive-only no clause. d6750 1 a6750 1 break-dnssec yes clause. In that case, RPZ d6767 1 a6767 1 The qname-wait-recurse no option d6775 1 a6775 1 DNSSEC requests (DO=1) unless break-dnssec yes d6786 1 a6786 1 The max-policy-ttl clause changes that d6856 1 a6856 1 RPZRewrites statistics. d6859 1 a6859 1serverip_addr[/prefixlen]{ a7091 1 [ nosit-udp-sizenumber; ] d7110 1 a7110 1d7112 1 a7112 1 server Statement Definition and d7115 1 a7115 1 The server statement defines d7124 1 a7124 1 The server statement can occur at d7126 1 a7126 1 configuration file or inside a view d7128 2 a7129 2 If a view statement contains one or more server statements, only d7132 1 a7132 1 If a view contains no server d7134 1 a7134 1 any top-level server statements are d7142 1 a7142 1 value of bogus is no. d7145 1 a7145 1 The provide-ixfr clause determines d7150 1 a7150 1 If set to yes, incremental transfer d7152 1 a7152 1 whenever possible. If set to no, d7156 1 a7156 1 of the provide-ixfr option in the d7161 1 a7161 1 The request-ixfr clause determines d7165 1 a7165 1 value of the request-ixfr option in d7176 3 a7178 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d7185 1 a7185 1 The edns clause determines whether d7187 1 a7187 1 with the remote server. The default is yes. d7190 2 a7191 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named d7200 1 a7200 1 server; named will not deviate from d7202 3 a7204 3 edns-udp-size in options or view statements, where it specifies a maximum value. The server statement d7206 1 a7206 1 options/view behavior in future releases.) d7209 2 a7210 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d7214 1 a7214 8 replies from named.The nosit-udp-size option sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. The command max-udp-size option may further limit the response size. d7217 3 a7219 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d7223 3 a7225 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d7227 1 a7227 1 by the options statement will be d7230 1 a7230 1
transfers d7233 1 a7233 1 transfers clause is specified, the d7235 1 a7235 1 transfers-per-ns option. d7238 3 a7240 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d7252 2 a7253 2 The transfer-source and transfer-source-v6 clauses specify d7257 1 a7257 1 For an IPv4 remote server, only transfer-source can d7260 1 a7260 1 transfer-source-v6 can be d7263 3 a7265 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d7268 2 a7269 2 The notify-source and notify-source-v6 clauses specify the d7272 1 a7272 1 IPv4 remote server, only notify-source d7274 1 a7274 1 only notify-source-v6 can be specified. d7277 2 a7278 2 The query-source and query-source-v6 clauses specify the d7281 1 a7281 1 remote server, only query-source can d7283 1 a7283 1 only query-source-v6 can be specified. d7286 1 a7286 1 The request-nsid clause determines d7289 1 a7289 1 request-nsid set at the view or d7293 1 a7293 1 The request-sit clause determines d7296 1 a7296 1 request-sit set at the view or d7302 1 a7302 1
statistics-channels { d7312 1 a7312 1d7314 1 a7314 1 statistics-channels Statement Definition and d7317 1 a7317 1 The statistics-channels statement d7328 1 a7328 1 statistics-channels statement is d7333 4 a7336 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*d7341 1 a7341 1 use an ip_addr of::. d7346 1 a7346 1 ip_port. d7350 1 a7350 1 restricted by the optional allow clause. d7352 3 a7354 3 address_match_list. If no allow clause is present, named accepts connection d7361 2 a7362 2 If no statistics-channels statement is present, named will not open any communication channels. d7369 2 a7370 2 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is d7379 1 a7379 1 http://127.0.0.1:8888/xml/v2 for version 2 d7381 1 a7381 1 http://127.0.0.1:8888/xml/v3 for version 3. d7388 1 a7388 1 http://127.0.0.1:8888/xml/v3/status d7390 1 a7390 1 http://127.0.0.1:8888/xml/v3/server d7392 1 a7392 1 http://127.0.0.1:8888/xml/v3/zones d7394 1 a7394 1 http://127.0.0.1:8888/xml/v3/net d7396 1 a7396 1 http://127.0.0.1:8888/xml/v3/mem d7398 1 a7398 1 http://127.0.0.1:8888/xml/v3/tasks d7403 1 a7403 1 http://127.0.0.1:8888/json, d7405 1 a7405 1 http://127.0.0.1:8888/json/v1/status d7407 1 a7407 1 http://127.0.0.1:8888/json/v1/server d7409 1 a7409 1 http://127.0.0.1:8888/json/v1/zones d7411 1 a7411 1 http://127.0.0.1:8888/json/v1/net d7413 1 a7413 1 http://127.0.0.1:8888/json/v1/mem d7415 1 a7415 1 http://127.0.0.1:8888/json/v1/tasks d7419 1 a7419 1trusted-keys { d7428 1 a7428 1d7430 1 a7430 1 trusted-keys Statement Definition d7433 2 a7434 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d7445 1 a7445 1 trusted-keys are deemed to exist regardless d7447 1 a7447 1 trusted-keys only those keys are d7452 1 a7452 1 The trusted-keys statement can contain d7461 1 a7461 1 trusted-keys may be set at the top level d7468 1 a7468 1managed-keys { d7477 1 a7477 1d7479 1 a7479 1 managed-keys Statement Definition d7482 2 a7483 2 The managed-keys statement, like trusted-keys, defines DNSSEC d7485 1 a7485 1 managed-keys can be kept up to date d7493 1 a7493 1 trusted-keys statement would be d7497 1 a7497 1 trusted-keys statement with the new key. d7501 1 a7501 1 managed-keys statement instead, then the d7503 2 a7504 2 named would store the stand-by key, and when the original key was revoked, named d7511 1 a7511 1 A managed-keys statement contains a list of d7516 1 a7516 1 This means the managed-keys statement must d7522 2 a7523 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d7526 1 a7526 1 keys listed in a trusted-keys continue to be d7529 1 a7529 1 in a managed-keys statement is only trusted d7535 1 a7535 1 The first time named runs with a managed key d7538 1 a7538 1 using the key specified in the managed-keys d7543 2 a7544 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d7547 1 a7547 1 key specified in the managed-keys is not d7552 1 a7552 1 The next time named runs after a name d7554 1 a7554 1 managed-keys statement, the corresponding d7560 3 a7562 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d7574 1 a7574 1 seconds. So, whenever named is using d7578 1 a7578 1 named.) d7581 2 a7582 2 If the dnssec-validation option is set toauto, named d7584 1 a7584 1 root zone. Similarly, if the dnssec-lookaside d7586 1 a7586 1 named will automatically initialize d7589 2 a7590 2 maintenance process is built into named, and can be overridden from bindkeys-file. d7593 1 a7593 1viewview_named7606 1 a7606 1d7728 1 a7728 1 zone d7730 1 a7730 1zonezone_name[class] { d7740 3 a7742 2 [ also-notify {ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] a7801 1 [dscpip_dscp] d7886 1 a7886 1 [ zone-statisticsyes_or_no; ] d7900 1 a7900 1 [ zone-statisticsyes_or_no; ] d7928 1 a7928 1d7974 1 a7974 1 zone. The masters list d8089 2 a8090 2 server-addresses and server-names zone options. d8096 1 a8096 1 databases by rndc dumpdb -all. d8127 4 a8130 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d8134 1 a8134 1 name. If no forwarders d8136 1 a8136 1 an empty list for forwarders is given, then no d8139 1 a8139 1 any forwarders in the options statement. Thus d8142 1 a8142 1 global forward option d8184 1 a8184 1 per view. allow-query can be d8221 1 a8221 1 rndc reload d8224 1 a8224 1 rndc reload without specifying d8252 1 a8252 1 See caveats in root-delegation-only. d8259 1 a8259 1 d8281 1 a8281 1 d9167 1 a9167 1 in-view zone option provides an efficient d9190 1 a9190 1 An in-view option cannot refer to a view d9194 4 a9197 4 A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control d9209 1 a9209 1 An in-view zone cannot be used as a d9213 2 a9214 2 An in-view zone is not intended to reference a forward zone. d9219 1 a9219 1 d9243 1 a9243 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d9250 2 a9251 2
- allow-notify
d8288 1 a8288 1 allow-notify in the section called “Access Control”. d8290 1 a8290 1- allow-query
d8293 1 a8293 1 allow-query in the section called “Access Control”. d8295 1 a8295 1- allow-query-on
d8298 1 a8298 1 allow-query-on in the section called “Access Control”. d8300 1 a8300 1- allow-transfer
d8302 2 a8303 2 See the description of allow-transfer in the section called “Access Control”. d8305 1 a8305 1- allow-update
d8307 2 a8308 2 See the description of allow-update in the section called “Access Control”. d8310 1 a8310 1- update-policy
d8313 1 a8313 1 the section called “Dynamic Update Policies”. d8315 1 a8315 1- allow-update-forwarding
d8317 2 a8318 2 See the description of allow-update-forwarding in the section called “Access Control”. d8320 1 a8320 1- also-notify
d8322 1 a8322 1 Only meaningful if notify d8331 1 a8331 1 with also-notify. A port d8333 1 a8333 1 with each also-notify d8339 1 a8339 1 also-notify is not d8343 1 a8343 1- check-names
d8349 3 a8351 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d8353 1 a8353 1- check-mx
d8356 1 a8356 1 check-mx in the section called “Boolean Options”. d8358 1 a8358 1- check-spf
d8361 1 a8361 1 check-spf in the section called “Boolean Options”. d8363 1 a8363 1- check-wildcard
d8366 1 a8366 1 check-wildcard in the section called “Boolean Options”. d8368 1 a8368 1- check-integrity
d8371 1 a8371 1 check-integrity in the section called “Boolean Options”. d8373 1 a8373 1- check-sibling
d8376 1 a8376 1 check-sibling in the section called “Boolean Options”. d8378 1 a8378 1- zero-no-soa-ttl
d8381 1 a8381 1 zero-no-soa-ttl in the section called “Boolean Options”. d8383 1 a8383 1- update-check-ksk
d8386 1 a8386 1 update-check-ksk in the section called “Boolean Options”. d8388 1 a8388 1- dnssec-update-mode
d8391 1 a8391 2 dnssec-update-mode in the section called “options Statement Definition and d8394 1 a8394 1- dnssec-dnskey-kskonly
d8397 2 a8398 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d8400 1 a8400 1- try-tcp-refresh
d8403 1 a8403 1 try-tcp-refresh in the section called “Boolean Options”. d8405 6 a8410 1- database
d8414 1 a8414 1 zone data. The string following the database keyword d8436 1 a8436 1- dialup
d8439 1 a8439 1 dialup in the section called “Boolean Options”. d8441 1 a8441 1- delegation-only
d8450 1 a8450 1 See caveats in root-delegation-only. d8453 1 a8453 1- forward
d8456 1 a8456 1 list. The only value causes d8458 1 a8458 1 after trying the forwarders and getting no answer, while first would d8461 1 a8461 1- forwarders
d8464 1 a8464 1 If it is not specified in a zone of type forward, d8468 1 a8468 1- ixfr-base
d8480 1 a8480 1- ixfr-tmp-file
d8485 1 a8485 1- journal
d8489 1 a8489 1 This is applicable to master and slave zones. d8491 1 a8491 1- max-journal-size
d8494 1 a8494 1 max-journal-size in the section called “Server Resource Limits”. d8496 1 a8496 1- max-transfer-time-in
d8499 1 a8499 1 max-transfer-time-in in the section called “Zone Transfers”. d8501 1 a8501 1- max-transfer-idle-in
d8504 1 a8504 1 max-transfer-idle-in in the section called “Zone Transfers”. d8506 1 a8506 1- max-transfer-time-out
d8509 1 a8509 1 max-transfer-time-out in the section called “Zone Transfers”. d8511 1 a8511 1- max-transfer-idle-out
d8514 1 a8514 1 max-transfer-idle-out in the section called “Zone Transfers”. d8516 1 a8516 1- notify
d8519 1 a8519 1 notify in the section called “Boolean Options”. d8521 1 a8521 1- notify-delay
d8524 1 a8524 1 notify-delay in the section called “Tuning”. d8526 1 a8526 1- notify-to-soa
d8529 2 a8530 2 notify-to-soa in the section called “Boolean Options”. d8532 1 a8532 1- pubkey
d8541 1 a8541 1- zone-statistics
d8543 4 a8546 5 Ifyes, the server will keep statistical information for this zone, which can be dumped to the statistics-file defined in the server options. d8548 1 a8548 1- server-addresses
d8562 1 a8562 1 in a server-addresses option, d8577 1 a8577 1- server-names
d8585 1 a8585 1 named needs to send queries to d8593 1 a8593 1 server-names option, but d8603 1 a8603 1 in a server-names option, d8620 1 a8620 1- sig-validity-interval
d8623 1 a8623 1 sig-validity-interval in the section called “Tuning”. d8625 1 a8625 1- sig-signing-nodes
d8628 1 a8628 1 sig-signing-nodes in the section called “Tuning”. d8630 1 a8630 1- sig-signing-signatures
d8633 1 a8633 1 sig-signing-signatures in the section called “Tuning”. d8635 1 a8635 1- sig-signing-type
d8638 1 a8638 1 sig-signing-type in the section called “Tuning”. d8640 1 a8640 1- transfer-source
d8643 1 a8643 1 transfer-source in the section called “Zone Transfers”. d8645 1 a8645 1- transfer-source-v6
d8648 1 a8648 1 transfer-source-v6 in the section called “Zone Transfers”. d8650 1 a8650 1- alt-transfer-source
d8653 1 a8653 1 alt-transfer-source in the section called “Zone Transfers”. d8655 1 a8655 1- alt-transfer-source-v6
d8658 1 a8658 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d8660 1 a8660 1- use-alt-transfer-source
d8663 1 a8663 1 use-alt-transfer-source in the section called “Zone Transfers”. d8665 1 a8665 1- notify-source
d8668 1 a8668 1 notify-source in the section called “Zone Transfers”. d8670 1 a8670 1- notify-source-v6
d8673 1 a8673 1 notify-source-v6 in the section called “Zone Transfers”. d8676 1 a8676 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d8679 1 a8679 1 See the description in the section called “Tuning”. d8681 1 a8681 1- ixfr-from-differences
d8684 2 a8685 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d8690 7 a8696 1- key-directory
d8699 2 a8700 2 key-directory in the section called “options Statement Definition and d8703 8 a8710 63- auto-dnssec
Zones configured for dynamic DNS may also use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
- inline-signing
d8719 1 a8719 1- multi-master
d8721 2 a8722 2 See the description of multi-master in the section called “Boolean Options”. d8724 1 a8724 1- masterfile-format
d8726 2 a8727 2 See the description of masterfile-format in the section called “Tuning”. d8729 1 a8729 1- max-zone-ttl
d8731 2 a8732 3 See the description of max-zone-ttl in the section called “options Statement Definition and d8735 1 a8735 1- dnssec-secure-to-insecure
d8738 1 a8738 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8742 1 a8742 1d8748 2 a8749 2 allow-update and update-policy option, respectively. d8752 1 a8752 1 The allow-update clause works the d8758 1 a8758 1 The update-policy clause d8768 1 a8768 1 Rules are specified in the update-policy d8770 1 a8770 1 When the update-policy statement d8772 2 a8773 2 allow-update statement to be present. The update-policy statement d8778 1 a8778 1 There is a pre-defined update-policy d8780 1 a8780 1 update-policy local;. d8782 1 a8782 1 named to generate a TSIG session d8788 3 a8790 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8802 1 a8802 1 The command nsupdate -l sends update d8809 1 a8809 1 ( grant | deny )identitynametype[name] [types] d8864 2 a8865 2d8909 1 a8909 1 update-policy statement d8912 1 a8912 1 update-policy statement in d8932 1 a8932 1 name is a valid expansion of the wildcard. d9105 1 a9105 1 This rule allows named d9157 1 a9157 1 d9329 2 a9330 2 d9415 12 d9493 13 d9884 12 d10066 12 d10134 24 d10210 24 d10339 2 a10340 2 d10429 1 a10429 1 d10471 3 a10473 3 d10589 3 a10591 3 d10632 1 a10632 1 d10672 5 a10676 5 d10815 1 a10815 1 d10907 2 a10908 2 d10940 1 a10940 1 The $ORIGIN lines in the examples d10948 1 a10948 1 d10960 2 a10961 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d10963 1 a10963 1 d10974 1 a10974 1 d10978 1 a10978 1 Syntax: $ORIGIN d10982 1 a10982 1 $ORIGIN d10985 2 a10986 2 is an implicit $ORIGIN <
d11007 1 a11007 1 Syntax: $INCLUDE d11015 3 a11017 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d11022 1 a11022 1 revert to the values they had prior to the $INCLUDE once d11030 1 a11030 1 an $INCLUDE, but it is silent d11039 1 a11039 1 d11043 1 a11043 1 Syntax: $TTL d11053 1 a11053 1zone_name>. d10988 2 a10989 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d11003 1 a11003 1$TTL d11058 1 a11058 1
d11062 1 a11062 1 Syntax: $GENERATE d11071 1 a11071 1$GENERATE d11074 1 a11074 1 iterator. $GENERATE can be used to d11116 2 a11117 2
d11122 1 a11122 1 range
d11136 1 a11136 1lhs
d11141 1 a11141 1 to be created. Any single $ d11143 1 a11143 1 symbols within the lhs string d11147 4 a11150 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d11155 4 a11158 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d11164 3 a11166 3 (d), octal (o), hexadecimal (x or X d11168 1 a11168 1 (n or N\ d11170 3 a11172 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d11184 1 a11184 1 $$ is still recognized as d11191 1 a11191 1ttl
d11199 2 a11200 2class and ttl can be d11207 1 a11207 1
class
d11215 2 a11216 2class and ttl can be d11223 1 a11223 1
type
d11233 1 a11233 1rhs
d11237 1 a11237 1 rhs, optionally, quoted string. d11244 1 a11244 1 The $GENERATE directive is a BIND extension d11251 1 a11251 1d11269 1 a11269 1 directly into memory via the mmap() d11277 1 a11277 1 file by the named-compilezone command. d11280 2 a11281 2 masterfile-format option) when named dumps the zone contents after d11287 1 a11287 1 named-compilezone command. All d11290 1 a11290 1 named-compilezone command again. d11293 1 a11293 1 Note that map format is extremely d11311 1 a11311 1d12107 2 a12108 2d11329 2 a11330 2d11430 6 a11435 5 zone-statistics is set to yes. These statistics counters are shown with their zone and view names. In some cases the view names are omitted for the default view. d11438 4 d11445 1 a11445 1 by the statistics-file configuration option. d11447 1 a11447 1 when the statistics-channels statement d11449 1 a11449 1 (see the section called “statistics-channels Statement Grammar”.) d11451 3 a11453 3d11458 1 a11458 1 +++ Statistics Dump +++ (973798949) d11470 1 a11470 1 ++ Name Server Statistics ++ d11484 1 a11484 1 --- Statistics Dump --- (973798949) d11487 1 a11487 1d11511 3 a11513 3d11535 1 a11535 1 Requestv4
d11538 1 a11538 1RQ
d11549 1 a11549 1Requestv6
d11552 1 a11552 1RQ
d11563 1 a11563 1ReqEdns0
d11566 1 a11566 1d11576 1 a11576 1
ReqBadEDNSVer
d11579 1 a11579 1d11589 1 a11589 1
ReqTSIG
d11592 1 a11592 1d11602 1 a11602 1
ReqSIG0
d11605 1 a11605 1d11615 1 a11615 1
ReqBadSIG
d11618 1 a11618 1d11628 1 a11628 1
ReqTCP
d11631 1 a11631 1RTCP
d11641 1 a11641 1AuthQryRej
d11644 1 a11644 1RUQ
d11654 1 a11654 1RecQryRej
d11657 1 a11657 1RURQ
d11667 1 a11667 1XfrRej
d11670 1 a11670 1RUXFR
d11680 1 a11680 1UpdateRej
d11683 1 a11683 1RUUpd
d11693 1 a11693 1Response
d11696 1 a11696 1SAns
d11706 1 a11706 1RespTruncated
d11709 1 a11709 1d11719 1 a11719 1
RespEDNS0
d11722 1 a11722 1d11732 1 a11732 1
RespTSIG
d11735 1 a11735 1d11745 1 a11745 1
RespSIG0
d11748 1 a11748 1d11758 1 a11758 1
QrySuccess
d11761 1 a11761 1d11769 1 a11769 1 success counter d11777 1 a11777 1
QryAuthAns
d11780 1 a11780 1d11790 1 a11790 1
QryNoauthAns
d11793 1 a11793 1SNaAns
d11803 1 a11803 1QryReferral
d11806 1 a11806 1d11812 1 a11812 1 referral counter d11820 1 a11820 1
QryNxrrset
d11823 1 a11823 1d11829 1 a11829 1 nxrrset counter d11837 1 a11837 1
QrySERVFAIL
d11840 1 a11840 1SFail
d11850 1 a11850 1QryFORMERR
d11853 1 a11853 1SFErr
d11863 1 a11863 1QryNXDOMAIN
d11866 1 a11866 1SNXD
d11872 1 a11872 1 nxdomain counter d11880 1 a11880 1QryRecursion
d11883 1 a11883 1RFwdQ
d11890 1 a11890 1 recursion counter d11898 1 a11898 1QryDuplicate
d11901 1 a11901 1RDupQ
d11910 1 a11910 1 duplicate counter d11918 1 a11918 1QryDropped
d11921 1 a11921 1d11931 1 a11931 1 clients-per-query d11933 1 a11933 1 max-clients-per-query d11936 1 a11936 1 clients-per-query.) d11938 1 a11938 1 dropped counter d11946 1 a11946 1
QryFailure
d11949 1 a11949 1d11955 1 a11955 1 failure counter d11961 2 a11962 2 AuthQryRej and RecQryRej d11971 1 a11971 1
XfrReqDone
d11974 1 a11974 1d11984 1 a11984 1
UpdateReqFwd
d11987 1 a11987 1d11997 1 a11997 1
UpdateRespFwd
d12000 1 a12000 1d12010 1 a12010 1
UpdateFwdFail
d12013 1 a12013 1d12023 1 a12023 1
UpdateDone
d12026 1 a12026 1d12036 1 a12036 1
UpdateFail
d12039 1 a12039 1d12049 1 a12049 1
UpdateBadPrereq
d12052 1 a12052 1d12062 1 a12062 1
RateDropped
d12065 1 a12065 1d12075 1 a12075 1
RateSlipped
d12078 1 a12078 1d12088 1 a12088 1
RPZRewrites
d12091 1 a12091 1d12102 1 a12102 1
d12125 1 a12125 1 NotifyOutv4
d12135 1 a12135 1NotifyOutv6
d12145 1 a12145 1NotifyInv4
d12155 1 a12155 1NotifyInv6
d12165 1 a12165 1NotifyRej
d12175 1 a12175 1SOAOutv4
d12185 1 a12185 1SOAOutv6
d12195 1 a12195 1AXFRReqv4
d12205 1 a12205 1AXFRReqv6
d12215 1 a12215 1IXFRReqv4
d12225 1 a12225 1IXFRReqv6
d12235 1 a12235 1XfrSuccess
d12245 1 a12245 1XfrFail
d12256 1 a12256 1 d12261 3 a12263 3d12285 1 a12285 1 Queryv4
d12288 1 a12288 1SFwdQ
d12298 1 a12298 1Queryv6
d12301 1 a12301 1SFwdQ
d12311 1 a12311 1Responsev4
d12314 1 a12314 1RR
d12324 1 a12324 1Responsev6
d12327 1 a12327 1RR
d12337 1 a12337 1NXDOMAIN
d12340 1 a12340 1RNXD
d12350 1 a12350 1SERVFAIL
d12353 1 a12353 1RFail
d12363 1 a12363 1FORMERR
d12366 1 a12366 1RFErr
d12376 1 a12376 1OtherError
d12379 1 a12379 1RErr
d12389 1 a12389 1EDNS0Fail
d12392 1 a12392 1d12402 1 a12402 1
Mismatch
d12405 1 a12405 1RDupR
d12414 1 a12414 1 the port option.) d12422 1 a12422 1Truncated
d12425 1 a12425 1d12435 1 a12435 1
Lame
d12438 1 a12438 1RLame
d12448 1 a12448 1Retry
d12451 1 a12451 1SDupQ
d12461 1 a12461 1QueryAbort
d12464 1 a12464 1d12474 1 a12474 1
QuerySockFail
d12477 1 a12477 1d12490 1 a12490 1
QueryTimeout
d12493 1 a12493 1d12503 1 a12503 1
GlueFetchv4
d12506 1 a12506 1SSysQ
d12516 1 a12516 1GlueFetchv6
d12519 1 a12519 1SSysQ
d12529 1 a12529 1GlueFetchv4Fail
d12532 1 a12532 1d12542 1 a12542 1
GlueFetchv6Fail
d12545 1 a12545 1d12555 1 a12555 1
ValAttempt
d12558 1 a12558 1d12568 1 a12568 1
ValOk
d12571 1 a12571 1d12581 1 a12581 1
ValNegOk
d12584 1 a12584 1d12594 1 a12594 1
ValFail
d12597 1 a12597 1d12607 1 a12607 1
QryRTTnn
d12610 1 a12610 1d12616 1 a12616 1 Each nn specifies the corresponding d12619 2 a12620 2 nn_1, nn_2, d12622 2 a12623 2 nn_m, the value of nn_i is the d12625 2 a12626 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d12628 1 a12628 1 nn_0 to be 0. d12630 1 a12630 1 nn_m+, which means the d12632 1 a12632 1 nn_m milliseconds. d12639 1 a12639 1 d12645 6 a12650 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d12652 1 a12652 1 In the following table <TYPE> d12659 2 a12660 2
d12677 1 a12677 1 <TYPE>Open
d12683 1 a12683 1 FDwatch type. d12689 1 a12689 1<TYPE>OpenFail
d12695 1 a12695 1 FDwatch type. d12701 1 a12701 1<TYPE>Close
d12711 1 a12711 1<TYPE>BindFail
d12721 1 a12721 1<TYPE>ConnFail
d12731 1 a12731 1<TYPE>Conn
d12741 1 a12741 1<TYPE>AcceptFail
d12747 2 a12748 2 UDP and FDwatch types. d12754 1 a12754 1<TYPE>Accept
d12760 2 a12761 2 UDP and FDwatch types. d12767 1 a12767 1<TYPE>SendErr
d12773 2 a12774 2 to SErr counter of BIND 8. d12780 1 a12780 1<TYPE>RecvErr
d12794 1 a12794 1 d12799 2 a12800 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d12804 2 a12805 2d4137 1 a4137 1 Dual-stack Servers d4405 1 a4405 1 Interfaces d4564 1 a4564 1 the use-queryport-pool d4701 1 a4701 1 queries are issued at d4872 1 a4872 1 UDP Port Lists d4914 1 a4914 1 Operating System Resource Limits d5007 5 a5011 4
- RFwdR,SFwdR
d12808 1 a12808 1 because BIND 9 does not adopt d12810 1 a12810 1 as BIND 8 did. d12812 1 a12812 1- RAXFR
d12816 1 a12816 1- RIQ
d12820 1 a12820 1- ROpts
d12823 1 a12823 1 because BIND 9 does not care d12848 1 a12848 1BIND 9.10.3-P4
@ 1.7 log @Merge 9.10.3-P3: 4288. [bug] Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321] 4286. [security] render_ecs errors were mishandled when printing out a OPT record resulting in a assertion failure. (CVE-2015-8705) [RT #41397] 4285. [security] Specific APL data could trigger a INSIST. (CVE-2015-8704) [RT #41396] @ text @d17 1 a17 1 d12700 1 a12700 1BIND 9.10.3-P3
@ 1.6 log @merge conflicts @ text @d17 1 a17 1 d12700 1 a12700 1BIND 9.10.3-P2
@ 1.5 log @Changes for 9.10.2-P4: 4170. [security] An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. (CVE-2015-5986) [RT #40286] 4168. [security] A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys. (CVE-2015-5722) [RT #40212] @ text @d17 1 a17 1 d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d442 1 a442 1 for details on how they interpret its use. d461 1 a461 1defaultd790 1 a790 1 masters or d1164 2 a1165 2 algorithmstring; secretstring; d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2275 1 a2275 1ip_addr[portip_port] [dscpip_dscp]) ; d2323 1 a2323 1 [ address (ip6_addr|*) ] a2332 1 [ tcp-clientsnumber; ] d2335 6 a2422 2 [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] d2737 1 a2737 1 and dnssec-validation for details. d2990 1 a2990 1 IPv4 addresses are to be mapped in the corresponding d3123 1 a3123 1 As of BIND 9.10, d3533 1 a3533 1 NSID (Name Server Identifier) option is sent with all d3747 1 a3747 1 and if the response does not include DNSSEC signatures, d3759 2 a3760 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3832 5 a3836 2 Enable DNSSEC support in named. Unless set toyes, named behaves as if it does not support DNSSEC. d3840 2 a3841 1- d4093 1 a4093 1 Forwarding
d3854 11 a3864 1
d5043 174 d5245 1 a5245 1 Any positive values less than 2MB will be ignored d5260 1 a5260 1 be used; on most platforms this sets the listen queue d5267 1 a5267 1 Periodic Task Intervals a5860 34 clients-per-query, max-clients-per-query The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is d5014 2 a5015 2 bit of memory, on the order of 20 kilobytes, the value of the d5017 20 a5036 3 have to be decreased on hosts with limited memory.
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
d6275 1 a6275 1 Content Filtering d6398 1 a6398 1 Response Policy Zone (RPZ) Rewriting d6440 1 a6440 1 prefixlength.B4.B3.B2.B1.rpz-ip. d6449 1 a6449 1prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. d6451 5 a6455 3 representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. d6460 1 a6460 1 The IPv6 prefix length must be between 64 and 128. d6771 1 a6771 1 Response Rate Limiting d7006 1 a7006 1 [ keys{ string ; [ string ; [...]] }; ] d7167 1 a7167 5 Although the grammar of the keys clause allows for multiple keys, only a single key per server is currently supported. d7208 1 a7208 1 option level. d7232 1 a7232 1 statistics-channels Statement Definition and d7289 2 a7290 2 included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into d7296 1 a7296 1 can request d7298 1 a7298 1 of the statistics XML schema or d7348 1 a7348 1 trusted-keys Statement Definition d7388 1 a7388 1 managed-keys Statement Grammar d7400 1 a7400 1 The managed-keys statement, like d7446 1 a7446 1named.conf, an initializing key listed d7526 1 a7526 1 view Statement Definition and Usage d7817 1 a7817 1 [ server-names { [namelist] }; ] d7848 1 a7848 1 zone Statement Definition and Usage d7851 1 a7851 1 Zone Types d8022 1 a8022 1 glue A or AAAA RRs d8106 1 a8106 1 that point to the desired addresses: d8114 1 a8114 1 "*.ES." instead of "*.". To redirect all d8169 1 a8169 1 Class d8191 1 a8191 1 Zone Options d8624 1 a8624 1 active. d8655 1 a8655 1 When set to d8952 1 a8952 1 and converts it machine.realm allowing the machine d8967 1 a8967 1 This rule takes a Windows machine principal d8986 1 a8986 1 and converts it machine.realm allowing the machine d9001 1 a9001 1 This rule takes a Kerberos machine principal d9113 1 a9113 1 Multiple views d9156 7 d9166 4 d9175 1 a9175 1 Zone File d9188 1 a9188 1 Resource Records d9357 52 d9448 14 d9506 48 d9579 13 d9646 28 d9687 85 d9799 26 d9838 12 d9914 12 d9945 12 d10091 13 d10116 48 d10288 1 a10288 1 Textual expression of RRs d10491 1 a10491 1 Discussion of MX Records d10746 1 a10746 1 Inverse Mapping in IPv4 d10807 1 a10807 1 Other Zone File Directives d10822 1 a10822 1 The @@ (at-sign) d10826 1 a10826 1 At the start of the zone file, it is the d10833 1 a10833 1 The $ORIGIN Directive d10862 1 a10862 1 The $INCLUDE Directive d10898 1 a10898 1 The $TTL Directive d10917 1 a10917 1 BIND Master File Extension: the $GENERATE Directive d11114 1 a11114 1 other formats. d11134 1 a11134 1 file by the named-compilezone command. d11156 1 a11156 1 Whilerawformat uses d11360 1 a11360 1 Name Server Statistics Counters d11956 1 a11956 1 Zone Maintenance Statistics Counters d12110 1 a12110 1 Resolver Statistics Counters d12493 1 a12493 1 Socket I/O Statistics Counters d12648 1 a12648 1 Compatibility with BIND 8 Counters d12700 1 a12700 1BIND 9.10.2-P4
@ 1.4 log @merge conflicts for bind-9.10.2-P3 to address CVE-2015-5477. @ text @d17 1 a17 1 d12153 1 a12153 1BIND 9.10.2-P3
@ 1.3 log @Merge changes. @ text @d17 1 a17 1 d12153 1 a12153 1BIND 9.10.2-P2
@ 1.2 log @security patch for bind from ISC (to 9.10.1-P2). Only the change to lib/dns/zone.c is security relevant Upstream changelog: --- 9.10.1-P2 released --- 4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344] 4027. [port] Net::DNS 0.81 compatibility. [RT #38165] @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar a894 5 Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.d1018 1 a1018 1 controls Statement Grammar d1142 1 a1142 1 include Statement Grammar d1147 1 a1147 1 include Statement Definition and d1162 1 a1162 1 key Statement Grammar d1171 1 a1171 1 key Statement Definition and Usage d1218 1 a1218 1 logging Statement Grammar d1242 1 a1242 1 logging Statement Definition and d1276 1 a1276 1 The channel Phrase d1884 11 d1900 1 a1900 1 The query-errors Category d2128 1 a2128 1 lwres Statement Grammar d2144 1 a2144 1 lwres Statement Definition and Usage d2195 1 a2195 1 masters Statement Grammar d2203 1 a2203 1 masters Statement Definition and d2213 1 a2213 1 options Statement Grammar d2453 12 a2464 10 zone
] d2780 7 d4076 1 a4076 1 Forwarding d4120 1 a4120 1 Dual-stack Servers d4388 1 a4388 1 Interfaces d4678 3 a4680 1 per second. The default is 20. d4855 1 a4855 1 UDP Port Lists d4897 1 a4897 1 Operating System Resource Limits d5058 1 a5058 1 Periodic Task Intervals d5539 1 a5539 1 Sets the initial advertised EDNS UDP buffer size in d5705 4 a5708 2 is terminated and returns SERVFAIL. The default is 50. d6100 1 a6100 1 Content Filtering d6223 1 a6223 1 Response Policy Zone (RPZ) Rewriting d6228 1 a6228 1 Responses can be changed to deny the existence of domains(NXDOMAIN), d6334 1 a6334 1zone_name; [ policygiven | disabled | passthru | drop | nxdomain | nodata | cnamedomain; ] [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] ; [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] [ break-dnssecyes_or_no; ] [ min-ns-dotsnumber; ] [ qname-wait-recurseyes_or_no; ] } ;d6594 1 a6594 1 Response Rate Limiting d6924 17 a6940 8 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted to the nearest value within it). This option is useful when you wish to advertises a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies. d7059 1 a7059 1 statistics-channels Statement Definition and d7175 1 a7175 1 trusted-keys Statement Definition d7215 1 a7215 1 managed-keys Statement Grammar d7353 1 a7353 1 view Statement Definition and Usage d7675 1 a7675 1 zone Statement Definition and Usage d7678 1 a7678 1 Zone Types d7996 1 a7996 1 Class d8018 1 a8018 1 Zone Options d8940 1 a8940 1 Multiple views d8991 1 a8991 1 Zone File d9004 1 a9004 1 Resource Records d9741 1 a9741 1 Textual expression of RRs d9944 1 a9944 1 Discussion of MX Records d10199 1 a10199 1 Inverse Mapping in IPv4 d10260 1 a10260 1 Other Zone File Directives d10275 1 a10275 1 The @@ (at-sign) d10286 1 a10286 1 The $ORIGIN Directive d10315 1 a10315 1 The $INCLUDE Directive d10351 1 a10351 1 The $TTL Directive d10370 1 a10370 1 BIND Master File Extension: the $GENERATE Directive d10813 1 a10813 1 Name Server Statistics Counters d11409 1 a11409 1 Zone Maintenance Statistics Counters d11563 1 a11563 1 Resolver Statistics Counters d11946 1 a11946 1 Socket I/O Statistics Counters d12101 1 a12101 1 Compatibility with BIND 8 Counters d12153 1 a12153 1d6347 1 a6347 1
- Among triggers with the same prefex length, d6351 1 a6351 1
BIND Version 9.10
@ 1.1 log @Initial revision @ text @d2 1 a2 1 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") d5 1 a5 1 - Permission to use, copy, modify, and distribute this software for any d17 1 a17 1 d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar a76 3statistics-channels Statement Grammar statistics-channels Statement Definition and Usage d80 8 a87 2trusted-keys Statement Grammar trusted-keys Statement Definition d90 1 a90 1 view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d199 13 d280 15 d427 16 a442 7 A number, the wordunlimited, or the worddefault.An
unlimitedsize_specrequests unlimited use, or the maximum available amount. Adefault size_specuses the limit that was in force when the server was started. d445 2 a446 2 Anumbercan optionally be followed by a scaling factor: d451 8 a458 3Gorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively. d461 2 a462 5 The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). Usingunlimitedis the best way to safely set a really large number. d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d557 2 a558 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d575 1 a575 1 lists. Similarly, the listen-on option will cause the d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d618 2 a619 1# This is a BIND comment as in common UNIX shells and perld625 1 a625 1 Definition and Usage a655 2a672 2
d789 3 a791 1 inclusion in stub and slave zone masters clauses. d808 11 d830 1 a830 1
server
d834 1 a834 2 sets certain configuration options on a per-server basis. d840 1 a840 1trusted-keys
d844 2 a845 1 defines trusted DNSSEC keys. d879 1 a879 1 acl Statement Grammar d935 3 a937 1 interfaces on the system. d949 3 d963 57 d1023 1 a1023 1 controls Statement Grammar d1025 2 a1026 1 [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} d1029 2 a1030 1 [ unixpathpermnumberownernumbergroupnumberkeys {key_list}; ] d1147 1 a1147 1 include Statement Grammar d1152 1 a1152 1 include Statement Definition and d1167 1 a1167 1 key Statement Grammar d1176 1 a1176 1 key Statement Definition and Usage d1223 1 a1223 1 logging Statement Grammar d1228 1 a1228 1 [ sizesize spec] d1247 1 a1247 1 logging Statement Definition and d1281 1 a1281 1 The channel Phrase d1382 3 d1446 1 a1446 1 pointless since syslog also prints d1468 4 a1471 5 syslog daemon; // send to syslog's daemon // facility severity info; // only send priority info // and higher }; d1474 6 a1479 8 file "named.run"; // write to named.run in // the working directory // Note: stderr is used instead // of "named.run" // if the server is started // with the '-f' option. severity dynamic; // log at the server's // current debug level d1483 4 a1486 3 stderr; // writes to stderr severity info; // only send priority info // and higher d1490 2 a1491 2 null; // toss anything sent to // this channel d1678 1 a1678 1 Messages that named was unable to determine the d1734 1 a1734 1 class and type. It also reports whether the d1737 5 a1741 3 EDNS was in use (E), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). d1745 4 a1748 1client 127.0.0.1#62536: query: www.example.com IN AAAA +SEd1751 4 a1754 1client ::1#62537: query: www.example.net IN AAAA -SEd1798 1 a1798 2 query those servers during resolution. d1808 5 a1812 5 Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration. d1840 1 a1840 1 Note: eventually named will have to stop d1850 39 d1894 1 a1894 1 The query-errors Category d1925 9 a1933 1fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]d2122 1 a2122 1 lwres Statement Grammar d2128 2 a2129 1 [ listen-on {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] d2138 1 a2138 1 lwres Statement Definition and Usage d2150 2 a2151 2 addresses (and ports) that this instance of a lightweight resolver daemon d2189 1 a2189 1 masters Statement Grammar d2191 2 a2192 1 mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; d2197 1 a2197 1 masters Statement Definition and d2201 2 a2202 1 multiple stub and slave zones. d2207 1 a2207 1 options Statement Grammar d2213 1 d2218 1 d2220 1 d2222 1 d2228 5 d2238 1 a2238 1 [ zone-statisticsyes_or_no; ] d2252 2 d2259 4 a2262 2 [ dnssec-validationyes_or_no; ] [ dnssec-lookasidedomaintrust-anchordomain; ] d2266 4 a2269 4 [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ dual-stack-servers [portip_port] { (domain_name[portip_port] |ip_addr[portip_port] ) ; d2273 1 d2280 2 d2293 4 d2300 1 d2305 3 a2307 2 [ listen-on [ portip_port] {address_match_list}; ] [ listen-on-v6 [ portip_port] {address_match_list}; ] d2309 2 a2310 1 [ port (ip_port|*) ] | d2312 2 a2313 1 [ port (ip_port|*) ] ) ; ] d2315 2 a2316 1 [ port (ip_port|*) ] | d2318 2 a2319 1 [ port (ip_port|*) ] ) ; ] d2322 1 a2322 1 [ queryport-pool-intervalnumber; ] d2337 4 a2340 4 [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] d2343 2 a2344 2 [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] d2346 3 a2348 1 [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] d2365 2 a2366 1 [ sig-validity-intervalnumber; ] d2380 1 d2386 13 d2402 1 d2405 4 a2408 1 [ disable-algorithmsdomain{algorithm; [algorithm; ] }; ] d2414 4 a2417 1 [ masterfile-format (text|raw) ; ] d2424 33 d2474 85 d2574 12 d2589 7 a2595 5 directory where the public and private key files should be found, if different than the current working directory. The directory specified must be an absolute path. d2597 17 d2623 7 d2635 9 a2643 7 and the credential is a Kerberos principal which the server can acquire through the default system key file, normally/etc/krb5.keytab. Normally this principal is of the form "dns/server.domain". To use GSS-TSIG, tkey-domain must also be set. d2652 1 a2652 1 will beclient specified part+ d2660 2 a2661 1 using GSS-TSIG, this variable must be defined. d2696 1 a2696 1 The pid-file is used by programs that want to send signals to d2721 41 d2798 3 a2800 1root-delegation-only d2803 2 a2804 2 Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional d2808 30 a2837 2 Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). d2846 2 a2847 1d2878 11 a2888 15 d2852 25 a2876 2 Only the most specific will be applied.
d2929 9 a2937 11 Specify hierarchies which must be or may not be secure (signed and validated). If When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal dnssec validation has left the key untrusted, the trust-anchor will be append to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS d2890 37 a2926 1
yes, then named will only accept answers if they are secure. Ifno, then normal dnssec validation applies allowing for insecure answers to be accepted. The specified domain must be under a trusted-key or dnssec-lookaside must be active. d2939 172 d3116 21 d3512 39 a3572 13zone-statistics d3694 2 a3695 1 If
yes, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics no in the zone statement). These statistics may be accessed using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.d3699 68 a3766 7 Enabling this option is sometimes useful on IPv6-enabled Linux systems, to work around a kernel quirk that causes IPv4 TCP connections such as zone transfers to be accepted on an IPv6 socket using mapped addresses, causing address match lists designed for IPv4 to fail to match. The use of this option for any other purpose is discouraged. d3771 8 a3778 7 When
yesand the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a non-incremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer. d3806 1 a3806 1 addresses refer to different machines. Ifyes, named will d3808 1 a3808 1 when the serial number on the master is less than what named d3814 2 a3815 2 Enable DNSSEC support in named. Unless set toyes, named behaves as if it does not support DNSSEC. d3820 1 a3820 1 Enable DNSSEC validation in named. d3823 9 a3831 1 The default isyes. d3837 3 a3839 1 Setting this option to "yes" leaves named vulnerable to replay attacks. d3843 1 a3843 1 Specify whether query logging should be started when named d3877 8 d3903 2 a3904 1d3945 8 d3967 45 d4013 12 a4024 7 When regenerating the RRSIGs following a UPDATE request to a secure zone, check the KSK flag on the DNSKEY RR to determine if this key should be used to generate the RRSIG. This flag is ignored if there are not DNSKEY RRs both with and without a KSK. The default is yes. d4032 25 d4061 1 a4061 1 Forwarding d4105 1 a4105 1 Dual-stack Servers d4180 6 d4304 65 d4373 1 a4373 1 Interfaces d4377 3 a4379 1 an optional port, and an d3916 12 a3927 1
address_match_list. d4403 2 a4404 2 listen for incoming queries sent using IPv6. d4427 2 a4448 7If no listen-on-v6 option is specified, the server will not listen on any IPv6 address unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default.
d4591 2 a4592 1d4653 20 a4672 13 d4599 13 a4611 1 quickly converge on stealth servers. If an also-notify list d4622 2 a4623 1
d4786 1 a4786 1 getting a answer back to the first refresh d4838 1 a4838 1 UDP Port Lists d4880 1 a4880 1 Operating System Resource Limits d4960 4 a4963 2 will be automatically removed. The default is Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20.
unlimited. d4996 1 a4996 1 interfaces named listens on, tcp-clients as well as d5012 6 a5017 5 reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. A value of 0 is special, meaning that records are purged from the cache only when their d5019 2 a5020 7 Another special keywordunlimitedmeans the maximum value of 32-bit unsigned integers (0xffffffff), which may not have the same effect as 0 on machines that support more than 32 bits of memory space. Any positive values less than 2MB will be ignored reset to 2MB. d5023 1 a5023 1 The default is 0. d5027 1 a5027 1 The listen queue depth. The default and minimum is 3. d5032 4 a5035 3 some data before being passed to accept. Values less than 3 will be silently raised. d5041 1 a5041 1 Periodic Task Intervals d5211 5 a5215 3 { localhost; // IF the local host { localnets; // THEN first fit on the 192.168.1/24; // following nets d5217 3 a5219 2 { 192.168.1/24; // IF on class C 192.168.1 { 192.168.1/24; // THEN use .1, or .2 or .3 d5221 3 a5223 2 { 192.168.2/24; // IF on class C 192.168.2 { 192.168.2/24; // THEN use .2, or .1 or .3 d5225 3 a5227 2 { 192.168.3/24; // IF on class C 192.168.3 { 192.168.3/24; // THEN use .3, or .1 or .2 d5229 2 a5230 1 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net d5343 4 a5346 2 appear, they are not combined — the last one applies. d5364 2 a5365 1d5423 1 a5423 1 is a optional second field which specifies how d5463 2 a5464 2 key signing records. The default is d5372 8 a5379 1
65535. d5470 16 d5510 8 d5520 49 a5568 10d5570 19 a5588 9 Sets the advertised EDNS UDP buffer size in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes.
d5598 2 a5599 1 Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. d5591 6 a5596 1
d5642 2 a5643 1 before dropping additional clients. named will attempt to d5650 1 a5650 1 If the number of queries exceed this value, named will d5668 23 d5692 11 d5704 4 a5707 2 The delay, in seconds, between sending sets of notify messages for a zone. The default is zero. d5709 32 d5755 12 a5766 6 default view of class IN; therefore, any global server options such as allow-query do not apply the these zones. If you feel the need to disable these zones, use the options d5805 1 a5805 1 Specifying server-id hostname; will cause named to d5820 5 a5824 4 these cover the reverse namespace for addresses from RFC 1918 and RFC 3330. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address. d5827 1 a5827 1 Named will attempt to determine if a built in zone already exists d5829 1 a5829 1 and will not create a empty zone in that case. d5835 82 d5921 2 d5926 1 d5960 1 a5960 1 root servers, this is all built in empty zones. This will d6079 67 a6145 8 Specifies d5603 8 a5610 3 standard textual representation. Files in other formats than
textare typically expected to be generated by the named-compilezone tool. d5620 6 a5625 1 file. This statement sets the d5632 2 a5633 1d7147 1 a7147 1 trusted-keys Statement Definition d7177 132 d7325 1 a7325 1 view Statement Definition and Usage d7414 2 a7415 1 // Provide recursive service to internal clients only. d7418 2 a7419 2 // Provide a complete view of the example.com zone // including addresses of internal hosts. d7427 2 a7428 1 // Match all clients not matched by the previous view. d7434 2 a7435 2 // Provide a restricted view of the example.com zone // containing only publicly accessible hosts. d7453 6 a7458 2 [ update-policy {statistics-channels { [ inet ( ip_addr | * ) [ port ip_port ] [allow {address_match_list} ]; ] [ inet ...; ] }; d6147 54 d6202 205 a6406 4d6408 37 a6444 5 The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server. d6446 1 a6446 8 This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error. d6448 105 a6552 9 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of::. d6554 14 a6567 4 If no port is specified, port 80 is used for HTTP channels. The asterisk "*" cannot be used for ip_port. d6569 7 a6575 11 The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately. d6577 217 a6793 3 If no statistics-channels statement is present, named will not open any communication channels. d6802 2 d6806 1 d6811 8 a6818 6 [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ query-source [ address (ip_addr|*) ] [ port (ip_port|*) ]; ] [ query-source-v6 [ address (ip_addr|*) ] [ port (ip_port|*) ]; ] d6821 1 a6821 1 [ queryport-pool-intervalnumber; ] d6881 3 a6883 2 the view or global options block is used as a default. d6906 1 a6906 1 that is advertised by named when querying the remote server. d6908 2 a6909 1 silently adjusted). This option is useful when you wish to d6916 1 a6916 1 maximum EDNS UDP message size named will send. Valid d6920 8 a6927 1 replies from named. d7002 26 d7031 108 a7138 1 trusted-keys Statement Grammarupdate_policy_rule[...] }; ] [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] d7462 1 d7466 1 a7466 1 [ masterfile-format (text|raw) ; ] d7470 1 a7470 1 [ forwarders { [ip_addr[portip_port] ; ... ] }; ] d7474 1 d7483 4 a7486 4 [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ zone-statisticsyes_or_no; ] [ sig-validity-intervalnumber; ] d7496 2 d7499 2 d7510 1 d7512 3 d7516 4 a7519 1 [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] d7523 1 a7523 1 [ masterfile-format (text|raw) ; ] d7527 1 a7527 1 [ forwarders { [ip_addr[portip_port] ; ... ] }; ] d7532 4 a7535 1 [ masters [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7545 6 a7550 4 [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] d7552 7 a7558 3 [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ zone-statisticsyes_or_no; ] d7564 3 d7575 1 a7575 1 [ check-names (warn|fail|ignore) ; // Not Implemented. ] d7586 1 a7586 1 [ masterfile-format (text|raw) ; ] d7588 5 a7592 2 [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ masters [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7596 6 a7601 4 [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] d7613 8 d7623 10 a7632 2 [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ delegation-onlyyes_or_no; ] d7639 4 d7647 1 a7647 1 zone Statement Definition and Usage d7650 1 a7650 1 Zone Types d7713 1 a7713 1 behave very slowly if you put 100 000 files into d7779 49 d7882 58 d7946 7 a7952 7 status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones. d7956 4 a7959 2 effect on answers received from forwarders. d7968 1 a7968 1 Class d7990 1 a7990 1 Zone Options d8043 3 d8058 1 d8065 5 d8095 12 d8144 11 a8154 6d8251 72 d8400 71 d8481 12 d8511 8 a8518 9 The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined. d8531 29 a8559 1 This is how a rule definition looks: d8562 1 a8562 1 ( grant | deny ) The flag only applies to hint and stub zones. If set to
yes, then the zone will also be treated as if it is also a delegation-only type zone.identitynametypename[types] d8567 5 a8571 6 granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches the types specified in the type field. d8597 8 a8604 1 Thenametypefield has 12 d8612 2 a8613 1tcp-selfand6to4-self. d8654 23 d8744 68 d8838 1 a8838 1 conection from the 6to4 network or from the d8850 44 d8898 1 a8898 2 field must specify a fully-qualified domain name. d8910 49 d8963 1 a8963 1 Zone File d8976 1 a8976 1 Resource Records d9713 1 a9713 1 Textual expression of RRs d9916 1 a9916 1 Discussion of MX Records a9949 2d10158 1 a10158 2 servers can cache the it. d10171 1 a10171 1 Inverse Mapping in IPv4 d10232 1 a10232 1 Other Zone File Directives d10247 12 a10258 1 The $ORIGIN Directive d10268 2 a10269 1 <
zone-name>. d10287 1 a10287 1 The $INCLUDE Directive d10323 1 a10323 1 The $TTL Directive d10342 1 a10342 1 BIND Master File Extension: the $GENERATE Directive d10362 1 a10362 1 $GENERATE 1-2 0 NS SERVER$.EXAMPLE. d10374 22 d10410 3 a10412 2 is set to 1. All of start, stop and step must be positive. d10447 1 a10447 1 (o) and hexadecimal d10449 2 d10458 10 a10467 2 For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output. d10479 1 a10479 1 normal ttl inheritance rules. d10509 1 a10509 2 At present the only supported types are PTR, CNAME, DNAME, A, AAAA and NS. d10519 1 a10519 2 rhs is a domain name. It is processed similarly to lhs. d10539 15 a10553 5 other formats. Therawformat is currently available as an additional format. It is a binary format representing BIND 9's internal data structure directly, thereby remarkably improving the loading time. d10556 5 a10560 5 For a primary server, a zone file in therawformat is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically d10575 15 a10589 8 Although therawformat uses the network byte order and avoids architecture-dependent data alignment so that it is as much portable as possible, it is primarily expected to be used inside the same single system. In order to export a zone file in therawformat or make a portable backup of the file, it is recommended to convert the file to the standard textual representation. d10686 7 a10692 3 The number of RRsets per RR type (positive or negative) and nonexistent names stored in the cache database. d10785 1 a10785 1 Name Server Statistics Counters d11337 39 d11381 1 a11381 1 Zone Maintenance Statistics Counters d11535 1 a11535 1 Resolver Statistics Counters d11687 7 d11918 1 a11918 1 Socket I/O Statistics Counters d12073 1 a12073 1 Compatibility with BIND 8 Counters d12125 1 @ 1.1.1.1 log @import new bind @ text @@ 1.1.1.2 log @from ftp.isc.org @ text @d17 1 a17 1 d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d77 3 d83 2 a84 5statistics-channels Statement Grammar statistics-channels Statement Definition and Usage trusted-keys Statement Grammar trusted-keys Statement Definition d87 1 a87 1 view Statement Definition and Usage d90 1 a90 1zone Statement Definition and Usage d92 1 a92 1Zone File d95 1 a95 1Discussion of MX Records d97 3 a99 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d464 1 a464 1 Syntax d473 1 a473 1 Definition and Usage d515 2 a516 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d533 1 a533 1 lists. Similarly, the listen-on option will cause the d557 1 a557 1 Comment Syntax d567 1 a567 1 Syntax d582 1 a582 1 Definition and Usage d613 2 d632 2 d767 1 a767 1server
d771 2 a772 2 sets certain configuration options on a per-server basis. d778 1 a778 1statistics-channels
d782 2 a783 2 declares communication channels to get access to named statistics. d827 1 a827 1 acl Statement Grammar d909 1 a909 1 controls Statement Grammar d1031 1 a1031 1 include Statement Grammar d1036 1 a1036 1 include Statement Definition and d1051 1 a1051 1 key Statement Grammar d1060 1 a1060 1 key Statement Definition and Usage d1107 1 a1107 1 logging Statement Grammar d1131 1 a1131 1 logging Statement Definition and d1165 1 a1165 1 The channel Phrase d1327 1 a1327 1 pointless since syslog also logs d1561 1 a1561 1 Messages that named was unable to determine the d1684 5 a1688 5 Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration. d1716 1 a1716 1 Note: eventually named will have to stop d1731 1 a1731 1 The query-errors Category d1951 1 a1951 1 lwres Statement Grammar d1966 1 a1966 1 lwres Statement Definition and Usage d2017 1 a2017 1 masters Statement Grammar d2024 1 a2024 1 masters Statement Definition and d2033 1 a2033 1 options Statement Grammar d2270 1 a2270 1 beclient specified part+ d2313 1 a2313 1 The PID file is used by programs that want to send signals to d2374 1 a2374 3root-delegation-only d2377 2 a2378 2 Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional d2382 2 a2383 30 DS queries are expected to be made to and be answered by delegation only zones. Such queries and responses are treated as a exception to delegation-only processing and are not converted to NXDOMAIN responses provided a CNAME is not discovered at the query name.If a delegation only zone server also serves a child zone it is not always possible to determine whether a answer comes from the delegation only zone or the child zone. SOA NS and DNSKEY records are apex only records and a matching response that contains these records or DS is treated as coming from a child zone. RRSIG records are also examined to see if they are signed by a child zone or not. The authority section is also examined to see if there is evidence that the answer is from the child zone. Answers that are determined to be from a child zone are not converted to NXDOMAIN responses. Despite all these checks there is still a possibility of false negatives when a child zone is being served.
Similarly false positives can arise from empty nodes (no records at the name) in the delegation only zone when the query type is not ANY.
Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM"). This list is not exhaustive. d2408 1 a2408 1 the normal DNSSEC validation d2421 1 a2421 1 If
yes, then named will only accept d2424 1 a2424 1 Ifno, then normal DNSSEC validation d3016 1 a3016 1 addresses refer to different machines. Ifyes, named will d3018 1 a3018 1 when the serial number on the master is less than what named d3024 2 a3025 2 Enable DNSSEC support in named. Unless set toyes, named behaves as if it does not support DNSSEC. d3030 1 a3030 1 Enable DNSSEC validation in named. d3039 1 a3039 1 Setting this option to "yes" leaves named vulnerable to replay attacks. d3043 1 a3043 1 Specify whether query logging should be started when named d3158 1 a3158 1 Forwarding d3202 1 a3202 1 Dual-stack Servers d3399 1 a3399 1 Interfaces d3403 1 a3403 1 an optional port and anaddress_match_list. d3474 1 a3474 1 unless -6 is specified when named is d3476 1 a3476 1 named will listen on port 53 on all IPv6 interfaces by default. d3627 1 a3627 6 quickly converge on stealth servers. Optionally, a port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. If an also-notify list d3794 1 a3794 1 getting an answer back to the first refresh d3846 1 a3846 1 UDP Port Lists d3888 1 a3888 1 Operating System Resource Limits d4002 1 a4002 1 interfaces named listens on, tcp-clients as well as d4050 1 a4050 1 Periodic Task Intervals d4490 8 a4497 9 Sets the advertised EDNS UDP buffer size in bytes to control the size of packets received. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. d4501 1 a4501 1 Sets the maximum EDNS UDP message size named will d4505 1 a4505 1 max-udp-size to a non-default value is to get UDP d4545 1 a4545 1 before dropping additional clients. named will attempt to d4552 1 a4552 1 If the number of queries exceed this value, named will d4633 1 a4633 1 Specifying server-id hostname; will cause named to d4654 1 a4654 1 Named will attempt to determine if a built-in zone already exists d4702 1 a4702 1 root servers, this is all built-in empty zones. This will d4824 60 d4987 1 a4987 1 that is advertised by named when querying the remote server. d4996 1 a4996 1 maximum EDNS UDP message size named will send. Valid d5000 1 a5000 1 replies from named. d5078 1 a5078 61 statistics-channels Statement Grammarstatistics-channels { [ inet ( ip_addr | * ) [ port ip_port ] [allow {address_match_list} ]; ] [ inet ...; ] };The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server.
This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error.
An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of
*(asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of::.If no port is specified, port 80 is used for HTTP channels. The asterisk "
*" cannot be used for ip_port.The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately.
If no statistics-channels statement is present, named will not open any communication channels.
d5087 1 a5087 1 trusted-keys Statement Definition d5133 1 a5133 1 view Statement Definition and Usaged5399 1 a5399 1 zone Statement Definition and Usage d5402 1 a5402 1 Zone Types d5465 1 a5465 1 behave very slowly if you put 100000 files into d5591 7 a5597 7 status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones. d5601 2 a5602 4 effect on answers received from forwarders.See caveats in root-delegation-only. d5611 1 a5611 1 Class d5633 1 a5633 1 Zone Options d5766 1 a5766 2
d6208 1 a6208 1 Zone File d6221 1 a6221 1 Resource Records d6958 1 a6958 1 Textual expression of RRs d7161 1 a7161 1 Discussion of MX Records d7195 2 d7419 1 a7419 1 Inverse Mapping in IPv4 d7480 1 a7480 1 Other Zone File Directives d7495 1 a7495 1 The $ORIGIN Directive d7523 1 a7523 1 The $INCLUDE Directive d7559 1 a7559 1 The $TTL Directive d7578 1 a7578 1 BIND Master File Extension: the $GENERATE Directive d7682 1 a7682 1 normal TTL inheritance rules. d7969 1 a7969 1 Name Server Statistics Counters d8526 1 a8526 1 Zone Maintenance Statistics Counters d8680 1 a8680 1 Resolver Statistics Counters d9056 1 a9056 1 Socket I/O Statistics Counters d9211 1 a9211 1 Compatibility with BIND 8 Counters @ 1.1.1.3 log @import bind-9-7-0-b1 @ text @d5 1 a5 1 - Permission to use, copy, modify, and/or distribute this software for any d17 1 a17 1 d51 1 a51 1 d5769 3 a5771 6 treated as if it is also a delegation-only type zone.
See caveats in root-delegation-only.
Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d83 2 a84 5 trusted-keys Statement Grammar trusted-keys Statement Definition and Usage managed-keys Statement Grammar managed-keys Statement Definition d87 1 a87 1 view Statement Definition and Usage d90 1 a90 1zone Statement Definition and Usage d92 1 a92 1Zone File d95 1 a95 1Discussion of MX Records d97 3 a99 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a195 13namelistA list of one or more
domain_nameelements.
d464 1 a464 1 Syntax d473 1 a473 1 Definition and Usage d557 1 a557 1 Comment Syntax d567 1 a567 1 Syntax d576 1 a576 2
# This is a BIND comment as in common UNIX shells # and perld582 1 a582 1 Definition and Usage a794 11
managed-keys
lists DNSSEC keys to be kept up to date using RFC 5011 trust anchor maintenance.
address_match_list }
d910 1
a910 2
[ unix path perm number owner number group number
keys { key_list }; ]
d1027 1
a1027 1
include Statement Grammar
d1032 1
a1032 1
include Statement Definition and
d1047 1
a1047 1
key Statement Grammar
d1056 1
a1056 1
key Statement Definition and Usage
d1103 1
a1103 1
logging Statement Grammar
d1127 1
a1127 1
logging Statement Definition and
d1161 1
a1161 1
The channel Phrase
d1345 5
a1349 4
// send to syslog's daemon facility
syslog daemon;
// only send priority info and higher
severity info;
d1352 8
a1359 6
// write to named.run in the working directory
// Note: stderr is used instead of "named.run" if
// the server is started with the '-f' option.
file "named.run";
// log at the server's current debug level
severity dynamic;
d1363 3
a1365 4
// writes to stderr
stderr;
// only send priority info and higher
severity info;
d1369 2
a1370 2
// toss anything sent to this channel
null;
d1613 1
a1613 1
class and type. Next it reports whether the
d1618 1
a1618 2
(C). After this the destination address the
query was sent to is reported.
d1669 2
a1670 1
query those servers during resolution.
d1727 1
a1727 1
The query-errors Category
d1758 1
a1758 9
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
d1947 1
a1947 1
lwres Statement Grammar
d1953 1
a1953 2
[ listen-on { ip_addr [port ip_port] ;
[ ip_addr [port ip_port] ; ... ] }; ]
d1962 1
a1962 1
lwres Statement Definition and Usage
d2013 1
a2013 1
masters Statement Grammar
d2015 1
a2015 2
masters name [port ip_port] { ( masters_list |
ip_addr [port ip_port] [key key] ) ; [...] };
d2020 1
a2020 1
masters Statement Definition and
d2029 1
a2029 1
options Statement Grammar
a2034 1
[ attach-cache cache_name; ]
a2045 1
[ bindkeys-file path_name; ]
d2071 1
a2071 2
[ dnssec-lookaside ( auto |
domain trust-anchor domain ); ]
a2098 2
[ dnskey-ksk-only yes_or_no; ]
[ secure-to-insecure yes_or_no ;]
d2136 1
a2136 2
[ alt-transfer-source-v6 (ip6_addr | *)
[port ip_port] ; ]
d2142 1
a2142 2
[ also-notify { ip_addr [port ip_port] ;
[ ip_addr [port ip_port] ; ... ] }; ]
d2159 1
a2159 1
[ sig-validity-interval number [number] ; ]
d2183 1
a2183 2
[ disable-algorithms domain { algorithm;
[ algorithm; ] }; ]
a2195 2
[ deny-answer-addresses { address_match_list } [ except-from { namelist } ];]
[ deny-answer-aliases { namelist } [ except-from { namelist } ];]
a2212 85
Allows multiple views to share a single cache database. Each view has its own cache database by default, but if multiple views have the same operational policy for name resolution and caching, those views can share a single cache to save memory and possibly improve resolution efficiency by using this option.
The attach-cache option may also be specified in view statements, in which case it overrides the global attach-cache option.
The cache_name specifies
the cache to be shared.
When the named server configures
views which are supposed to share a cache, it
creates a cache with the specified name for the
first view of these sharing views.
The rest of the views will simply refer to the
already created cache.
One common configuration to share a cache would be to allow all views to share a single cache. This can be done by specifying the attach-cache as a global option with an arbitrary name.
Another possible operation is to allow a subset of all views to share a cache while the others to retain their own caches. For example, if there are three views A, B, and C, and only A and B should share a cache, specify the attach-cache option as a view A (or B)'s option, referring to the other view name:
view "A" {
// this view has its own cache
...
};
view "B" {
// this view refers to A's cache
attach-cache "A";
};
view "C" {
// this view has its own cache
...
};
Views that share a cache must have the same policy on configurable parameters that may affect caching. The current implementation requires the following configurable options be consistent among these views: check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl.
Note that there may be other parameters that may cause confusion if they are inconsistent for different views that share a single cache. For example, if these views define different sets of forwarders that can return different answers for the same question, sharing the answer does not make sense or could even be harmful. It is administrator's responsibility to ensure configuration differences in different views do not cause disruption with a shared cache.
bind.keys,
rndc.key or
session.key.)
a2333 40
The pathname of a file to override the built-in trusted
keys provided by named.
See the discussion of dnssec-lookaside
for details. If not specified, the default is
/etc/bind.keys.
The pathname of the file into which to write a TSIG
session key generated by named for use by
nsupdate -l. If not specified, the
default is /var/run/named/session.key.
(See the section called “Dynamic Update Policies”, and in
particular the discussion of the
update-policy statement's
local option for more
information about this feature.)
The key name to use for the TSIG session key. If not specified, the default is "local-ddns".
The algorithm to use for the TSIG session key. Valid values are hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512 and hmac-md5. If not specified, the default is hmac-sha256.
The pathname of the file into which to write a session TSIG
key for use by nsupdate -l. (See the
discussion of the update-policy
statement's local option for more
details on this feature.)
When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS d2442 1 a2442 32
If dnssec-lookaside is set to
auto, then built-in default
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
The default DLV key is stored in the file
bind.keys, which
named loads at startup if
dnssec-lookaside is set to
auto. A copy of that file is
installed along with BIND 9, and is
current as of the release date. If the DLV key expires, a
new copy of bind.keys can be downloaded
from https://www.isc.org/solutions/dlv.
(To prevent problems if bind.keys is
not found, the current key is also compiled in to
named. Relying on this is not
recommended, however, as it requires named
to be recompiled with a new key when the DLV key expires.)
NOTE: Using bind.keys to store
locally-configured keys is possible, but not
recommended, as the file will be overwritten whenever
BIND 9 is re-installed or upgraded.
yes,
then named will only accept answers if
they are secure. If no, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a
trusted-keys or
managed-keys statement, or
dnssec-lookaside must be active.
a2865 1
The default is no.
d2993 1
a2993 2
d2997 8 a3004 11
This option was introduced to work around a kernel quirk in some operating systems that causes IPv4 TCP connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, named now solves this problem internally. The use of this option is discouraged.
yes
leaves named vulnerable to
replay attacks.
d3165 9
a3173 44
When set to the default value of yes,
check the KSK bit in each key to determine how the key
should be used when generating RRSIGs for a secure zone.
Ordinarily, zone-signing keys (that is, keys without the
KSK bit set) are used to sign the entire zone, while
key-signing keys (keys with the KSK bit set) are only
used to sign the DNSKEY RRset at the zone apex.
However, if this option is set to no,
then the KSK bit is ignored; KSKs are treated as if they
were ZSKs and are used to sign the entire zone. This is
similar to the dnssec-signzone -z
command line option.
When this option is set to yes, there
must be at least two active keys for every algorithm
represented in the DNSKEY RRset: at least one KSK and one
ZSK per algorithm. If there is any algorithm for which
this requirement is not met, this option will be ignored
for that algorithm.
When this option and update-check-ksk
are both set to yes, only key-signing
keys (that is, keys with the KSK bit set) will be used
to sign the DNSKEY RRset at the zone apex. Zone-signing
keys (keys without the KSK bit set) will be used to sign
the remainder of the zone, but not the DNSKEY RRset.
This is similar to the
dnssec-signzone -x command line option.
The default is no. If
update-check-ksk is set to
no, this option is ignored.
Allow a zone to transition from secure to insecure by deleting all DNSKEY records. The default is no.
d4523 1 a4523 1 Valid values are 1024 to 4096 (values outside this range d4530 1 a4530 9
named will fallback to using 512 bytes if it get a series of timeout at the initial value. 512 bytes is not being offered to encourage sites to fix their firewalls. Small EDNS UDP sizes will result in the excessive use of TCP.
Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default d4537 4 a4540 4 max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. d4543 1 a4543 6
Setting this to a low value will encourge additional TCP traffic to the nameserver.
BIND 9 provides the ability to filter
out DNS responses from external DNS servers containing
certain types of data in the answer section.
Specifically, it can reject address (A or AAAA) records if
the corresponding IPv4 or IPv6 addresses match the given
address_match_list of the
deny-answer-addresses option.
It can also reject CNAME or DNAME records if the "alias"
name (i.e., the CNAME alias or the substituted query name
due to DNAME) matches the
given namelist of the
deny-answer-aliases option, where
"match" means the alias name is a subdomain of one of
the name_list elements.
If the optional namelist is specified
with except-from, records whose query name
matches the list will be accepted regardless of the filter
setting.
Likewise, if the alias name is a subdomain of the
corresponding zone, the deny-answer-aliases
filter will not apply;
for example, even if "example.com" is specified for
deny-answer-aliases,
www.example.com. CNAME xxx.example.com.
returned by an "example.com" server will be accepted.
In the address_match_list of the
deny-answer-addresses option, only
ip_addr
and ip_prefix
are meaningful;
any key_id will be silently ignored.
If a response message is rejected due to the filtering, the entire message is discarded without being cached, and a SERVFAIL error will be returned to the client.
This filtering is intended to prevent "DNS rebinding attacks," in which an attacker, in response to a query for a domain name the attacker controls, returns an IP address within your own network or an alias name within your own domain. A naive web browser or script could then serve as an unintended proxy, allowing the attacker to get access to an internal node of your local network that couldn't be externally accessed otherwise. See the paper available at http://portal.acm.org/citation.cfm?id=1315245.1315298 for more details about the attacks.
For example, if you own a domain named "example.net" and your internal network uses an IPv4 prefix 192.0.2.0/24, you might specify the following rules:
deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
deny-answer-aliases { "example.net"; };
If an external attacker lets a web browser in your local network look up an IPv4 address of "attacker.example.com", the attacker's DNS server would return a response like this:
attacker.example.com. A 192.0.2.1
in the answer section. Since the rdata of this record (the IPv4 address) matches the specified prefix 192.0.2.0/24, this response will be ignored.
On the other hand, if the browser looks up a legitimate internal web server "www.example.net" and the following response is returned to the BIND 9 server
www.example.net. A 192.0.2.2
it will be accepted since the owner name "www.example.net" matches the except-from element, "example.net".
Note that this is not really an attack on the DNS per se. In fact, there is nothing wrong for an "external" name to be mapped to your "internal" IP address or domain name from the DNS point of view. It might actually be provided for a legitimate purpose, such as for debugging. As long as the mapping is provided by the correct owner, it is not possible or does not make sense to detect whether the intent of the mapping is legitimate or not within the DNS. The "rebinding" attack must primarily be protected at the application that uses the DNS. For a large site, however, it may be difficult to protect all possible applications at once. This filtering feature is provided only to help such an operational environment; it is generally discouraged to turn it on unless you are very sure you have no other choice and the attack is a real threat for your applications.
Care should be particularly taken if you want to use this option for addresses within 127.0.0.0/8. These addresses are obviously "internal", but many applications conventionally rely on a DNS mapping from some name to such an address. Filtering out DNS records containing this address spuriously can break such applications.
ip_addr | * ) ]
[ port ( ip_port | * ) ]; ]
[ query-source-v6 [ address ( ip_addr | * ) ]
[ port ( ip_port | * ) ]; ]
d5052 1
a5052 2
[ inet ( ip_addr | * ) [ port ip_port ]
[ allow { address_match_list } ]; ]
d5059 1
a5059 1
statistics-channels Statement Definition and
d5110 1
a5110 1
trusted-keys Statement Grammar
d5119 1
a5119 1
trusted-keys Statement Definition
a5148 114
trusted-keys may be set at the top level
of named.conf or within a view. If it is
set in both places, they are additive: keys defined at the top
level are inherited by all views, but keys defined in a view
are only used within that view.
managed-keys {stringinitial-keynumbernumbernumberstring; [stringinitial-keynumbernumbernumberstring; [...]] };
The managed-keys statement, like trusted-keys, defines DNSSEC security roots. The difference is that managed-keys can be kept up to date automatically, without intervention from the resolver operator.
Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had the old key in a trusted-keys statement would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had updated the trusted-keys statement with the new key.
If, however, the zone were listed in a managed-keys statement instead, then the zone owner could add a "stand-by" key to the zone in advance. named would store the stand-by key, and when the original key was revoked, named would be able to transition smoothly to the new key. It would also recognize that the old key had been revoked, and cease using that key to validate answers, minimizing the damage that the compromised key could do.
A managed-keys statement contains a list of
the keys to be managed, along with information about how the
keys are to be initialized for the first time. The only
initialization method currently supported (as of
BIND 9.7.0) is initial-key.
This means the managed-keys statement must
contain a copy of the initializing key. (Future releases may
allow keys to be initialized by other methods, eliminating this
requirement.)
Consequently, a managed-keys statement
appears similar to a trusted-keys, differing
in the presence of the second field, containing the keyword
initial-key. The difference is, whereas the
keys listed in a trusted-keys continue to be
trusted until they are removed from
named.conf, an initializing key listed
in a managed-keys statement is only trusted
once: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
process.
The first time named runs with a managed key
configured in named.conf, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the key specified in the managed-keys
statement. If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
From that point on, whenever named runs, it sees the managed-keys statement, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The key specified in the managed-keys is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database.
The next time named runs after a name has been removed from the managed-keys statement, the corresponding zone will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used for that domain.
named only maintains a single managed keys
database; consequently, unlike trusted-keys,
managed-keys may only be set at the top
level of named.conf, not within a view.
If the dnssec-lookaside option is
set to auto, named
will automatically initialize a managed key for the
zone dlv.isc.org. The key that is
used to initialize the key maintenance process is built
into named, and can be overridden
from bindkeys-file.
local | { update_policy_rule [...] }; ]
[ also-notify { ip_addr [port ip_port] ;
[ ip_addr [port ip_port] ; ... ] }; ]
d5318 1
a5318 1
[ sig-validity-interval number [number] ; ]
a5327 1
[ auto-dnssec allow|maintain|create|off; ]
a5338 2
[ dnskey-ksk-only yes_or_no; ]
[ secure-to-insecure yes_or_no ; ]
d5340 1
a5340 2
[ also-notify { ip_addr [port ip_port] ;
[ ip_addr [port ip_port] ; ... ] }; ]
d5353 1
a5353 3
[ masters [port ip_port] { ( masters_list | ip_addr
[port ip_port]
[key key] ) ; [...] }; ]
d5366 1
a5366 2
[ alt-transfer-source-v6 (ip6_addr | *)
[port ip_port] ; ]
d5384 1
a5384 1
[ check-names (warn|fail|ignore) ; ] // Not Implemented.
d5398 1
a5398 3
[ masters [port ip_port] { ( masters_list | ip_addr
[port ip_port]
[key key] ) ; [...] }; ]
d5403 1
a5403 2
[ transfer-source-v6 (ip6_addr | *)
[port ip_port] ; ]
d5405 1
a5405 2
[ alt-transfer-source-v6 (ip6_addr | *)
[port ip_port] ; ]
d5431 1
a5431 1
zone Statement Definition and Usage
d5434 1
a5434 1
Zone Types
d5645 1
a5645 1
Class
d5667 1
a5667 1
Zone Options
a5731 1
It is not implemented for hint zones.
a5762 5
See the description of dnskey-ksk-only in the section called “Boolean Options”.
Zones configured for dynamic DNS may also use this option to allow varying levels of autonatic DNSSEC key management. There are four possible settings:
auto-dnssec allow; permits keys to be updated and the zone re-signed whenever the user issues the command rndc sign.
auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)).
auto-dnssec create; includes the above, but also allows named to create new keys in the key repository when needed. (NOTE: This option is not yet implemented; the syntax is being reserved for future use.)
The default setting is auto-dnssec off.
See the description of secure-to-insecure in the section called “Boolean Options”.
/var/run/named/session.key, the key
name is "local-ddns" and the key algorithm is HMAC-SHA256,
but these values are configurable with the
session-keyfile,
session-keyname and
session-keyalg options, respectively).
A client running on the local system, and with appropriate permissions, may read that file and use the key to sign update requests. The zone's update policy will be set to allow that key to change any record within the zone. Assuming the key name is "local-ddns", this policy is equivalent to:
update-policy { grant local-ddns zonesub any; };
The command nsupdate -l sends update requests to localhost, and signs them using the session key.
Other rule definitions look like this:
d6035 1
a6035 1
( grant | deny ) identity nametype [ name ] [ types ]
d6040 6
a6045 5
granted or denied and no further rules are examined. A rule
is matched when the signer matches the identity field, the
name matches the name field in accordance with the nametype
field, and the type matches the types specified in the type
field.
d6071 1
a6071 1
The nametype field has 13
d6079 1
a6079 2
tcp-self, 6to4-self,
and zonesub.
a6119 23
zonesub
This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the update-policy statement appears. This obviates the need to type the zone name twice, and enables the use of a standard update-policy statement in multiple zones without modification.
When this rule is used, the
name field is omitted.
d6213 1 a6213 1 connection from the 6to4 network or from the d6246 1 a6246 1 Zone File d6259 1 a6259 1 Resource Records d6996 1 a6996 1 Textual expression of RRs d7199 1 a7199 1 Discussion of MX Records d7455 1 a7455 1 Inverse Mapping in IPv4 d7516 1 a7516 1 Other Zone File Directives d7531 1 a7531 12 The @@ (at-sign)
When used in the label (or name) field, the asperand or
at-sign (@@) symbol represents the current origin.
At the start of the zone file, it is the
<zone_name> (followed by
trailing dot).
Generate a set of A and MX records. Note the MX's right hand side is a quoted string. The quotes will be stripped when the right hand side is processed.
$ORIGIN EXAMPLE. $GENERATE 1-127 HOST-$ A 1.2.3.$ $GENERATE 1-127 HOST-$ MX "0 ."
is equivalent to
HOST-1.EXAMPLE. A 1.2.3.1 HOST-1.EXAMPLE. MX 0 . HOST-2.EXAMPLE. A 1.2.3.2 HOST-2.EXAMPLE. MX 0 . HOST-3.EXAMPLE. A 1.2.3.3 HOST-3.EXAMPLE. MX 0 . ... HOST-127.EXAMPLE. A 1.2.3.127 HOST-127.EXAMPLE. MX 0 .d7696 1 a7696 1 (o), hexadecimal a7697 2 for uppercase) and nibble (n or N\ d7705 2 a7706 10 In nibble mode the value will be treated as if it was a reversed hexadecimal string with each hexadecimal digit as a separate label. The width field includes the label separator.
For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output. d7748 2 a7749 1 Any valid type. d7759 2 a7760 1 rhs, optionally, quoted string. d7910 3 a7912 6 The number of RRsets per RR type and nonexistent names stored in the cache database. If the exclamation mark (!) is printed for a RR type, it means that particular type of RRset is known to be nonexistent (this is also known as "NXRRSET"). d8005 1 a8005 1 Name Server Statistics Counters d8562 1 a8562 1 Zone Maintenance Statistics Counters d8716 1 a8716 1 Resolver Statistics Counters a8867 7 The DNS ID, response's source address, and/or the response's source port does not match what was expected. (The port must be 53 or as defined by the port option.) This may be an indication of a cache poisoning attempt. d9092 1 a9092 1 Socket I/O Statistics Counters d9247 1 a9247 1 Compatibility with BIND 8 Counters @ 1.1.1.4 log @Import bind 9.7.0rc1 @ text @d17 1 a17 1 d51 1 a51 1
warn | fail | ignore ); ]
d2140 2
a2141 2
[ dnssec-dnskey-kskonly yes_or_no; ]
[ dnssec-secure-to-insecure yes_or_no ;]
d2161 1
a2161 1
[ queryport-pool-updateinterval number; ]
a2222 1
[ filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); ]
d2366 3
a2368 2
directory. (Note that this option has no effect on the
paths for files containing non-DNSSEC keys such as
a3210 51
This option is only available when
BIND 9 is compiled with the
--enable-filter-aaaa option on the
"configure" command line. It is intended to help the
transition from IPv4 to IPv6 by not giving IPv6 addresses
to DNS clients unless they have connections to the IPv6
Internet. This is not recommended unless absolutely
necessary. The default is no.
The filter-aaaa-on-v4 option
may also be specified in view statements
to override the global filter-aaaa-on-v4
option.
If yes,
the DNS client is at an IPv4 address,
and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
If break-dnssec,
then AAAA records are deleted even when dnssec is enabled.
As suggested by the name, this makes the response not verify,
because the DNSSEC protocol is designed detect deletions.
This mechanism can erroneously cause other servers to not give AAAA records to their clients. A recursing server with both IPv6 and IPv4 network connections that queries an authoritative server using this mechanism via IPv4 will be denied AAAA records even if its client is using IPv6.
This mechanism is applied to authoritative as well as non-authoritative records. A client using IPv4 that is not allowed recursion can erroneously be given AAAA records because the server is not allowed to check for A records.
Some AAAA records are given to IPv4 clients in glue records. IPv4 clients that are servers can then erroneously answer requests for AAAA records received via IPv4.
Check master zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. The default is to warn. Other possible values are fail and ignore.
Check whether the MX record appears to refer to a IP address. The default is to warn. Other possible values are fail and ignore.
number; ]
d5456 1
a5456 1
statistics-channels Statement Definition and
d5507 1
a5507 1
trusted-keys Statement Grammar
d5516 1
a5516 1
trusted-keys Statement Definition
d5556 1
a5556 1
managed-keys Statement Grammar
d5565 1
a5565 1
managed-keys Statement Definition
a5651 15
In the current implementation, the managed keys database is
stored as a master-format zone file called
managed-keys.bind. When the key database
is changed, the zone is updated. As with any other dynamic
zone, changes will be written into a journal file,
managed-keys.bind.jnl. They are committed
to the master file as soon as possible afterward; in the case
of the managed key database, this will usually occur within 30
seconds. So, whenever named is using
automatic key maintenace, those two files can be expected to
exist in the working directory. (For this reason among others,
the working directory should be always be writable by
named.)
d5676 1
a5676 1
view Statement Definition and Usage
d5854 2
a5855 2
[ dnssec-dnskey-kskonly yes_or_no; ]
[ dnssec-secure-to-insecure yes_or_no ; ]
d5956 1
a5956 1
zone Statement Definition and Usage
d5959 1
a5959 1
Zone Types
d6170 1
a6170 1
Class
d6192 1
a6192 1
Zone Options
d6289 1
a6289 1
zonename.
d6554 1
a6554 1
path_name; ]
a2225 1
[ filter-aaaa { address_match_list }; ]
a2374 8
The directory used to hold the files used to track managed keys.
By default it is the working directory. It there are no
views then the file managed-keys.bind
otherwise a SHA256 hash of the view name is used with
.mkeys extension added.
DNS/server.domain".
a2479 7
The pathname of the file the server dumps
security roots to when instructed to do so with
rndc secroots.
If not specified, the default is named.secroots.
Allow a dynamic zone to transition from secure to insecure (i.e., signed to unsigned) by deleting all of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset at the zone apex is deleted, all RRSIG and NSEC records will be removed from the zone as well.
If the zone uses NSEC3, then it is also necessary to delete the NSEC3PARAM RRset from the zone apex; this will cause the removal of all corresponding NSEC3 records. (It is expected that this requirement will be eliminated in a future release.)
Note that if a zone has been configured with auto-dnssec maintain and the private keys remain accessible in the key repository, then the zone will be automatically signed again the next time named is started.
Specifies a list of addresses to which
filter-aaaa-on-v4
is applies. The default is any.
d4726 1 a4726 8
Lame-ttl also controls the amount of time DNSSEC validation failures are cached. There is a minimum of 30 seconds applied to bad cache entries if the lame-ttl is set to less than 30 seconds.
yes_or_no }; ]
a2681 7
If yes, then zones can be
added at runtime via rndc addzone
or deleted via rndc delzone.
The default is no.
The following defaults apply. min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds (2 weeks).
a5086 2zonename causes
named to load keys from the key
repository and sign the zone with all keys that are
active.
rndc loadkeys
zonename causes
named to load keys from the key
repository and schedule key maintenance events to occur
in the future, but it does not sign the full zone
immediately.
d6996 1
a6996 1
Zone File
d7009 1
a7009 1
Resource Records
d7746 1
a7746 1
Textual expression of RRs
d7949 1
a7949 1
Discussion of MX Records
d8205 1
a8205 1
Inverse Mapping in IPv4
d8266 1
a8266 1
Other Zone File Directives
d8281 1
a8281 1
The @@ (at-sign)
d8292 1
a8292 1
The $ORIGIN Directive
d8321 1
a8321 1
The $INCLUDE Directive
d8357 1
a8357 1
The $TTL Directive
d8376 1
a8376 1
BIND Master File Extension: the $GENERATE Directive
d8800 1
a8800 1
Name Server Statistics Counters
d9357 1
a9357 1
Zone Maintenance Statistics Counters
d9511 1
a9511 1
Resolver Statistics Counters
d9894 1
a9894 1
Socket I/O Statistics Counters
d10049 1
a10049 1
Compatibility with BIND 8 Counters
@
1.1.1.6.2.1
log
@Sync with HEAD
@
text
@d2 1
a2 1
- Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
d17 1
a17 1
d51 1
a51 1
path_name; ]
d2112 1
a2112 1
[ dnssec-validation (yes_or_no | auto); ]
a2228 10
[ dns64 IPv6-prefix {
[ clients { address_match_list }; ]
[ mapped { address_match_list }; ]
[ exclude { address_match_list }; ]
[ suffix IPv6-address; ]
[ recursive-only yes_or_no; ]
[ break-dnssec yes_or_no; ]
}; ];
[ dns64-server name ]
[ dns64-contact name ]
a2247 1
[ resolver-query-timeout number ; ]
a2249 1
[ response-policy { zone_name [ policy given | no-op | nxdomain | nodata | cname domain ] ; } ; ]
a2394 7
The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab.
/etc/krb5.keytab.
The location keytab file can be overridden using the
tkey-gssapi-keytab option. Normally this principal is
of the form "DNS/server.domain".
To use GSS-TSIG, tkey-domain must
also be set if a specific keytab is not set with
tkey-gssapi-keytab.
d2423 1
a2423 2
using GSS-TSIG, this variable must be defined, unless
you specify a specific keytab using tkey-gssapi-keytab.
d2488 1
a2488 2
and dnssec-validation for details.
If not specified, the default is
d2643 4
a2646 4
bind.keys;
named will load that key at
startup if dnssec-lookaside is set to
auto. A copy of the file is
d2660 4
a2663 4
NOTE: named only loads certain specific
keys from bind.keys: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
a2677 64
This directive instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. It is intended to be used in conjunction with a NAT64. Each dns64 defines one DNS64 prefix. Multiple DNS64 prefixes can be defined.
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, 64 and 96 as per RFC 6052.
Additionally a reverse IP6.ARPA zone will be created for the prefix to provide a mapping from the IP6.ARPA names to the corresponding IN-ADDR.ARPA names using synthesized CNAMEs. dns64-server and dns64-contact can be used to specify the name of the server and contact for the zones. These are settable at the view / options level. These are not settable on a per-prefix basis.
Each dns64 supports an optional
clients ACL that determines which
clients are affected by this directive. If not defined,
it defaults to any;.
Each dns64 supports an optional
mapped ACL that selects which
IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
any;.
Each dns64 supports an optional exclude ACL that selects which IPv6 addresses will be ignored for the purposes of determining whether dns64 is to be applied. Any non-matching address will prevent further DNS64 processing from occurring for this client.
A optional suffix can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to ::. The bits
matching the prefix and mapped IPv4 address
must be zero.
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
dns64 64:FF9B::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
no, DNSSEC validation
is disabled. If set to auto,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
yes, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a trusted-keys or
managed-keys statement. The default
is yes.
d3404 7
d3545 1
a3545 1
Forwarding
d3589 1
a3589 1
Dual-stack Servers
a3787 8
The amount of time the resolver will spend attempting
to resolve a recursive query before failing. The
default is 10 and the maximum is
30. Setting it to 0
will result in the default being used.
BIND 9 includes an intentionally limited mechanism to modify DNS responses for recursive requests similar to email anti-spam DNS blacklists. All response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view.
The rules encoded in a response policy zone (RPZ) are applied only to responses to queries that ask for recursion (RD=1). RPZs are normal DNS zones containing largely valid RRsets that can be queried normal if allowed. It is usually best to restrict those queries with something like allow-query {none; }; or allow-query { 127.0.0.1; };.
There are four kinds of RPZ rewrite rules. QNAME rules are applied to query names in requests and to targets of CNAME records resolved in the process of generating the response. The owner name of a QNAME rule is the query name relativized to the RPZ.
IP rules are triggered by addresses in A and AAAA records. All IP addresses in A or AAAA RRsets are tested and the rule longest prefix is applied. Ties between rules with equal prefixes are broken in favor of the first RPZ mentioned in the response-policy option. The rule matching the smallest IP address is chosen among equal prefix rules from a single RPZ. IP rules are expressed in RRsets with owner names that are subdomains of rpz-ip and encoding an IP address block, reversed as in IN-ARPA. prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255 encodes an IPv4 address. IPv6 addresses are encoded by with prefix.W.W.W.W.W.W.W.W or prefix.WORDS.zz.WORDS. The words in the standard IPv6 text representation are reversed, "::" is replaced with ".zz.", and ":" becomes ".".
NSDNAME rules match names in NS RRsets for the response or a parent. They are encoded as subdomains of rpz-nsdomain relativized to the RPZ origin name.
NSIP rules match IP addresses in A and AAAA RRsets for names of responsible servers or the names that can be matched by NSDNAME rules. The are encoded like IP rules except as subdomains of rpz-nsip.
Authority verification issues and variations in authority data in
the current version of BIND 9 can cause
inconsistent results from NSIP and NSDNAME. So they are available
only when BIND is built with the
--enable-rpz-nsip or
--enable-rpz-nsdname options
on the "configure" command line.
Four policies can be expressed. The NXDOMAIN policy causes a NXDOMAIN response and is expressed with an RRset consisting of a single CNAME whose target is the root domain (.). NODATA generates NODATA or ANCOUNT=1 regardless of query type. It is expressed with a CNAME whose target is the wildcard top-level domain (*.). The NO-OP policy does not change the response and is used to "poke holes" in policies for larger CIDR blocks or in zones named later in the response-policy option. The NO-OP policy is expressed by a CNAME with a target consisting of the variable part of the owner name, such as "example.com." for a QNAME rule or "128.1.0.0.127." for an IP rule. The CNAME policy is used to replace the RRsets of response. A and AAAA RRsets are most common and useful to capture an evil domain in a walled garden, but any valid set of RRsets is possible.
All of the policies in an RPZ can be overridden with a policy clause. given says "do not override." no-op says "do nothing" regardless of the policy in RPZ records. nxdomain causes all RPZ rules to generate NXDOMAIN results. nodata gives nodata. cname domain causes all RPZ rules to act as if the consisted of a "cname domain" record.
For example, you might use this option statement
response-policy { zone "bl"; };
and this zone statement
zone "bl" {type master; file "example/bl"; allow-query {none;}; };
with this zone file
$TTL 1H
@@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
; QNAME rules
nxdomain.domain.com CNAME .
nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
AAAA 2001:2::1
ok.domain.com CNAME ok.domain.com.
; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
32.1.0.0.127.ip CNAME 32.1.0.0.127.
; NSDNAME and NSIP rules
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
address_match_list }; ]
[ server-addresses { [ ip_addr ; ... ] }; ]
[ server-names { [ namelist ] }; ]
[ zone-statistics yes_or_no ; ]
};
zone zone_name [class] {
d6108 1
a6108 1
zone Statement Definition and Usage
d6111 1
a6111 1
Zone Types
a6239 49
static-stub
A static-stub zone is similar to a stub zone with the following exceptions: the zone data is statically configured, rather than transferred from a master server; when recursion is necessary for a query that matches a static-stub zone, the locally configured data (nameserver names and glue addresses) is always used even if different authoritative information is cached.
Zone data is configured via the server-addresses and server-names zone options.
The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone databases by rndc dumpdb -all. The configured RRs are considered local configuration parameters rather than public data. Non recursive queries (i.e., those with the RD bit off) to a static-stub zone are therefore prohibited and will be responded with REFUSED.
Since the data is statically configured, no zone maintenance action takes place for a static-stub zone. For example, there is no periodic refresh attempt, and an incoming notify message will be rejected with an rcode of NOTAUTH.
Each static-stub zone is configured with internally generated NS and (if necessary) glue A or AAAA RRs
d6322 1 a6322 1 Class d6344 1 a6344 1 Zone Options a6588 72
Only meaningful for static-stub zones. This is a list of IP addresses to which queries should be sent in recursive resolution for the zone. A non empty list for this option will internally configure the apex NS RR with associated glue A or AAAA RRs.
For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 in a server-addresses option, the following RRs will be internally configured.
example.com. NS example.com. example.com. A 192.0.2.1 example.com. AAAA 2001:db8::1234
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server will initiate recursive resolution and send queries to 192.0.2.1 and/or 2001:db8::1234.
Only meaningful for static-stub zones. This is a list of domain names of nameservers that act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when named needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin name of static-stub zone. That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the server-names option, but "ns.example.net" cannot, and will be rejected by the configuration parser.
A non empty list for this option will internally configure the apex NS RR with the specified names. For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" in a server-names option, the following RRs will be internally configured.
example.com. NS ns1.example.net. example.com. NS ns2.example.net.
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server initiate recursive resolution, resolve "ns1.example.net" and/or "ns2.example.net" to IP addresses, and then send queries to (one or more of) these addresses.
zonesub, and external.
a7004 44
external
This rule allows named to defer the decision of whether to allow a given update to an external daemon.
The method of communicating with the daemon is
specified in the identity
field, the format of which is
"local:path",
where path is the location
of a UNIX-domain socket. (Currently, "local" is the
only supported mechanism.)
Requests to the external daemon are sent over the UNIX-domain socket as datagrams with the following format:
Protocol version number (4 bytes, network byte order, currently 1) Request length (4 bytes, network byte order) Signer (null-terminated string) Name (null-terminated string) TCP source address (null-terminated string) Rdata type (null-terminated string) Key (null-terminated string) TKEY token length (4 bytes, network byte order) TKEY token (remainder of packet)
The daemon replies with a four-byte value in network byte order, containing either 0 or 1; 0 indicates that the specified update is not permitted, and 1 indicates that it is.
path_name; ]
d2112 1
a2112 1
[ dnssec-validation (yes_or_no | auto); ]
a2228 10
[ dns64 IPv6-prefix {
[ clients { address_match_list }; ]
[ mapped { address_match_list }; ]
[ exclude { address_match_list }; ]
[ suffix IPv6-address; ]
[ recursive-only yes_or_no; ]
[ break-dnssec yes_or_no; ]
}; ];
[ dns64-server name ]
[ dns64-contact name ]
a2247 1
[ resolver-query-timeout number ; ]
a2249 1
[ response-policy { zone_name [ policy given | no-op | nxdomain | nodata | cname domain ] ; } ; ]
a2394 7
The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab.
/etc/krb5.keytab.
The location keytab file can be overridden using the
tkey-gssapi-keytab option. Normally this principal is
of the form "DNS/server.domain".
To use GSS-TSIG, tkey-domain must
also be set if a specific keytab is not set with
tkey-gssapi-keytab.
d2423 1
a2423 2
using GSS-TSIG, this variable must be defined, unless
you specify a specific keytab using tkey-gssapi-keytab.
d2488 1
a2488 2
and dnssec-validation for details.
If not specified, the default is
d2643 4
a2646 4
bind.keys;
named will load that key at
startup if dnssec-lookaside is set to
auto. A copy of the file is
d2660 4
a2663 4
NOTE: named only loads certain specific
keys from bind.keys: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
a2677 64
This directive instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. It is intended to be used in conjunction with a NAT64. Each dns64 defines one DNS64 prefix. Multiple DNS64 prefixes can be defined.
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, 64 and 96 as per RFC 6052.
Additionally a reverse IP6.ARPA zone will be created for the prefix to provide a mapping from the IP6.ARPA names to the corresponding IN-ADDR.ARPA names using synthesized CNAMEs. dns64-server and dns64-contact can be used to specify the name of the server and contact for the zones. These are settable at the view / options level. These are not settable on a per-prefix basis.
Each dns64 supports an optional
clients ACL that determines which
clients are affected by this directive. If not defined,
it defaults to any;.
Each dns64 supports an optional
mapped ACL that selects which
IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
any;.
Each dns64 supports an optional exclude ACL that selects which IPv6 addresses will be ignored for the purposes of determining whether dns64 is to be applied. Any non-matching address will prevent further DNS64 processing from occurring for this client.
A optional suffix can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to ::. The bits
matching the prefix and mapped IPv4 address
must be zero.
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
dns64 64:FF9B::/96 {
clients { any; };
mapped { !rfc1918; any; };
exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
suffix ::;
};
no, DNSSEC validation
is disabled. If set to auto,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
yes, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a trusted-keys or
managed-keys statement. The default
is yes.
d3404 7
d3545 1
a3545 1
Forwarding
d3589 1
a3589 1
Dual-stack Servers
a3787 8
The amount of time the resolver will spend attempting
to resolve a recursive query before failing. The
default is 10 and the maximum is
30. Setting it to 0
will result in the default being used.
BIND 9 includes an intentionally limited mechanism to modify DNS responses for recursive requests similar to email anti-spam DNS blacklists. All response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view.
The rules encoded in a response policy zone (RPZ) are applied only to responses to queries that ask for recursion (RD=1). RPZs are normal DNS zones containing largely valid RRsets that can be queried normal if allowed. It is usually best to restrict those queries with something like allow-query {none; }; or allow-query { 127.0.0.1; };.
There are four kinds of RPZ rewrite rules. QNAME rules are applied to query names in requests and to targets of CNAME records resolved in the process of generating the response. The owner name of a QNAME rule is the query name relativized to the RPZ.
IP rules are triggered by addresses in A and AAAA records. All IP addresses in A or AAAA RRsets are tested and the rule longest prefix is applied. Ties between rules with equal prefixes are broken in favor of the first RPZ mentioned in the response-policy option. The rule matching the smallest IP address is chosen among equal prefix rules from a single RPZ. IP rules are expressed in RRsets with owner names that are subdomains of rpz-ip and encoding an IP address block, reversed as in IN-ARPA. prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255 encodes an IPv4 address. IPv6 addresses are encoded by with prefix.W.W.W.W.W.W.W.W or prefix.WORDS.zz.WORDS. The words in the standard IPv6 text representation are reversed, "::" is replaced with ".zz.", and ":" becomes ".".
NSDNAME rules match names in NS RRsets for the response or a parent. They are encoded as subdomains of rpz-nsdomain relativized to the RPZ origin name.
NSIP rules match IP addresses in A and AAAA RRsets for names of responsible servers or the names that can be matched by NSDNAME rules. The are encoded like IP rules except as subdomains of rpz-nsip.
Authority verification issues and variations in authority data in
the current version of BIND 9 can cause
inconsistent results from NSIP and NSDNAME. So they are available
only when BIND is built with the
--enable-rpz-nsip or
--enable-rpz-nsdname options
on the "configure" command line.
Four policies can be expressed. The NXDOMAIN policy causes a NXDOMAIN response and is expressed with an RRset consisting of a single CNAME whose target is the root domain (.). NODATA generates NODATA or ANCOUNT=1 regardless of query type. It is expressed with a CNAME whose target is the wildcard top-level domain (*.). The NO-OP policy does not change the response and is used to "poke holes" in policies for larger CIDR blocks or in zones named later in the response-policy option. The NO-OP policy is expressed by a CNAME with a target consisting of the variable part of the owner name, such as "example.com." for a QNAME rule or "128.1.0.0.127." for an IP rule. The CNAME policy is used to replace the RRsets of response. A and AAAA RRsets are most common and useful to capture an evil domain in a walled garden, but any valid set of RRsets is possible.
All of the policies in an RPZ can be overridden with a policy clause. given says "do not override." no-op says "do nothing" regardless of the policy in RPZ records. nxdomain causes all RPZ rules to generate NXDOMAIN results. nodata gives nodata. cname domain causes all RPZ rules to act as if the consisted of a "cname domain" record.
For example, you might use this option statement
response-policy { zone "bl"; };
and this zone statement
zone "bl" {type master; file "example/bl"; allow-query {none;}; };
with this zone file
$TTL 1H
@@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
; QNAME rules
nxdomain.domain.com CNAME .
nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
AAAA 2001:2::1
ok.domain.com CNAME ok.domain.com.
; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
32.1.0.0.127.ip CNAME 32.1.0.0.127.
; NSDNAME and NSIP rules
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
address_match_list }; ]
[ server-addresses { [ ip_addr ; ... ] }; ]
[ server-names { [ namelist ] }; ]
[ zone-statistics yes_or_no ; ]
};
zone zone_name [class] {
d6108 1
a6108 1
zone Statement Definition and Usage
d6111 1
a6111 1
Zone Types
a6239 49
static-stub
A static-stub zone is similar to a stub zone with the following exceptions: the zone data is statically configured, rather than transferred from a master server; when recursion is necessary for a query that matches a static-stub zone, the locally configured data (nameserver names and glue addresses) is always used even if different authoritative information is cached.
Zone data is configured via the server-addresses and server-names zone options.
The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone databases by rndc dumpdb -all. The configured RRs are considered local configuration parameters rather than public data. Non recursive queries (i.e., those with the RD bit off) to a static-stub zone are therefore prohibited and will be responded with REFUSED.
Since the data is statically configured, no zone maintenance action takes place for a static-stub zone. For example, there is no periodic refresh attempt, and an incoming notify message will be rejected with an rcode of NOTAUTH.
Each static-stub zone is configured with internally generated NS and (if necessary) glue A or AAAA RRs
d6322 1 a6322 1 Class d6344 1 a6344 1 Zone Options a6588 72
Only meaningful for static-stub zones. This is a list of IP addresses to which queries should be sent in recursive resolution for the zone. A non empty list for this option will internally configure the apex NS RR with associated glue A or AAAA RRs.
For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 in a server-addresses option, the following RRs will be internally configured.
example.com. NS example.com. example.com. A 192.0.2.1 example.com. AAAA 2001:db8::1234
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server will initiate recursive resolution and send queries to 192.0.2.1 and/or 2001:db8::1234.
Only meaningful for static-stub zones. This is a list of domain names of nameservers that act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when named needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin name of static-stub zone. That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the server-names option, but "ns.example.net" cannot, and will be rejected by the configuration parser.
A non empty list for this option will internally configure the apex NS RR with the specified names. For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" in a server-names option, the following RRs will be internally configured.
example.com. NS ns1.example.net. example.com. NS ns2.example.net.
These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server initiate recursive resolution, resolve "ns1.example.net" and/or "ns2.example.net" to IP addresses, and then send queries to (one or more of) these addresses.
zonesub, and external.
a7004 44
external
This rule allows named to defer the decision of whether to allow a given update to an external daemon.
The method of communicating with the daemon is
specified in the identity
field, the format of which is
"local:path",
where path is the location
of a UNIX-domain socket. (Currently, "local" is the
only supported mechanism.)
Requests to the external daemon are sent over the UNIX-domain socket as datagrams with the following format:
Protocol version number (4 bytes, network byte order, currently 1) Request length (4 bytes, network byte order) Signer (null-terminated string) Name (null-terminated string) TCP source address (null-terminated string) Rdata type (null-terminated string) Key (null-terminated string) TKEY token length (4 bytes, network byte order) TKEY token (remainder of packet)
The daemon replies with a four-byte value in network byte order, containing either 0 or 1; 0 indicates that the specified update is not permitted, and 1 indicates that it is.
maintain | no-resign ); ]
a2145 1
[ dnssec-loadkeys-interval number; ]
d2191 2
a2192 3
[ also-notify { ip_addr
[port ip_port] [key keyname] ;
[ ip_addr [port ip_port] [key keyname] ; ... ] }; ]
d2740 6
a2745 9
Normally, DNS64 won't apply to a domain name that
owns one or more AAAA records; these records will
simply be returned. The optional
exclude ACL allows specification
of a list of IPv6 addresses that will be ignored
if they appear in a domain name's AAAA records, and
DNS64 will be applied to any A records the domain
name owns. If not defined, exclude
defaults to none.
a2754 15
If recursive-only is set to yes the DNS64 synthesis will only happen for recursive queries. The default is no.
If break-dnssec is set to yes the DNS64 synthesis will happen even if the result, if validated, would cause a DNSSEC validation failure. If this option is set to no (the default), the DO is set on the incoming query, and there are RRSIGs on the applicable records, then synthesis will not happen.
a2765 31
If this option is set to its default value of
maintain in a zone of type
master which is DNSSEC-signed
and configured to allow dynamic updates (see
the section called “Dynamic Update Policies”), and
if named has access to the
private signing key(s) for the zone, then
named will automatically sign all new
or changed records and maintain signatures for the zone
by regenerating RRSIG records whenever they approach
their expiration date.
If the option is changed to no-resign,
then named will sign all new or
changed records, but scheduled maintenance of
signatures is disabled.
With either of these settings, named
will reject updates to a DNSSEC-signed zone when the
signing keys are inactive or unavailable to
named. (A planned third option,
external, will disable all automatic
signing and allow DNSSEC data to be submitted into a zone
via dyanmic update; this is not yet implemented.)
When a zone is configured with auto-dnssec
maintain; its key repository must be checked
periodically to see if any new keys have been added
or any existing keys' timing metadata has been updated
(see dnssec-keygen(8) and
dnssec-settime(8)). The
dnssec-loadkeys-interval option
sets the frequency of autoatic repository checks, in
minutes. The default is 60 (1 hour),
the minimum is 1 (1 minute), and the
maximum is 1440 (24 hours); any higher
value is silently reduced.
a4121 7 An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views. In place of explicit addresses, one or more named masters lists can be used.
d4133 1 a4133 2
Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20.
In addition to controlling the rate SOA refresh queries are issued at serial-query-rate also controls the rate at which NOTIFY messages are sent from both master and slave zones.
d5108 1 a5108 6
The overall rate that NOTIFY messages are sent for all zones is controlled by serial-query-rate.
allow|maintain|off; ]
a6223 1
[ serial-update-method increment|unixtime; ]
a6233 1
[ dnssec-update-mode ( maintain | no-resign ); ]
a6234 1
[ dnssec-loadkeys-interval number; ]
d6237 2
a6238 3
[ also-notify [port ip_port] { ( masters_list | ip_addr
[port ip_port]
[key key] ) ; [...] }; ]
a6335 7
zone "." [class] {
type redirect;
file string ;
[ masterfile-format (text|raw) ; ]
[ allow-query { address_match_list }; ]
};
d6344 1
a6344 1
zone Statement Definition and Usage
d6347 1
a6347 1
Zone Types
a6578 20
redirect
Provides a source of answers when the normal resolution returns NXDOMAIN. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers.
If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur.
d6607 1
a6607 1
Class
d6629 1
a6629 1
Zone Options
a6681 3
A TSIG key may also be specified to cause the
NOTIFY to be signed by the
given key.
a6725 7
See the description of dnssec-update-mode in the section called “options Statement Definition and Usage”.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to
serial-update-method unixtime;, the
SOA serial number will be set to the number of seconds
since the UNIX epoch, unless the serial number is
already greater than or equal to that value, in which
case it is simply incremented by one.
a7183 7
For nametypes krb5-self,
ms-self, krb5-subdomain,
and ms-subdomain the
identity field specifies
the Windows or Kerberos realm of the machine belongs to.
a7323 68
ms-self
This rule takes a Windows machine principal (machine$@@REALM) for machine in REALM and and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the <replacable>identity</replacable> field.
ms-subdomain
This rule takes a Windows machine principal (machine$@@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the <replacable>identity</replacable> field.
krb5-self
This rule takes a Kerberos machine principal (host/machine@@REALM) for machine in REALM and and converts it machine.realm allowing the machine to update machine.realm. The REALM to be matched is specified in the <replacable>identity</replacable> field.
krb5-subdomain
This rule takes a Kerberos machine principal (host/machine@@REALM) for machine in REALM and converts it to machine.realm allowing the machine to update subdomains of machine.realm. The REALM to be matched is specified in the <replacable>identity</replacable> field.
d7426 1 a7426 1 Zone File d7439 1 a7439 1 Resource Records d8176 1 a8176 1 Textual expression of RRs d8379 1 a8379 1 Discussion of MX Records d8635 1 a8635 1 Inverse Mapping in IPv4 d8696 1 a8696 1 Other Zone File Directives d8711 1 a8711 1 The @@ (at-sign) d8722 1 a8722 1 The $ORIGIN Directive d8751 1 a8751 1 The $INCLUDE Directive d8787 1 a8787 1 The $TTL Directive d8806 1 a8806 1 BIND Master File Extension: the $GENERATE Directive d9230 1 a9230 1 Name Server Statistics Counters d9787 1 a9787 1 Zone Maintenance Statistics Counters d9941 1 a9941 1 Resolver Statistics Counters d10324 1 a10324 1 Socket I/O Statistics Counters d10479 1 a10479 1 Compatibility with BIND 8 Counters @ 1.1.1.9.2.1 log @sync with head @ text @d2 1 a2 1 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d51 1 a51 1
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
d1657 1
a1657 7
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE
(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.) a1752 13
RPZ
Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
path_name; ]
[ session-keyfile path_name; ]
[ session-keyname key_name; ]
[ session-keyalg algorithm_id; ]
d2117 1
a2117 2
[ dnssec-lookaside ( auto |
no |
d2268 1
a2268 1
[ response-policy { zone_name [ policy given | disabled | passthru | nxdomain | nodata | cname domain ] ; } ; ]
d2526 1
a2526 2
If not specified, the default is
named.secroots.
d2552 8
a2671 5
If dnssec-lookaside is set to
no, then dnssec-lookaside
is not used.
d3435 7
a3441 8
When yes and the server loads a new
version of a master zone from its zone file or receives a
new version of a slave file via zone transfer, it will
compare the new version to the previous one and calculate
a set of differences. The differences are then logged in
the zone's journal file such that the changes can be
transmitted to downstream slaves as an incremental zone
transfer.
d3704 1
a3704 1
Forwarding
d3748 1
a3748 1
Dual-stack Servers
d3959 1
a3959 1
Interfaces
d4427 1
a4427 1
UDP Port Lists
d4469 1
a4469 1
Operating System Resource Limits
d4631 1
a4631 1
Periodic Task Intervals
d4933 2
a4934 4
appear, they are not combined — the last one applies.
By default, all records are returned in random order.
d5052 1
a5052 1
65534.
a5057 9
These records can be removed from the zone once named has completed signing the zone with the matching key using nsupdate or rndc signing -clear. rndc signing -clear is the only supported way to remove these records from inline-signing zones.
d5133 1 a5133 2Specifies
d5137 3
a5139 8
standard textual representation, except for slave zones,
in which the default value is raw.
Files in other formats than text are
typically expected to be generated by the
named-compilezone tool, or dumped by
named.
d5156 1 a5156 2
rpz-ip relativized to the
RPZ origin name and encode an IP address or address block.
IPv4 addresses are encoded as
prefixlength.B4.B3.B2.B1.rpz-ip.
The prefix length must be between 1 and 32.
All four bytes, B4, B3, B2, and B1, must be present.
B4 is the decimal value of the least significant byte of the
IPv4 address as in IN-ADDR.ARPA.
IPv6 addresses are encoded in a format similar to the standard
IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip.
Each of W8,...,W1 is a one to four digit hexadecimal number
representing 16 bits of the IPv6 address as in the standard text
representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
All 8 words must be present except when consecutive
zero words are replaced with .zz.
analogous to double colons (::) in standard IPv6 text encodings.
The prefix length must be between 1 and 128.
NSDNAME policy records match names of authoritative servers
for the query name, a parent of the query name, a CNAME,
or a parent of a CNAME.
They are encoded as subdomains of
rpz-nsdomain relativized
to the RPZ origin name.
d5639 3
a5641 32
NSIP policy records match IP addresses in A and AAAA RRsets
for domains that can be checked against NSDNAME policy records.
The are encoded like IP policies except as subdomains of
rpz-nsip.
The query response is checked against all RPZs, so two or more policy records can apply to a single response. Because DNS responses can be rewritten according by at most a single policy record, a single policy (other than DISABLED policies) must be chosen. Policies are chosen in the following order:
d5644 4 a5647 5 When the processing of a response is restarted to resolve DNAME or CNAME records and an applicable policy record set has not been found, all RPZs are again consulted for the DNAME or CNAME names and addresses. d5650 3 a5652 4 Authority verification issues and variations in authority data can cause inconsistent results for NSIP and NSDNAME policy records. Glue NS records often differ from authoritative NS records. So they are available d5659 31 a5689 74 RPZ record sets are special CNAME records or one or more of any types of DNS record except DNAME or DNSSEC. Except when a policy record is a CNAME, there can be more more than one record and more than one type in a set of policy records. Except for three kinds of CNAME records that are illegal except in policy zones, the records in a set are used in the response as if their owner name were the query name. They are copied to the response as dictated by their types.
The policies specified in individual records in an RPZ can be overridden with a policy clause in the response-policy option. An organization using an RPZ provided by another organization might use this mechanism to redirect domains to its own walled garden.
d5694 1 a5694 1
response-policy { zone "badlist"; };
d5698 1
a5698 1
zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };
d5703 1
a5703 16
@@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
AAAA 2001:2::1
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME ok.domain.com.
bzone.domain.com CNAME garden.example.com.
; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
*.bzone.domain.com CNAME *.garden.example.com.
d5705 7
d5713 3
a5715 3
; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1
d5717 1
a5717 1
; NSDNAME and NSIP policy records
d5806 2
a5807 3
the view or global options block is used as a default. It may
also be set in the zone block and, if set there, it will
override the global or view setting for that zone.
d5931 1
a5931 1
statistics-channels Statement Definition and
d5991 1
a5991 1
trusted-keys Statement Definition
d6031 1
a6031 1
managed-keys Statement Grammar
d6166 1
a6166 1
view Statement Definition and Usage
a6310 1
[ request-ixfr yes_or_no ; ]
a6332 1
[ inline-signing <replacable>yes_or_no</replacable>; ]
d6465 1
a6465 1
zone Statement Definition and Usage
d6468 1
a6468 1
Zone Types
d6748 1
a6748 1
Class
d6770 1
a6770 1
Zone Options
a7235 9
If yes, this enables
"bump in the wire" signing of a zone, where a
unsigned zone is transfered in or loaded from
disk and a signed version of the zone is served,
with possibly, a different serial number. This
behaviour is disabled by default.
number; ]
d2292 1
a2292 5
[ response-policy { zone_name
[ policy given | disabled | passthru | nxdomain | nodata | cname domain ]
[ recursive-only yes_or_no ] [ max-policy-ttl number ] ;
} [ recursive-only yes_or_no ] [ max-policy-ttl number ]
[ break-dnssec yes_or_no ] ; ]
d3727 1
a3727 1
Forwarding
d3771 1
a3771 1
Dual-stack Servers
d3973 2
a3974 2
to resolve a recursive query before failing. The default
and minimum is 10 and the maximum is
d3982 1
a3982 1
Interfaces
d4450 1
a4450 1
UDP Port Lists
d4492 1
a4492 1
Operating System Resource Limits
d4654 1
a4654 1
Periodic Task Intervals
a5241 7
The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
rpz-ip relativized
to the RPZ origin name and encode an IP address or address block.
IPv4 trigger addresses are represented as
d5688 3
a5690 3
NSDNAME triggers match names of authoritative servers
for the query name, a parent of the query name, a CNAME for
query name, or a parent of a CNAME.
d5696 3
a5698 4
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
d5703 5
a5707 6
two or more policy records can be triggered by a response.
Because DNS responses can be rewritten according to at most one
policy record, a single record encoding an action (other than
DISABLED actions) must be chosen.
Triggers or the records that encode them are chosen in
the following order:
d5710 2
a5711 2
Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
d5844 1
a5844 1
ok.domain.com CNAME rpz-passthru.
d5854 1
a5854 1
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
d6071 1
a6071 1
statistics-channels Statement Definition and
d6131 1
a6131 1
trusted-keys Statement Definition
d6171 1
a6171 1
managed-keys Statement Grammar
d6306 1
a6306 1
view Statement Definition and Usage
d6474 1
a6474 1
[ inline-signing yes_or_no; ]
d6607 1
a6607 1
zone Statement Definition and Usage
d6610 1
a6610 1
Zone Types
d6890 1
a6890 1
Class
d6912 1
a6912 1
Zone Options
d7662 1
a7662 1
is specified in the identity
d7680 1
a7680 1
identity field.
d7696 1
a7696 1
is specified in the identity
d7714 1
a7714 1
identity field.
d7823 1
a7823 1
Zone File
d7836 1
a7836 1
Resource Records
d8573 1
a8573 1
Textual expression of RRs
d8776 1
a8776 1
Discussion of MX Records
d9032 1
a9032 1
Inverse Mapping in IPv4
d9093 1
a9093 1
Other Zone File Directives
d9108 1
a9108 1
The @@ (at-sign)
d9119 1
a9119 1
The $ORIGIN Directive
d9148 1
a9148 1
The $INCLUDE Directive
d9184 1
a9184 1
The $TTL Directive
d9203 1
a9203 1
BIND Master File Extension: the $GENERATE Directive
d9627 1
a9627 1
Name Server Statistics Counters
d10184 1
a10184 1
Zone Maintenance Statistics Counters
d10338 1
a10338 1
Resolver Statistics Counters
d10721 1
a10721 1
Socket I/O Statistics Counters
d10876 1
a10876 1
Compatibility with BIND 8 Counters
@
1.1.1.9.2.3
log
@sync with head.
for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.
this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
@
text
@d2 1
a2 1
- Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
d51 1
a51 1
ip_dscp
A number between 0 and 63, used
to select a differentiated services code point (DSCP)
value for use with outgoing traffic on operating systems
that support DSCP.
d412 2
a413 16
A 64-bit unsigned integer, or the keywords
unlimited or
default.
Integers may take values
0 <= value <= 18446744073709551615, though
certain parameters
(such as max-journal-size) may
use a more limited range within these extremes.
In most cases, setting a value to 0 does not
literally mean zero; it means "undefined" or
"as big as possible", depending on the context.
See the expalantions of particular parameters
that use size_spec
for details on how they interpret its use.
d416 7
a422 2
Numeric values can optionally be followed by a
scaling factor:
d427 3
a429 8
G or g
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
unlimited generally means
"as big as possible", and is usually the best
way to safely set a very large number.
d432 5
a436 2
default
uses the limit that was in force when the server was started.
d480 1
a480 1
Syntax
d489 1
a489 1
Definition and Usage
d573 1
a573 1
Comment Syntax
d583 1
a583 1
Syntax
d599 1
a599 1
Definition and Usage
d853 1
a853 1
acl Statement Grammar
a931 54
When BIND 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
This is done by specifying an ACL element of the form:
geoip [db database] field value
The field indicates which field
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "org", "asnum", "domain" and "netspeed".
value is the value to searched for
within the database. A string may be quoted if it contains
spaces or other special characters. If this is a "country"
search and the string is two characters long, then it must be a
standard ISO-3166-1 two-letter country code, and if it is three
characters long then it must be an ISO-3166-1 three-letter
country code; otherwise it is the full name of the country.
Similarly, if this is a "region" search and the string is
two characters long, then it must be a standard two-letter state
or province abbreviation; otherwise it is the full name of the
state or province.
The database field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
a single database. However, searches for country can be
answered from the "city", "region", or "country" databases,
and searches for region (i.e., state or province) can be
answered from the "city" or "region" databases. For these
search types, specifying a database
will force the query to be answered from that database and no
other. If database is not
specified, then these queries will be answered from the "city",
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
Some example GeoIP ACLs:
geoip country US; geoip country JAP; geoip db country country Canada; geoip db region region WA; geoip city "San Francisco"; geoip region Oklahoma; geoip postal 95062; geoip tz "America/Los_Angeles"; geoip org "Internet Systems Consortium";d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1140 1 a1140 1 [ size
size_spec ]
d1159 1
a1159 1
logging Statement Definition and
d1193 1
a1193 1
The channel Phrase
a1293 3
On Windows machines syslog messages are directed to the EventViewer.
d1720 2 a1721 2 delegation-only in a forward, hint or stub zone declaration. a1771 26
rate-limit
The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
ip_addr [port ip_port] [dscp ip_dscp] ;
[ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
d2021 1
a2021 1
lwres Statement Definition and Usage
d2072 1
a2072 1
masters Statement Grammar
d2074 1
a2074 1
masters name [port ip_port] [dscp ip_dscp] { ( masters_list |
d2080 1
a2080 1
masters Statement Definition and
d2090 1
a2090 1
options Statement Grammar
d2120 1
a2120 1
[ zone-statistics full | terse | none; ]
a2133 2
[ request-sit yes_or_no; ]
[ request-nsid yes_or_no; ]
d2146 4
a2149 4
[ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
[ dual-stack-servers [port ip_port] [dscp ip_dscp] {
( domain_name [port ip_port] [dscp ip_dscp] |
ip_addr [port ip_port] [dscp ip_dscp]) ;
a2159 1
[ check-spf ( warn | fail | ignore ); ]
a2178 1
[ no-case-compress { address_match_list }; ]
d2183 2
a2184 3
[ listen-on [ port ip_port ] [dscp ip_dscp] { address_match_list }; ]
[ listen-on-v6 [ port ip_port] [dscp ip_dscp]
{ address_match_list }; ]
d2186 1
a2186 2
[ port ( ip_port | * ) ]
[ dscp ip_dscp] |
d2188 1
a2188 2
[ port ( ip_port | * ) ] )
[ dscp ip_dscp] ; ]
d2190 1
a2190 2
[ port ( ip_port | * ) ]
[ dscp ip_dscp] |
d2192 1
a2192 2
[ port ( ip_port | * ) ] )
[ dscp ip_dscp] ; ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ alt-transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ alt-transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d2217 2
a2218 2
[ notify-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ notify-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d2221 2
a2222 2
[port ip_port] [dscp ip_dscp] [key keyname] ;
[ ip_addr [port ip_port] [dscp ip_dscp] [key keyname] ; ... ] }; number ; ]
a2252 1
[ dscp ip_dscp] ;
a2258 1
[ filter-aaaa-on-v6 ( yes_or_no | break-dnssec ); ]
d2260 1
a2260 1
[ dns64 ipv6-prefix {
a2277 2
[ disable-ds-digests domain { digest_type;
[ digest_type; ] }; ]
d2283 1
a2283 2
[ masterfile-format
(text|raw|map) ; ]
a2292 18
[ rate-limit {
[ domain domain ; ]
[ responses-per-second [size number] [ratio fixedpoint] number ; ]
[ referrals-per-second number ; ]
[ nodata-per-second number ; ]
[ nxdomains-per-second number ; ]
[ errors-per-second number ; ]
[ all-per-second number ; ]
[ window number ; ]
[ log-only yes_or_no ; ]
[ qps-scale number ; ]
[ ipv4-prefix-length number ; ]
[ ipv6-prefix-length number ; ]
[ slip number ; ]
[ exempt-clients { address_match_list } ; ]
[ max-table-size number ; ]
[ min-table-size number ; ]
} ; ]
d2294 1
a2294 1
[ policy given | disabled | passthru | drop | nxdomain | nodata | cname domain ]
d2297 1
a2297 2
[ break-dnssec yes_or_no ] [ min-ns-dots number ]
[ qname-wait-recurse yes_or_no ] ; ]
d2427 7
a2433 16
Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views,
then managed keys for the server will be tracked in a single
file called managed-keys.bind.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
.mkeys.
d2671 2 a2672 25 Only the best match disable-algorithms clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered by the disable-algorithms will be treated as insecure.
Disable the specified DS/DLV digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. Only the best match disable-ds-digests clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered by the disable-ds-digests will be treated as insecure.
Specifies a maximum permissible TTL value.
When loading a zone file using a
masterfile-format of
text or raw,
any record encountered with a TTL higher than
max-zone-ttl will cause the zone to
be rejected.
This is useful in DNSSEC-signed zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from
caches. Themax-zone-ttl option guarantees
that the largest TTL in the zone will be no higher
the set value.
(NOTE: Because map-format files
load directly into memory, this option cannot be
used with them.)
If full, the server will collect
statistical data on all zones (unless specifically
turned off on a per-zone basis by specifying
zone-statistics terse or
zone-statistics none
in the zone statement).
The default is terse, providing
minimal statistics on zones (including name and
current serial number, but not query type
counters).
These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions
of BIND 9, the zone-statistics
option can also accept yes
or no; yes
has the same meaning as full.
As of BIND 9.10,
no has the same meaning
as none; previously, it
was the same as terse.
If yes and supported by the OS,
automatically rescan network interfaces when the interface
addresses are added or removed. The default is
yes.
Currently the OS needs to support routing sockets for automatic-interface-scan to be supported.
If yes, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the resolver category at level
info.
The default is no.
Identical to filter-aaaa-on-v4,
except it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to yes.
d3606 1 a3606 9
Check that the two forms of Sender Policy Framework records (TXT records starting with "v=spf1" and SPF) either both exist or both don't exist. Warnings are emitted it they don't and be suppressed with check-spf.
When performing integrity checks, check that the two forms of Sender Policy Framwork records (TXT records starting with "v=spf1" and SPF) both exist or both don't exist and issue a warning if not met. The default is warn.
a3974 51
Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisions.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circusmstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
unlimited, which also
means 2 gigabytes.
d4627 5
a4631 6
reaches this limit, the server will cause records to
expire prematurely based on an LRU based strategy so
that the limit is not exceeded.
The keyword unlimited,
or the value 0, will place no limit on cache size;
records will be purged from the cache only when their
d4633 7
a4639 2
Any positive values less than 2MB will be ignored
and reset to 2MB.
d4642 1
a4642 1
The default is unlimited.
d4646 1
a4646 1
The listen queue depth. The default and minimum is 10.
d4651 3
a4653 4
some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
be used; on most platforms this sets the listen queue
length to a system-defined default value.
d4659 1
a4659 1
Periodic Task Intervals
d5133 2
a5134 3
Sets the initial advertised EDNS UDP buffer size in
bytes, to control the size of packets received from
authoritative servers in response to recursive queries.
d5136 6
a5141 2
will be silently adjusted to the nearest value within
it). The default value is 4096.
d5144 5
a5148 37
The usual reason for setting
edns-udp-size to a non-default value
is to get UDP answers to pass through broken firewalls
that block fragmented packets and/or block UDP DNS
packets that are greater than 512 bytes.
When named first queries a remote server, it will advertise a UDP buffer size of 512, as this has the greatest chance of success on the first try.
If the initial response times out, named will try again with plain DNS, and if that is successful, it will be taken as evidence that the server does not support EDNS. After enough failures using EDNS and successes using plain DNS, named will default to plain DNS for future communications with that server. (Periodically, named will send an EDNS query to see if the situation has improved.)
However, if the initial query is successful with EDNS advertising a buffer size of 512, then named will advertise progressively larger buffer sizes on successive queries, until responses begin timing out or edns-udp-size is reached.
The default buffer sizes used by named are 512, 1232, 1432, and 4096, but never exceeding edns-udp-size. (The values 1232 and 1432 are chosen to allow for an IPv4/IPv6 encapsulated UDP message to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.) d5157 2 a5158 10 range will be silently adjusted to the nearest value within it). The default value is 4096.
This value applies to responses sent by a server; to set the advertised buffer size in queries, see edns-udp-size.
The usual reason for setting
d5194 1
a5194 6
file. Also, map format files are
loaded directly into memory via memory mapping, with only
minimal checking.
This statement sets the a5253 32
When a query is received for cached data which is to expire shortly, named can refresh the data from the authoritative server immediately, ensuring that the cache always has an answer available.
The prefetch specifies the the
"trigger" TTL value at which prefetch of the current
query will take place: when a cache record with a
lower TTL value is encountered during query processing,
it will be refreshed. Valid trigger TTL values are 1 to
10 seconds. Setting a trigger TTL to zero disables
prefetch.
An optional second argument can be used to set the smallest original TTL value that will be accepted for a record to be eligible for prefetching. The difference between the trigger TTL and the eligibility TTL must be at least 6 seconds.
The default trigger and eligibility TTLs are
2 and 9,
respectively.
no, and
rate-limit is set to allow
three responses per second.
If you need to disable these zones, use the options d5328 1 a5328 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5359 64
Five policy triggers can be encoded in RPZ records.
IP records are triggered by the IP address of the
DNS client.
Client IP address triggers are encoded in records that have
owner names that are subdomains of
rpz-client-ip relativized to the
policy zone origin name
and encode an address or address block.
IPv4 addresses are represented as
prefixlength.B4.B3.B2.B1.rpz-ip.
The IPv4 prefix length must be between 1 and 32.
All four bytes, B4, B3, B2, and B1, must be present.
B4 is the decimal value of the least significant byte of the
IPv4 address as in IN-ADDR.ARPA.
IPv6 addresses are encoded in a format similar
to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip.
Each of W8,...,W1 is a one to four digit hexadecimal number
representing 16 bits of the IPv6 address as in the standard
text representation of IPv6 addresses,
but reversed as in IN-ADDR.ARPA.
All 8 words must be present except when one set of consecutive
zero words is replaced with .zz.
analogous to double colons (::) in standard IPv6 text
encodings.
The IPv6 prefix length must be between 64 and 128.
QNAME policy records are triggered by query names of requests and targets of CNAME records resolved to generate the response. The owner name of a QNAME policy record is the query name relativized to the policy zone.
IP triggers are IP addresses in an A or AAAA record in the ANSWER section of a response. They are encoded like client-IP triggers except as subdomains of rpz-ip.
NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdname relativized to the RPZ origin name. NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records.
NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains.
The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses are rewritten according to at most one d5717 2 a5718 2 Triggers or the records that encode them are chosen for the rewriting in the following order: d5722 1 a5722 1 first in the response-policy option. d5724 2 a5725 2
The whitelist policy is specified by a CNAME whose target is rpz-passthru. It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks.
The blacklist policy is specified by a CNAME whose target is rpz-drop. It causes the response to be discarded. Nothing is sent to the DNS client.
The "slip" policy is specified by a CNAME whose target is rpz-tcp-only. It changes UDP responses to short, truncated DNS responses that require the DNS client to try again with TCP. It is used to mitigate distributed DNS reflection attacks.
The domain undefined response is encoded by a CNAME whose target is the root domain (.)
The empty set of resource records is specified by CNAME whose target is the wildcard top-level domain (*.). It rewrites the response to NODATA or ANCOUNT=1.
A set of ordinary DNS records can be used to answer queries. Queries for record types not the set are answered with NODATA.
A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) has been replaced with the query name. The purpose for this special form is query logging in the walled garden's authority DNS server.
The placeholder policy says "do not override but perform the action specified in the zone."
The testing override policy causes policy zone records to do nothing but log what they would have done if the policy zone were not disabled. The response to the DNS query will be written (or not) according to any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first.
override with the corresponding per-record policy.
causes all RPZ policy records to act as if they were "cname domain" records.
No DNS records are needed for a QNAME or Client-IP trigger. The name or IP address itself is sufficient, so in principle the query name need not be recursively resolved. However, not resolving the requested name can leak the fact that response policy rewriting is in use and that the name is listed in a policy zone to operators of servers for listed names. To prevent that information leak, by default any recursion needed for a request is done before any policy triggers are considered. Because listed domains often have slow authoritative servers, this default behavior can cost significant time. The qname-wait-recurse no option overrides that default behavior when recursion cannot change a non-error response. The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution. It also does not affect DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. Using this option can cause error responses such as SERVFAIL to appear to be rewritten, since no recursion is being done to discover problems at the authoritative server. a5878 1 *.nxdomain.domain.com CNAME . ; NXDOMAIN policy a5879 1 *.nodata.domain.com CNAME *. ; NODATA policy a5881 1 bzone.domain.com CNAME garden.example.com. d5886 2 d5892 1 a5892 2 ; IP policy records that rewrite all responses containing A records in 127/8 ; except 127.0.0.1 a5898 177 ; blacklist and whitelist some DNS clients 112.zz.2001.rpz-client-ip CNAME rpz-drop. 8.0.0.0.127.rpz-client-ip CNAME rpz-drop. ; force some DNS clients and responses in the example.com zone to TCP 16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. example.com CNAME rpz-tcp-only. *.example.com CNAME rpz-tcp-only.
RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified by the base responses-per-second option (that is, responses-per-second with only a single argument and no additional modifiers). The default is 0, which indicates that there should be no limit. All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default base responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomain-per-second (default base responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default base responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the default base responses-per-second value, but it can be set separately with errors-per-second.
In addition to the base responses-per-second value, up to four (4) additional responses-per-second options can be configured, with additional parameters to indicate that they apply to responses larger than a given size, or with an amplification factor larger than a given value. The size parameter sets the minimum DNS response size that will trigger the use of this responses-per-second option. The ratio parameter sets the minimum DNS response-size / request-size ratio that falls into the band, to two decimal places. These selective rate limits are applied after any other rate limits have been applied, and they only apply to positive answers. For example:
rate-limit {
responses-per-second 10;
responses-per-second size 1100 5;
};
...indicates that responses should be limited to ten per second for responses up to 1099 bytes in size, but only five per second for responses larger than that. This configuration:
rate-limit {
responses-per-second 10;
responses-per-second ratio 7.25 5;
responses-per-second ratio 15.00 2;
};
...indicates that responses should be limited to ten per second if the amplification factor is below 7.25, five per second if above 7.25 but below 15, and two per second if above 15.
Both sizes and ratios can be used together. For example:
rate-limit {
responses-per-second 10;
responses-per-second size 1000 ratio 5.00 5;
responses-per-second ratio 10.00 2;
};
a5899 161
This configuration will rate-limit to five per second if
the ratio is over 5 or the size is over
1000, and to two per second if the ratio is over 10. In the
event that two bands might be chosen (i.e., because the size
is over 1000 and the ratio is over 10),
the one that appears last in the configuration file is the
one chosen. To eliminate any ambiguity, it is recommended
that under normal circumstnaces, rate limiting bands should
be configured using either size or
ratio parameters, but not both.
Many attacks using DNS involve UDP requests with forged source
addresses.
Rate limiting prevents the use of BIND 9 to flood a network
with responses to requests with forged source addresses,
but could let a third party block responses to legitimate requests.
There is a mechanism that can answer some legitimate
requests from a client whose address is being forged in a flood.
Setting slip to 2 (its default) causes every
other UDP request to be answered with a small truncated (TC=1)
response.
The small size and reduced frequency, and so lack of
amplification, of "slipped" responses make them unattractive
for reflection DoS attacks.
slip must be between 0 and 10.
A value of 0 does not "slip":
no truncated responses are sent due to rate limiting,
all responses are dropped.
A value of 1 causes every response to slip;
values between 2 and 10 cause every n'th response to slip.
Some error responses including REFUSED and SERVFAIL
cannot be replaced with truncated responses and are instead
leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may
reduce the difficulty of a third party successfully forging
a response to a recursive resolver. The best security
against forged responses is for authoritative operators
to sign their zones using DNSSEC and for resolver operators
to validate the responses. When this is not an option,
operators who are more concerned with response integrity
than with flood mitigation may consider setting
slip to 1, causing all rate-limited
responses to be truncated rather than dropped. This reduces
the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds
the qps-scale value,
then the responses-per-second,
errors-per-second,
nxdomains-per-second and
all-per-second values are reduced by the
ratio of the current rate to the qps-scale value.
This feature can tighten defenses during attacks.
For example, with
qps-scale 250; responses-per-second 20; and
a total query rate of 1000 queries/second for all queries from
all DNS clients including via TCP,
then the effective responses/second limit changes to
(250/1000)*20 or 5.
Responses sent via TCP are not limited
but are counted to compute the query per second rate.
The optional domain clause specifies
the namespace to which rate limits will apply. It
is possible to use different rate limits for different names
by specifying multiple rate-limit blocks
with different domain clauses.
The rate-limit statement's
domain most closely matches the query
name will be the one applied to a given query.
Rate limiters for different name spaces maintain
separate counters: If, for example, there is a
rate-limit statement for "com" and
another for "example.com", queries matching "example.com"
will not be debited against the rate limiter for "com".
If a rate-limit statement does not specify a
domain, then it applies to the root domain
(".") and thus affects the entire DNS namespace, except those
portions covered by other rate-limit
statements.
Communities of DNS clients can be given their own parameters or no
rate limiting by putting
rate-limit statements in view
statements instead of the global option
statement.
A rate-limit statement in a view replaces,
rather than supplementing, a rate-limit
statement among the main options.
DNS clients within a view can be exempted from rate limits
with the exempt-clients clause.
UDP responses of all kinds can be limited with the
all-per-second phrase. This rate
limiting is unlike the rate limiting provided by
responses-per-second,
errors-per-second, and
nxdomains-per-second on a DNS server
which are often invisible to the victim of a DNS
reflection attack. Unless the forged requests of the
attack are the same as the legitimate requests of the
victim, the victim's requests are not affected. Responses
affected by an all-per-second limit
are always dropped; the slip value
has no effect. An all-per-second
limit should be at least 4 times as large as the other
limits, because single DNS clients often send bursts
of legitimate requests. For example, the receipt of a
single mail message can prompt requests from an SMTP
server for NS, PTR, A, and AAAA records as the incoming
SMTP/TCP/IP connection is considered. The SMTP server
can need additional NS, A, AAAA, MX, TXT, and SPF records
as it considers the STMP Mail From
command. Web browsers often repeatedly resolve the
same names that are repeated in HTML <IMG> tags
in a page. All-per-second is similar
to the rate limiting offered by firewalls but often
inferior. Attacks that justify ignoring the contents
of DNS responses are likely to be attacks on the DNS
server itself. They usually should be discarded before
the DNS server spends resources make TCP connections
or parsing DNS requests, but that rate limiting must
be done before the DNS server sees the requests.
The maximum size of the table used to track requests and
rate limit responses is set with max-table-size.
Each entry in the table is between 40 and 80 bytes.
The table needs approximately as many entries as the number
of requests received per second.
The default is 20,000.
To reduce the cold start of growing the table,
min-table-size (default 500)
can set the minimum table size.
Enable rate-limit category logging to monitor
expansions of the table and inform
choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters
without actually dropping any requests.
Responses dropped by rate limits are included in the
RateDropped and QryDropped
statistics.
Responses that truncated by rate limits are included in
RateSlipped and RespTruncated.
a5910 1
[ nosit-udp-size number ; ]
d5915 4
a5918 4
[ transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ notify-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ notify-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d5920 1
a5920 1
[ port ( ip_port | * ) ] [dscp ip_dscp] ; ]
d5922 1
a5922 1
[ port ( ip_port | * ) ] [dscp ip_dscp] ; ]
d6012 1
a6012 2
silently adjusted to the nearest value within it). This option is
useful when you wish to
a6025 7
The nosit-udp-size option sets the
maximum size of UDP responses that will be sent to
queries without a valid source identity token. The command
max-udp-size option may further limit
the response size.
d6111 1
a6111 1
statistics-channels Statement Definition and
d6123 2
a6124 3
It requires that BIND 9 be compiled with libxml2 and/or
json-c (also known as libjson0); the
statistics-channels statement is
d6132 1
a6132 2
address. An ip_addr of *
(asterisk) is
a6158 54
The statistics are available in various formats and views
depending on the URI used to access them. For example, if
the statistics channel is configured to listen on 127.0.0.1
port 8888, then the statistics are accessible in XML format at
http://127.0.0.1:8888/ or
http://127.0.0.1:8888/xml. A CSS file is
included which can format the XML statistics into tables
when viewed with a stylesheet-capable browser, and into
charts and graphs using the Google Charts API when using a
javascript-capable browser.
Applications that depend on a particular XML schema
can request
http://127.0.0.1:8888/xml/v2 for version 2
of the statistics XML schema or
http://127.0.0.1:8888/xml/v3 for version 3.
If the requested schema is supported by the server, then
it will respond; if not, it will return a "page not found"
error.
Broken-out subsets of the statistics can be viewed at
http://127.0.0.1:8888/xml/v3/status
(server uptime and last reconfiguration time),
http://127.0.0.1:8888/xml/v3/server
(server and resolver statistics),
http://127.0.0.1:8888/xml/v3/zones
(zone statistics),
http://127.0.0.1:8888/xml/v3/net
(network status and socket statistics),
http://127.0.0.1:8888/xml/v3/mem
(memory manager statistics),
http://127.0.0.1:8888/xml/v3/tasks
(task manager statistics).
The full set of statistics can also be read in JSON format at
http://127.0.0.1:8888/json,
with the broken-out subsets at
http://127.0.0.1:8888/json/v1/status
(server uptime and last reconfiguration time),
http://127.0.0.1:8888/json/v1/server
(server and resolver statistics),
http://127.0.0.1:8888/json/v1/zones
(zone statistics),
http://127.0.0.1:8888/json/v1/net
(network status and socket statistics),
http://127.0.0.1:8888/json/v1/mem
(memory manager statistics),
http://127.0.0.1:8888/json/v1/tasks
(task manager statistics).
d6171 1
a6171 1
trusted-keys Statement Definition
d6211 1
a6211 1
managed-keys Statement Grammarname initial-key flags protocol algorithm key-data ;
[ name initial-key flags protocol algorithm key-data ; [...]]
d6322 1
a6322 1
If the dnssec-validation option is
d6325 4
a6328 7
root zone. Similarly, if the dnssec-lookaside
option is set to auto,
named will automatically initialize
a managed key for the zone dlv.isc.org.
In both cases, the key that is used to initialize the key
maintenance process is built into named,
and can be overridden from bindkeys-file.
d6346 1
a6346 1
view Statement Definition and Usage
a6473 3
[ update-check-ksk yes_or_no; ]
[ dnssec-dnskey-kskonly yes_or_no; ]
[ dnssec-loadkeys-interval number; ]
d6475 2
a6476 2
[ also-notify { ip_addr [port ip_port] [dscp ip_dscp] ;
[ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
a6479 1
[ check-spf ( warn | fail | ignore ); ]
d6483 1
a6483 1
[ masterfile-format (text|raw|map) ; ]
d6487 1
a6487 1
[ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
d6500 3
a6502 3
[ notify-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ notify-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ zone-statistics full | terse | none; ]
a6516 1
[ max-zone-ttl number ; ]
d6526 1
a6527 1
[ update-check-ksk yes_or_no; ]
d6532 1
a6532 1
[ also-notify [port ip_port] [dscp ip_dscp] { ( masters_list | ip_addr
a6533 1
[dscp ip_dscp]
d6538 1
a6538 1
[ masterfile-format (text|raw|map) ; ]
d6542 1
a6542 1
[ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
d6547 1
a6547 1
[ masters [port ip_port] [dscp ip_dscp] { ( masters_list | ip_addr
a6548 1
[dscp ip_dscp]
d6559 3
a6561 3
[ transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ transfer-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ alt-transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d6563 1
a6563 2
[port ip_port]
[dscp ip_dscp] ; ]
d6565 3
a6567 7
[ notify-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ notify-source-v6 (ip6_addr | *) [port ip_port] [dscp ip_dscp] ; ]
[ zone-statistics full | terse | none; ]
[ sig-validity-interval number [number] ; ]
[ sig-signing-nodes number ; ]
[ sig-signing-signatures number ; ]
[ sig-signing-type number ; ]
a6572 3
[ key-directory path_name; ]
[ auto-dnssec allow|maintain|off; ]
[ inline-signing yes_or_no; ]
d6592 1
a6592 1
[ masterfile-format (text|raw|map) ; ]
d6594 2
a6595 2
[ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
[ masters [port ip_port] [dscp ip_dscp] { ( masters_list | ip_addr
a6596 1
[dscp ip_dscp]
d6601 1
a6601 1
[ transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d6603 2
a6604 2
[port ip_port] [dscp ip_dscp] ; ]
[ alt-transfer-source (ip4_addr | *) [port ip_port] [dscp ip_dscp] ; ]
d6606 1
a6606 1
[port ip_port] [dscp ip_dscp] ; ]
d6628 1
a6628 1
[ forwarders { [ ip_addr [port ip_port] [dscp ip_dscp] ; ... ] }; ]
d6635 1
a6635 1
[ masterfile-format (text|raw|map) ; ]
a6636 1
[ max-zone-ttl number ; ]
a6642 4
zone zone_name [class] {
[ in-view string ; ]
};
d6647 1
a6647 1
zone Statement Definition and Usage
d6650 1
a6650 1
Zone Types
d6887 4
a6890 6
Redirect zones are used to provide answers to
queries when normal resolution would result in
NXDOMAIN being returned.
Only one redirect zone is supported
per view. allow-query can be
used to restrict which clients see these answers.
a6896 36
To redirect all NXDOMAIN responses to
100.100.100.2 and
2001:ffff:ffff::100.100.100.2, one would
configure a type redirect zone named ".",
with the zone file containing wildcard records
that point to the desired addresses:
"*. IN A 100.100.100.2"
and
"*. IN AAAA 2001:ffff:ffff::100.100.100.2".
To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced
directly by name, they are not kept in the
zone lookup table with normal master and slave
zones. Consequently, it is not currently possible
to use
rndc reload
zonename
to reload a redirect zone. However, when using
rndc reload without specifying
a zone name, redirect zones will be reloaded along
with other zones.
See the description of check-spf in the section called “Boolean Options”.
yes,
then the zone will also be treated as if it is
also a delegation-only type zone.
d7422 1
a7422 1
unsigned zone is transferred in or loaded from
a7436 7
See the description of max-zone-ttl in the section called “options Statement Definition and Usage”.
When multiple views are in use, a zone may be referenced by more than one of them. Often, the views will contain different zones with the same name, allowing different clients to receive different answers for the same queries. At times, however, it is desirable for multiple views to contain identical zones. The in-view zone option provides an efficient way to do this: it allows a view to reference a zone that was defined in a previously configured view. Example:
view internal {
match-clients { 10/8; };
zone example.com {
type master;
file "example-external.db";
};
};
view external {
match-clients { any; };
zone example.com {
in-view internal;
};
};
An in-view option cannot refer to a view that is configured later in the configuration file.
A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control the behavior of the containing view, rather than changing the zone object itself.)
The raw format is
a binary representation of zone data in a manner similar
to that used in zone transfers. Since it does not require
parsing text, load time is significantly reduced.
An even faster alternative is the map
format, which is an image of a BIND 9
in-memory zone database; it is capable of being loaded
directly into memory via the mmap()
function; the zone can begin serving queries almost
immediately.
d9446 5
a9450 5
For a primary server, a zone file in
raw or map
format is expected to be generated from a textual zone
file by the named-compilezone command.
For a secondary server or for a dynamic zone, it is automatically
d9465 8
a9472 15
Note that map format is extremely
architecture-specific. A map
file cannot be used on a system
with different pointer size, endianness or data alignment
than the system on which it was generated, and should in
general be used only inside a single system.
While raw format uses
network byte order and avoids architecture-dependent
data alignment so that it is as portable as
possible, it is also primarily expected to be used
inside the same single system. To export a
zone file in either raw or
map format, or make a
portable backup of such a file, conversion to
text format is recommended.
d9574 1
a9574 2
"NXRRSET"). If a hash mark (#) is present then
the RRset is marked for garbage collection.
d9667 1
a9667 1
Name Server Statistics Counters
a10218 39
RateDropped
Responses dropped by rate limits.
RateSlipped
Responses truncated by rate limits.
RPZRewrites
Response policy zone rewrites.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
d1657 1
a1657 7
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE
(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.) a1752 13
RPZ
Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
path_name; ]
[ session-keyfile path_name; ]
[ session-keyname key_name; ]
[ session-keyalg algorithm_id; ]
d2117 1
a2117 2
[ dnssec-lookaside ( auto |
no |
d2268 1
a2268 1
[ response-policy { zone_name [ policy given | disabled | passthru | nxdomain | nodata | cname domain ] ; } ; ]
d2526 1
a2526 2
If not specified, the default is
named.secroots.
d2552 8
a2671 5
If dnssec-lookaside is set to
no, then dnssec-lookaside
is not used.
d3435 7
a3441 8
When yes and the server loads a new
version of a master zone from its zone file or receives a
new version of a slave file via zone transfer, it will
compare the new version to the previous one and calculate
a set of differences. The differences are then logged in
the zone's journal file such that the changes can be
transmitted to downstream slaves as an incremental zone
transfer.
d3704 1
a3704 1
Forwarding
d3748 1
a3748 1
Dual-stack Servers
d3959 1
a3959 1
Interfaces
d4427 1
a4427 1
UDP Port Lists
d4469 1
a4469 1
Operating System Resource Limits
d4631 1
a4631 1
Periodic Task Intervals
d4933 2
a4934 4
appear, they are not combined — the last one applies.
By default, all records are returned in random order.
d5052 1
a5052 1
65534.
a5057 9
These records can be removed from the zone once named has completed signing the zone with the matching key using nsupdate or rndc signing -clear. rndc signing -clear is the only supported way to remove these records from inline-signing zones.
d5133 1 a5133 2Specifies
d5137 3
a5139 8
standard textual representation, except for slave zones,
in which the default value is raw.
Files in other formats than text are
typically expected to be generated by the
named-compilezone tool, or dumped by
named.
d5156 1 a5156 2
rpz-ip relativized to the
RPZ origin name and encode an IP address or address block.
IPv4 addresses are encoded as
prefixlength.B4.B3.B2.B1.rpz-ip.
The prefix length must be between 1 and 32.
All four bytes, B4, B3, B2, and B1, must be present.
B4 is the decimal value of the least significant byte of the
IPv4 address as in IN-ADDR.ARPA.
IPv6 addresses are encoded in a format similar to the standard
IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip.
Each of W8,...,W1 is a one to four digit hexadecimal number
representing 16 bits of the IPv6 address as in the standard text
representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
All 8 words must be present except when consecutive
zero words are replaced with .zz.
analogous to double colons (::) in standard IPv6 text encodings.
The prefix length must be between 1 and 128.
NSDNAME policy records match names of authoritative servers
for the query name, a parent of the query name, a CNAME,
or a parent of a CNAME.
They are encoded as subdomains of
rpz-nsdomain relativized
to the RPZ origin name.
d5639 3
a5641 32
NSIP policy records match IP addresses in A and AAAA RRsets
for domains that can be checked against NSDNAME policy records.
The are encoded like IP policies except as subdomains of
rpz-nsip.
The query response is checked against all RPZs, so two or more policy records can apply to a single response. Because DNS responses can be rewritten according by at most a single policy record, a single policy (other than DISABLED policies) must be chosen. Policies are chosen in the following order:
d5644 4 a5647 5 When the processing of a response is restarted to resolve DNAME or CNAME records and an applicable policy record set has not been found, all RPZs are again consulted for the DNAME or CNAME names and addresses. d5650 3 a5652 4 Authority verification issues and variations in authority data can cause inconsistent results for NSIP and NSDNAME policy records. Glue NS records often differ from authoritative NS records. So they are available d5659 31 a5689 74 RPZ record sets are special CNAME records or one or more of any types of DNS record except DNAME or DNSSEC. Except when a policy record is a CNAME, there can be more more than one record and more than one type in a set of policy records. Except for three kinds of CNAME records that are illegal except in policy zones, the records in a set are used in the response as if their owner name were the query name. They are copied to the response as dictated by their types.
The policies specified in individual records in an RPZ can be overridden with a policy clause in the response-policy option. An organization using an RPZ provided by another organization might use this mechanism to redirect domains to its own walled garden.
d5694 1 a5694 1
response-policy { zone "badlist"; };
d5698 1
a5698 1
zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };
d5703 1
a5703 16
@@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
NS LOCALHOST.
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
AAAA 2001:2::1
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME ok.domain.com.
bzone.domain.com CNAME garden.example.com.
; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
*.bzone.domain.com CNAME *.garden.example.com.
d5705 7
d5713 3
a5715 3
; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1
d5717 1
a5717 1
; NSDNAME and NSIP policy records
d5806 2
a5807 3
the view or global options block is used as a default. It may
also be set in the zone block and, if set there, it will
override the global or view setting for that zone.
d5931 1
a5931 1
statistics-channels Statement Definition and
d5991 1
a5991 1
trusted-keys Statement Definition
d6031 1
a6031 1
managed-keys Statement Grammar
d6166 1
a6166 1
view Statement Definition and Usage
a6310 1
[ request-ixfr yes_or_no ; ]
a6332 1
[ inline-signing <replacable>yes_or_no</replacable>; ]
d6465 1
a6465 1
zone Statement Definition and Usage
d6468 1
a6468 1
Zone Types
d6748 1
a6748 1
Class
d6770 1
a6770 1
Zone Options
a7235 9
If yes, this enables
"bump in the wire" signing of a zone, where a
unsigned zone is transfered in or loaded from
disk and a signed version of the zone is served,
with possibly, a different serial number. This
behaviour is disabled by default.
unlimited or
default.
Integers may take values
0 <= value <= 18446744073709551615, though
certain parameters
(such as max-journal-size) may
use a more limited range within these extremes.
In most cases, setting a value to 0 does not
literally mean zero; it means "undefined" or
"as big as possible", depending on the context.
See the explanations of particular parameters
that use size_spec
for details on how they interpret its use.
d416 7
a422 2
Numeric values can optionally be followed by a
scaling factor:
d427 3
a429 13
G or g
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
unlimited generally means
"as big as possible", though in certain contexts,
(including max-cache-size), it may
mean the largest possible 32-bit unsigned integer
(0xffffffff); this distinction can be important when
dealing with larger quantities.
unlimited is usually the best way
to safely set a very large number.
d432 5
a436 2
default
uses the limit that was in force when the server was started.
d480 1
a480 1
Syntax
d489 1
a489 1
Definition and Usage
d573 1
a573 1
Comment Syntax
d583 1
a583 1
Syntax
d599 1
a599 1
Definition and Usage
d853 1
a853 1
acl Statement Grammar
d909 1
a909 3
interfaces on the system. When addresses are
added or removed, the localhost
ACL element is updated to reflect the changes.
a920 3
When addresses are added or removed,
the localnets
ACL element is updated to reflect the changes.
d935 1
a935 1
controls Statement Grammar
d1059 1
a1059 1
include Statement Grammar
d1064 1
a1064 1
include Statement Definition and
d1079 1
a1079 1
key Statement Grammar
d1088 1
a1088 1
key Statement Definition and Usage
d1135 1
a1135 1
logging Statement Grammar
d1140 1
a1140 1
[ size size_spec ]
d1159 1
a1159 1
logging Statement Definition and
d1193 1
a1193 1
The channel Phrase
a1293 3
On Windows machines syslog messages are directed to the EventViewer.
d1720 2 a1721 2 delegation-only in a forward, hint or stub zone declaration. a1771 31
rate-limit
(Only available when BIND 9 is
configured with the --enable-rrl
option at compile time.)
The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
full | terse | none; ]
a2133 1
[ request-nsid yes_or_no; ]
a2159 1
[ check-spf ( warn | ignore ); ]
a2178 1
[ no-case-compress { address_match_list }; ]
d2260 1
a2260 1
[ dns64 ipv6-prefix {
a2272 1
[ max-rsa-exponent-size number; ]
a2281 1
[ max-recursion-depth number ; ]
d2292 1
a2292 22
[ rate-limit {
[ responses-per-second number ; ]
[ referrals-per-second number ; ]
[ nodata-per-second number ; ]
[ nxdomains-per-second number ; ]
[ errors-per-second number ; ]
[ all-per-second number ; ]
[ window number ; ]
[ log-only yes_or_no ; ]
[ qps-scale number ; ]
[ ipv4-prefix-length number ; ]
[ ipv6-prefix-length number ; ]
[ slip number ; ]
[ exempt-clients { address_match_list } ; ]
[ max-table-size number ; ]
[ min-table-size number ; ]
} ; ]
[ response-policy { zone_name
[ policy given | disabled | passthru | nxdomain | nodata | cname domain ]
[ recursive-only yes_or_no ] [ max-policy-ttl number ] ;
} [ recursive-only yes_or_no ] [ max-policy-ttl number ]
[ break-dnssec yes_or_no ] [ min-ns-dots number ] ; ]
d2422 7
a2428 16
Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views,
then managed keys for the server will be tracked in a single
file called managed-keys.bind.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
.mkeys.
If full, the server will collect
statistical data on all zones (unless specifically
turned off on a per-zone basis by specifying
zone-statistics terse or
zone-statistics none
in the zone statement).
The default is terse, providing
minimal statistics on zones (including name and
current serial number, but not query type
counters).
These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions
of BIND 9, the zone-statistics
option can also accept yes
or no, which have the same
effect as full and
terse, respectively.
a3229 11
If yes, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the resolver category at level
info.
The default is no.
d3601 1 a3601 12
The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with check-spf.
If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn.
a3969 51
Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisons.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circumstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all responses for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
10 and the maximum is
d3982 1
a3982 1
Interfaces
d3986 1
a3986 3
an optional port and an address_match_list
of IPv4 addresses. (IPv6 addresses are ignored, with a
logged warning.)
a4033 2
IPv4 addresses specified in listen-on-v6
will be ignored, with a logged warning.
d4450 1
a4450 1
UDP Port Lists
d4492 1
a4492 1
Operating System Resource Limits
d4572 2
a4573 4
will be automatically removed. The largest permitted
value is 2 gigabytes. The default is
unlimited, which also
means 2 gigabytes.
d4641 1
a4641 1
The listen queue depth. The default and minimum is 10.
d4646 3
a4648 4
some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
be used; on most platforms this sets the listen queue
length to a system-defined default value.
d4654 1
a4654 1
Periodic Task Intervals
d5076 1
a5076 1
signing state records. The default is
d5084 7
a5090 14
Signing state records are used to internally by
named to track the current state of
a zone-signing process, i.e., whether it is still active
or has been completed. The records can be inspected
using the command
rndc signing -list zone.
Once named has finished signing
a zone with a particular key, the signing state
record associated with that key can be removed from
the zone by running
rndc signing -clear keyid/algorithm zone.
To clear all of the completed signing state
records for a zone, use
rndc signing -clear all zone.
a5230 23
Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
no.
If you need to disable these zones, use the options d5316 1 a5316 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5347 64
rpz-ip relativized
to the RPZ origin name and encode an IP address or address block.
IPv4 trigger addresses are represented as
d5688 3
a5690 3
NSDNAME triggers match names of authoritative servers
for the query name, a parent of the query name, a CNAME for
query name, or a parent of a CNAME.
d5694 5
a5698 4
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
NSIP triggers are encoded like IP triggers except as subdomains of
a5699 4
NSDNAME and NSIP triggers are checked only for names with at
least min-ns-dots dots.
The default value of min-ns-dots is 1 to
exclude top level domains.
d5703 5
a5707 6
two or more policy records can be triggered by a response.
Because DNS responses can be rewritten according to at most one
policy record, a single record encoding an action (other than
DISABLED actions) must be chosen.
Triggers or the records that encode them are chosen in
the following order:
d5710 2
a5711 2
Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
d5844 1 a5844 1 ok.domain.com CNAME rpz-passthru. d5854 1 a5854 1 32.1.0.0.127.rpz-ip CNAME rpz-passthru. a5859 245
RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
This feature is only available when BIND 9
is compiled with the --enable-rrl
option on the "configure" command line.
Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with responses-per-second (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomain-per-second (default responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the responses-per-second value, but it can be set separately with errors-per-second.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
a5868 1 [ request-nsidyes_or_no ; ]
a6057 7
The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
d6071 1 a6071 1 statistics-channels Statement Definition and a6118 24If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When BIND 9 is configured with --enable-newstats, a new XML schema is used (version 3) which adds additional zone statistics and uses a flatter tree for more efficient parsing. The stylesheet included uses the Google Charts API to render data into into charts and graphs when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
d6131 1 a6131 1 trusted-keys Statement Definition d6171 1 a6171 1 managed-keys Statement Grammarname initial-key flags protocol algorithm key-data ;
[ name initial-key flags protocol algorithm key-data ; [...]]
d6282 1
a6282 1
If the dnssec-validation option is
d6285 4
a6288 7
root zone. Similarly, if the dnssec-lookaside
option is set to auto,
named will automatically initialize
a managed key for the zone dlv.isc.org.
In both cases, the key that is used to initialize the key
maintenance process is built into named,
and can be overridden from bindkeys-file.
d6306 1
a6306 1
view Statement Definition and Usage
a6433 3
[ update-check-ksk yes_or_no; ]
[ dnssec-dnskey-kskonly yes_or_no; ]
[ dnssec-loadkeys-interval number; ]
a6439 1
[ check-spf ( warn | ignore ); ]
d6462 1
a6462 1
[ zone-statistics full | terse | none; ]
d6474 1
a6474 1
[ inline-signing yes_or_no; ]
d6486 1
a6487 1
[ update-check-ksk yes_or_no; ]
d6527 1
a6527 5
[ zone-statistics full | terse | none; ]
[ sig-validity-interval number [number] ; ]
[ sig-signing-nodes number ; ]
[ sig-signing-signatures number ; ]
[ sig-signing-type number ; ]
a6532 3
[ key-directory path_name; ]
[ auto-dnssec allow|maintain|off; ]
[ inline-signing yes_or_no; ]
d6607 1
a6607 1
zone Statement Definition and Usage
d6610 1
a6610 1
Zone Types
d6847 4
a6850 6
Redirect zones are used to provide answers to
queries when normal resolution would result in
NXDOMAIN being returned.
Only one redirect zone is supported
per view. allow-query can be
used to restrict which clients see these answers.
a6856 36
To redirect all NXDOMAIN responses to
100.100.100.2 and
2001:ffff:ffff::100.100.100.2, one would
configure a type redirect zone named ".",
with the zone file containing wildcard records
that point to the desired addresses:
"*. IN A 100.100.100.2"
and
"*. IN AAAA 2001:ffff:ffff::100.100.100.2".
To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced
directly by name, they are not kept in the
zone lookup table with normal master and slave
zones. Consequently, it is not currently possible
to use
rndc reload
zonename
to reload a redirect zone. However, when using
rndc reload without specifying
a zone name, redirect zones will be reloaded along
with other zones.
See the description of check-spf in the section called “Boolean Options”.
yes,
then the zone will also be treated as if it is
also a delegation-only type zone.
d7382 1
a7382 1
unsigned zone is transferred in or loaded from
d7662 1
a7662 1
is specified in the identity
d7680 1
a7680 1
identity field.
d7696 1
a7696 1
is specified in the identity
d7714 1
a7714 1
identity field.
d7823 1
a7823 1
Zone File
d7836 1
a7836 1
Resource Records
d8573 1
a8573 1
Textual expression of RRs
d8776 1
a8776 1
Discussion of MX Records
d9018 2
a9019 1
servers can cache it.
d9032 1
a9032 1
Inverse Mapping in IPv4
d9093 1
a9093 1
Other Zone File Directives
d9108 1
a9108 1
The @@ (at-sign)
d9119 1
a9119 1
The $ORIGIN Directive
d9148 1
a9148 1
The $INCLUDE Directive
d9184 1
a9184 1
The $TTL Directive
d9203 1
a9203 1
BIND Master File Extension: the $GENERATE Directive
d9271 2
a9272 3
is set to 1. start, stop and step must be positive
integers between 0 and (2^31)-1. start must not be
larger than stop.
d9627 1
a9627 1
Name Server Statistics Counters
a10178 39
RPZRewrites
Response policy zone rewrites.
RateDropped
Responses dropped by rate limits.
RateSlipped
Responses truncated by rate limits.
BIND Version 9.9
@ 1.1.1.9.4.1.4.2 log @Pull up following revision(s) (requested by spz in ticket #1259): external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/README patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html patch external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/zone.c patch Security patch for bind from ISC (to 9.9.6-P2). Only the change to lib/dns/zone.c is security relevant (CVE-2015-1349). @ text @d81 1 a81 1number ; ]
d3865 1
a3865 1
Forwarding
d3909 1
a3909 1
Dual-stack Servers
d4177 1
a4177 1
Interfaces
d4649 1
a4649 1
UDP Port Lists
d4691 1
a4691 1
Operating System Resource Limits
d4856 1
a4856 1
Periodic Task Intervals
d5819 1
a5819 1
Content Filtering
d5942 1
a5942 1
Response Policy Zone (RPZ) Rewriting
d6209 1
a6209 1
Response Rate Limiting
d6651 1
a6651 1
statistics-channels Statement Definition and
d6735 1
a6735 1
trusted-keys Statement Definition
d6775 1
a6775 1
managed-keys Statement Grammar
d6913 1
a6913 1
view Statement Definition and Usage
d7225 1
a7225 1
zone Statement Definition and Usage
d7228 1
a7228 1
Zone Types
d7546 1
a7546 1
Class
d7568 1
a7568 1
Zone Options
d8485 1
a8485 1
Zone File
d8498 1
a8498 1
Resource Records
d9235 1
a9235 1
Textual expression of RRs
d9438 1
a9438 1
Discussion of MX Records
d9693 1
a9693 1
Inverse Mapping in IPv4
d9754 1
a9754 1
Other Zone File Directives
d9769 1
a9769 1
The @@ (at-sign)
d9780 1
a9780 1
The $ORIGIN Directive
d9809 1
a9809 1
The $INCLUDE Directive
d9845 1
a9845 1
The $TTL Directive
d9864 1
a9864 1
BIND Master File Extension: the $GENERATE Directive
d10289 1
a10289 1
Name Server Statistics Counters
d10885 1
a10885 1
Zone Maintenance Statistics Counters
d11039 1
a11039 1
Resolver Statistics Counters
d11422 1
a11422 1
Socket I/O Statistics Counters
d11577 1
a11577 1
Compatibility with BIND 8 Counters
@
1.1.1.9.4.1.4.3
log
@Apply patch, requested by spz in ticket 1329:
Update bind to 9.9.7-P3
@
text
@d2 1
a2 1
- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
d51 1
a51 1
cname
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
zone_name
[ policy (given | disabled | passthru |
nxdomain | nodata | cname domain) ]
[ recursive-only yes_or_no ]
[ max-policy-ttl number ]
[ break-dnssec yes_or_no ]
[ min-ns-dots number ]
; [...]
} ; ]
d3866 1
a3866 1
Forwarding
d3910 1
a3910 1
Dual-stack Servers
d4178 1
a4178 1
Interfaces
d4475 1
a4475 3
per second. The default is 20 per second.
The lowest possible rate is one per second; when set
to zero, it will be silently raised to one.
d4650 1
a4650 1
UDP Port Lists
d4692 1
a4692 1
Operating System Resource Limits
d4857 1
a4857 1
Periodic Task Intervals
d5461 2
a5462 4
is terminated and returns SERVFAIL. Queries to
look up top level comains such as "com" and "net"
and the DNS root zone are exempt from this limitation.
The default is 50.
d5820 1
a5820 1
Content Filtering
d5943 1
a5943 1
Response Policy Zone (RPZ) Rewriting
d6031 1
a6031 1
BIND 9.9.7-P3 (Extended Support Version)
@ 1.1.1.9.4.1.4.4 log @Revert ticket 1329, it doens't build on this branch @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1
d951 1
a951 1
controls Statement Grammar
d1075 1
a1075 1
include Statement Grammar
d1080 1
a1080 1
include Statement Definition and
d1095 1
a1095 1
key Statement Grammar
d1104 1
a1104 1
key Statement Definition and Usage
d1151 1
a1151 1
logging Statement Grammar
d1175 1
a1175 1
logging Statement Definition and
d1209 1
a1209 1
The channel Phrase
d1822 11
d1838 1
a1838 1
The query-errors Category
d2066 1
a2066 1
lwres Statement Grammar
d2082 1
a2082 1
lwres Statement Definition and Usage
d2133 1
a2133 1
masters Statement Grammar
d2141 1
a2141 1
masters Statement Definition and
d2151 1
a2151 1
options Statement Grammar
d2376 10
a2385 5
[ response-policy { zone_name
[ policy given | disabled | passthru | nxdomain | nodata | cname domain ]
[ recursive-only yes_or_no ] [ max-policy-ttl number ] ;
} [ recursive-only yes_or_no ] [ max-policy-ttl number ]
[ break-dnssec yes_or_no ] [ min-ns-dots number ] ; ]
d3877 1
a3877 1
Forwarding
d3921 1
a3921 1
Dual-stack Servers
d4189 1
a4189 1
Interfaces
d4486 3
a4488 1
per second. The default is 20.
d4663 1
a4663 1
UDP Port Lists
d4705 1
a4705 1
Operating System Resource Limits
d4870 1
a4870 1
Periodic Task Intervals
d5474 4
a5477 2
is terminated and returns SERVFAIL. The default
is 50.
d5835 1
a5835 1
Content Filtering
d5958 1
a5958 1
Response Policy Zone (RPZ) Rewriting
d6046 1
a6046 1
BIND Version 9.9
@ 1.1.1.9.4.1.4.5 log @Apply patch (requested by spz in ticket #1449): Update BIND to 9.9.9-P8 Security issues fixed with this update: CVE-2015-8704 CVE-2016-1285 CVE-2016-1286 CVE-2016-2775 CVE-2016-2776 CVE-2016-8864 CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2017-3135 CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 The update also contains numerous bug fixes as well as changes to comply with recent RFCs. @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d17 1 d22 2 a23 2 d42 3 a44 3default
d491 1
a491 1
acl
d720 1 a720 1controls
d725 1 a725 1 by the rndc utility. d731 1 a731 1include
d741 1 a741 1key
d752 1 a752 1logging
d763 1 a763 1lwres
d767 2 a768 2 configures named to also act as a light-weight resolver daemon (lwresd). d774 1 a774 1masters
d780 2 a781 2 masters or also-notify lists. d787 1 a787 1options
d798 1 a798 1server
d809 1 a809 1statistics-channels
d814 1 a814 1 named statistics. d820 1 a820 1trusted-keys
d830 1 a830 1managed-keys
d841 1 a841 1view
d851 1 a851 1zone
d862 2 a863 2 The logging and options statements may only occur once d867 1 a867 1acl acl-name { d875 1 a875 1d877 1 a877 1 acl Statement Definition and d880 1 a880 1 The acl statement assigns a symbolic d885 5 d894 2 a895 2d900 1 a900 1 any
d910 1 a910 1none
d920 1 a920 1localhost
d926 1 a926 1 added or removed, the localhost d933 1 a933 1localnets
d940 1 a940 1 the localnets d945 1 a945 1 In such a case, localnets d947 1 a947 1 IPv6 addresses, just like localhost. d954 1 a954 1controls { d968 1 a968 1d970 1 a970 1 controls Statement Definition and d973 1 a973 1 The controls statement declares control d976 1 a976 1 used by the rndc utility to send d980 4 a983 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d987 2 a988 2 use an ip_addr of::. If you will only use rndc on the local host, d994 1 a994 1 "*" cannot be used for ip_port. d998 2 a999 2 restricted by the allow and keys clauses. d1001 3 a1003 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1007 1 a1007 1 A unix control channel is a UNIX domain d1009 2 a1010 2 Access to the socket is specified by the perm, owner and group clauses. d1012 1 a1012 1 (perm) are applied to the parent directory d1017 3 a1019 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1021 2 a1022 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1025 2 a1026 2 If no controls statement is present, named will set up a default d1029 3 a1031 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1042 1 a1042 1 messages and thus did not have a keys clause. d1046 2 a1047 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1063 1 a1063 1 named is running as) can access it. d1066 1 a1066 1 rndc commands, then you need to create d1074 2 a1075 2 controls statement: controls { };. d1078 1 a1078 1included1083 1 a1083 1 d1088 3 a1090 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1098 1 a1098 1filename;keykey_id{ algorithmalgorithm_id; secretsecret_string; d1107 1 a1107 1 d1111 2 a1112 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1114 2 a1115 1 (see the section called “controls Statement Definition and d1119 1 a1119 1 The key statement can occur at the d1121 2 a1122 2 of the configuration file or inside a view statement. Keys defined in top-level key d1124 3 a1126 2 a controls statement (see the section called “controls Statement Definition and d1133 1 a1133 1 be used in a server d1154 1 a1154 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1167 3 a1169 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1171 1 a1171 1 [ categorycategory_name{ d1178 1 a1178 1 d1183 1 a1183 1 The logging statement configures a d1185 1 a1185 1 variety of logging options for the name server. Its channel phrase d1187 1 a1187 1 a name that can then be used with the category phrase d1191 1 a1191 1 Only one logging statement is used to d1193 1 a1193 1 as many channels and categories as are wanted. If there is no logging statement, d1205 1 a1205 1 established as soon as the logging d1212 1 a1212 1 d1225 2 a1226 2 info), and whether to include a named-generated time stamp, the d1231 1 a1231 1 The null destination clause d1236 1 a1236 1 The file destination clause directs d1244 1 a1244 1 If you use the versions log file d1246 1 a1246 1 named will retain that many backup d1256 1 a1256 1 You can say versions unlimited to d1259 1 a1259 1 If a size option is associated with d1267 1 a1267 1 The size option for files is used d1269 2 a1270 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1274 1 a1274 1 versions option, no more data will d1283 2 a1284 2 Example usage of the size and versions options: d1293 1 a1293 1 The syslog destination clause d1296 9 a1304 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1307 1 a1307 1 How syslog will handle messages d1309 3 a1311 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1318 1 a1318 1 The severity clause works like syslog's d1320 1 a1320 1 straight to a file rather than using syslog. d1327 1 a1327 1 If you are using syslog, then the syslog.conf priorities d1329 7 a1335 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1339 1 a1339 1 The stderr destination clause d1352 1 a1352 1 level is set either by starting the named server d1354 1 a1354 1 or by running rndc trace. d1356 1 a1356 1 can be set to zero, and debugging mode turned off, by running rndc d1369 1 a1369 1 level. Channels with dynamic d1374 1 a1374 1 If print-time has been turned on, d1376 2 a1377 2 the date and time will be logged. print-time may be specified for a syslog channel, d1379 1 a1379 1 pointless since syslog also logs d1381 1 a1381 1 time. If print-category is d1383 2 a1384 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1388 1 a1388 1 three print- options d1396 1 a1396 1 named's default logging as follows. d1398 1 a1398 1 used is described in the section called “The category Phrase”. d1428 1 a1428 1 The default_debug channel has the d1438 1 a1438 1 is created only after named has d1440 1 a1440 1 new UID, and any debug output generated while named is d1452 1 a1452 1 d1460 1 a1460 1 in that category will be sent to the default category d1481 1 a1481 1 To discard all messages in a category, specify the null channel: d1493 2 a1494 2d1499 2 a1500 2 client
d1502 7 a1508 4Processing of client requests.
d1512 2 a1513 2cname
d1515 5 a1519 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1523 2 a1524 2config
d1526 6 a1531 4Configuration file parsing and processing.
d1535 2 a1536 2database
d1538 4 a1541 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1545 2 a1546 2default
d1548 4 a1551 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1555 2 a1556 2delegation-only
d1558 6 a1563 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1567 2 a1568 2dispatch
d1570 4 a1573 5Dispatching of incoming packets to the server modules where they are to be processed.
d1577 2 a1578 2dnssec
d1580 4 a1583 4DNSSEC and TSIG protocol processing.
d1587 2 a1588 2edns-disabled
d1590 4 a1593 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1597 2 a1598 2general
d1600 4 a1603 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1607 2 a1608 2lame-servers
d1610 9 a1618 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1622 2 a1623 2network
d1625 4 a1628 4Network operations.
d1632 2 a1633 2notify
d1635 4 a1638 4The NOTIFY protocol.
d1642 2 a1643 2queries
d1645 4 a1648 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1652 2 a1653 2query-errors
d1655 35 a1689 5Information about queries that resulted in some failure.
d1693 2 a1694 2rate-limit
d1696 5 a1700 25(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1704 2 a1705 2resolver
d1707 5 a1711 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1715 2 a1716 2rpz
d1718 4 a1721 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1725 2 a1726 2security
d1728 6 a1733 4Approval and denial of requests.
d1737 2 a1738 2spill
d1740 8 a1747 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1751 2 a1752 2unmatched
d1754 28 a1781 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1785 2 a1786 2update
d1788 7 a1794 4Dynamic updates.
d1798 2 a1799 2update-security
d1801 25 a1825 24Approval and denial of update requests.
xfer-in
Zone transfers the server is receiving.
xfer-out
d1830 1 a1830 1 d1834 1 a1834 1 The query-errors category is d1839 1 a1839 1 with debug levels. d1902 2 a1903 2 Zone transfers the server is sending.
d2058 1 a2058 1 d2062 1 a2062 1 This is the grammar of the lwres d2065 1 a2065 1 lwres { d2074 1 a2074 1 d2078 1 a2078 1 The lwres statement configures the d2081 2 a2082 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2086 1 a2086 1 The listen-on statement specifies a d2097 1 a2097 1 The view statement binds this d2108 1 a2108 1 The search statement is equivalent to d2110 1 a2110 1 search statement in d2116 1 a2116 1 The ndots statement is equivalent to d2118 1 a2118 1 ndots statement in d2125 1 a2125 1 d2129 1 a2129 1 mastersname[portip_port] { (masters_list| d2133 1 a2133 1d2135 1 a2135 1 masters Statement Definition and d2137 1 a2137 1d2147 1 a2147 1 This is the grammar of the options d2150 1 a2150 1masters d2139 2 a2140 2 multiple stub and slave zones in their masters or also-notify lists. d2143 1 a2143 1
options { a2193 1 [ auto-dnssecallow|maintain|off; ] d2205 1 a2205 1ip_addr[portip_port] ) ; d2248 2 a2249 2 [ port (ip_port|*) ] | [ address (ip6_addr|*) ] d2258 1 a2260 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2278 3 a2280 3 [ also-notify [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] a2296 1 [ serial-update-methodincrement|unixtime|date; ] d2322 1 a2322 1 [ suffixIPv6-address; ] d2339 2 d2370 5 a2374 10 [ response-policy { zonezone_name[ policy(given | disabled | passthru | nxdomain | nodata | cname domain) ] ; [...] } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d2378 1 a2378 1d2380 1 a2380 1 options Statement Definition and d2383 1 a2383 1 The options statement sets up global d2387 1 a2387 1 once in a configuration file. If there is no options d2391 2 a2392 2d6916 1 a6916 1 The view statement is a powerful d6925 1 a6925 1 Each view statement defines a view d6931 1 a6931 1 match-clients clause and its d6935 1 a6935 1 match-destinations clause. If not d6937 1 a6937 1 match-clients and match-destinations d6940 2 a6941 2 match-clients and match-destinations can also take keys which provide an d6944 1 a6944 1 as match-recursive-only, which d6947 1 a6947 1 The order of the view statements is d6950 1 a6950 1 view that it matches. d6953 1 a6953 1 Zones defined within a view d6955 1 a6955 1 only be accessible to clients that match the view. d6962 2 a6963 2 Many of the options given in the options statement can also be used within a view d6967 1 a6967 1 value is given, the value in the options statement d6970 1 a6970 1 in the view statement; these d6972 1 a6972 1 take precedence over those in the options statement. d6980 1 a6980 1 If there are no view statements in d6984 1 a6984 1 in class IN. Any zone statements d6988 1 a6988 1 this default view, and the options d6990 2 a6991 2 apply to the default view. If any explicit view statements are present, all zone d6993 1 a6993 1 occur inside view statements. d6997 1 a6997 1 using view statements: d7032 1 a7032 1d3918 2 a3919 2
- attach-cache
d2404 2 a2405 2 The attach-cache option may also be specified in view d2407 1 a2407 1 global attach-cache option. d2412 1 a2412 1 When the named server configures d2423 1 a2423 1 the attach-cache as a global d2432 1 a2432 1 attach-cache option as a view A (or d2455 8 a2462 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2477 1 a2477 1- directory
d2492 1 a2492 1- key-directory
d2503 1 a2503 1- managed-keys-directory
d2511 1 a2511 1 If named is not configured to use views, d2520 1 a2520 1- named-xfer
d2524 1 a2524 1 the pathname to the named-xfer d2526 1 a2526 1 named-xfer program is needed; d2529 1 a2529 1- tkey-gssapi-keytab
d2536 1 a2536 1- tkey-gssapi-credential
d2547 1 a2547 1 To use GSS-TSIG, tkey-domain must d2551 1 a2551 1- tkey-domain
d2554 2 a2555 2 generated with TKEY. When a client requests a TKEY exchange, d2562 1 a2562 1 In most cases, the domainname d2569 1 a2569 1- tkey-dhkey
d2574 1 a2574 1 of TKEY. The server must be d2580 1 a2580 1- cache-file
d2584 1 a2584 1- dump-file
d2588 1 a2588 1 rndc dumpdb. d2591 1 a2591 1- memstatistics-file
d2597 1 a2597 1- pid-file
d2604 1 a2604 1 name server. Specifying pid-file none disables the d2606 1 a2606 1 existing one will be removed. Note that none d2611 1 a2611 1- recursing-file
d2615 1 a2615 1 to do so with rndc recursing. d2618 1 a2618 1- statistics-file
d2621 1 a2621 1 to when instructed to do so using rndc stats. d2625 1 a2625 1 in the section called “The Statistics File”. d2627 1 a2627 1- bindkeys-file
d2630 3 a2632 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2636 1 a2636 1- secroots-file
d2640 1 a2640 1 rndc secroots. d2644 1 a2644 1- session-keyfile
d2647 2 a2648 2 session key generated by named for use by nsupdate -l. If not specified, the d2650 1 a2650 1 (See the section called “Dynamic Update Policies”, and in d2652 1 a2652 1 update-policy statement's d2656 1 a2656 1- session-keyname
d2661 1 a2661 1- session-keyalg
d2668 1 a2668 1- port
d2678 1 a2678 1- random-device
d2692 1 a2692 1 random-device option takes d2697 1 a2697 1- preferred-glue
d2702 1 a2702 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2705 1 a2705 1 root-delegation-only d2751 1 a2751 1- disable-algorithms
d2755 1 a2755 1 Multiple disable-algorithms d2759 1 a2759 1- dnssec-lookaside
d2762 1 a2762 1 When set, dnssec-lookaside provides the d2766 1 a2766 1 dnssec-lookaside, and the normal DNSSEC d2774 1 a2774 1 If dnssec-lookaside is set to d2780 1 a2780 1 If dnssec-lookaside is set to d2787 2 a2788 2 named will load that key at startup if dnssec-lookaside is set to d2793 1 a2793 1 from https://www.isc.org/solutions/dlv/. d2798 2 a2799 2 named. Relying on this is not recommended, however, as it requires named d2803 1 a2803 1 NOTE: named only loads certain specific d2809 1 a2809 1- dnssec-must-be-secure
d2813 1 a2813 1 then named will only accept answers if d2817 3 a2819 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2821 1 a2821 1- dns64
d2824 1 a2824 1 This directive instructs named to d2828 1 a2828 1 dns64 defines one DNS64 prefix. d2839 2 a2840 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2846 2 a2847 2 Each dns64 supports an optional clients ACL that determines which d2852 3 a2854 3 Each dns64 supports an optional mapped ACL that selects which IPv4 addresses are to be mapped in the corresponding d2862 1 a2862 1 exclude ACL allows specification d2866 1 a2866 1 name owns. If not defined, exclude d2870 1 a2870 1 A optional suffix can also d2878 2 a2879 2 If recursive-only is set to yes the DNS64 synthesis will d2881 1 a2881 1 is no. d2884 2 a2885 2 If break-dnssec is set to yes the DNS64 synthesis will d2888 1 a2888 1 is set to no (the default), the DO d2903 1 a2903 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d2910 2 a2911 2 the section called “Dynamic Update Policies”), and if named has access to the d2913 1 a2913 1 named will automatically sign all new d2920 1 a2920 1 then named will sign all new or d2925 1 a2925 1 With either of these settings, named d2928 1 a2928 1 named. (A planned third option, d2934 1 a2934 23- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
- zone-statistics
d2940 3 a2942 3 zone-statistics terse or zone-statistics none in the zone statement). d2950 2 a2951 2 statistics-channel or using rndc stats, which d2953 2 a2954 2 in the statistics-file. See also the section called “The Statistics File”. d2958 1 a2958 1 of BIND 9, the zone-statistics d2966 1 a2966 1d2969 2 a2970 2d3877 2 a3878 2
- allow-new-zones
d2973 2 a2974 2 added at runtime via rndc addzone or deleted via rndc delzone. d2977 1 a2977 1- auth-nxdomain
d2979 1 a2979 1 Ifyes, then the AA bit d2988 1 a2988 1- deallocate-on-exit
d2995 1 a2995 1- memstatistics
d2998 1 a2998 1 memstatistics-file at exit. d3003 1 a3003 1- dialup
d3015 1 a3015 1 happens in a short interval, once every heartbeat-interval and d3021 4 a3024 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3037 1 a3037 1 notify and also-notify. d3045 1 a3045 1 heartbeat-interval expires in d3058 1 a3058 1 when the heartbeat-interval d3066 4 a3069 4d3096 1 a3096 1 no (default)
d3116 1 a3116 1yes
d3136 1 a3136 1notify
d3156 1 a3156 1refresh
d3176 1 a3176 1passive
d3196 1 a3196 1notify-passive
d3218 1 a3218 1 dialup. d3221 1 a3221 1- fake-iquery
d3228 1 a3228 1- fetch-glue
d3239 1 a3239 1- flush-zones-on-shutdown
d3244 1 a3244 1 flush-zones-on-shutdownno. d3246 1 a3246 1- has-old-clients
d3252 3 a3254 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3256 1 a3256 1- host-statistics
d3263 1 a3263 1- maintain-ixfr-base
d3271 1 a3271 1 transfers, use provide-ixfrno. d3273 1 a3273 1- minimal-responses
d3282 1 a3282 1- multiple-cnames
d3290 1 a3290 1- notify
d3296 1 a3296 1 changes, see the section called “Notify”. The messages are d3301 1 a3301 1 also-notify option. d3309 1 a3309 1 servers explicitly listed using also-notify. d3313 2 a3314 2 The notify option may also be specified in the zone d3316 1 a3316 1 in which case it overrides the options notify statement. d3322 1 a3322 1- notify-to-soa
d3333 1 a3333 1- recursion
d3344 1 a3344 1 Note that setting recursion no does not prevent d3350 1 d3352 1 a3352 1- request-nsid
d3355 1 a3355 1 NSID (Name Server Identifier) option is sent with all d3359 2 a3360 2 the resolver category at level info. d3363 1 a3363 1- rfc2308-type1
d3379 1 a3379 1- use-id-pool
d3385 1 a3385 1- use-ixfr
d3390 3 a3392 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3395 1 a3395 1 the section called “Incremental Zone Transfers (IXFR)”. d3397 1 a3397 1- provide-ixfr
d3400 3 a3402 2 provide-ixfr in the section called “server Statement Definition and d3405 1 a3405 1- request-ixfr
d3408 3 a3410 2 request-ixfr in the section called “server Statement Definition and d3413 1 a3413 1- treat-cr-as-space
d3417 1 a3417 1 the server treat carriage return ("\r") characters the same way d3421 2 a3422 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3427 1 a3427 1 additional-from-auth, additional-from-cache d3462 1 a3462 1 Setting these options to no d3470 1 a3470 1 them to no without also d3472 1 a3472 1 recursion no will cause the d3477 1 a3477 1 Specifying additional-from-cache no actually d3497 1 a3497 1 referrals when additional-from-cache no d3505 1 a3505 1- match-mapped-addresses
d3518 1 a3518 1 named now solves this problem d3522 1 a3522 1- filter-aaaa-on-v4
d3533 3 a3535 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3540 2 a3541 2 the DNS client is at an IPv4 address, in filter-aaaa, and if the response does not include DNSSEC signatures, d3553 2 a3554 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3573 1 a3573 1- ixfr-from-differences
d3597 3 a3599 3ixfr-from-differences also accepts master and slave at the view and options d3601 3 a3603 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3607 1 a3607 1
- multi-master
d3611 1 a3611 1 addresses refer to different machines. Ifyes, named will d3613 1 a3613 1 when the serial number on the master is less than what named d3617 4 a3620 47- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
This indicates whether DNSSEC-related resource records are to be returned by named. If set to
no, named will not return DNSSEC-related resource records unless specifically queried for. d3623 4 a3626 5- dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3634 2 a3635 2 a trusted-keys or managed-keys statement. The default d3637 2 a3638 12
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
- dnssec-accept-expired
d3643 1 a3643 1 leaves named vulnerable to d3646 1 a3646 1- querylog
d3648 1 a3648 1 Specify whether query logging should be started when named d3650 1 a3650 1 If querylog is not specified, d3652 1 a3652 1 is determined by the presence of the logging category queries. d3654 1 a3654 1- check-names
d3663 5 a3667 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3673 1 a3673 1check-names d3682 1 a3682 1
- check-dup-records
d3686 3 a3688 3 default is to warn. Other possible values are fail and ignore. d3690 1 a3690 1- check-mx
d3693 3 a3695 3 The default is to warn. Other possible values are fail and ignore. d3697 1 a3697 1- check-wildcard
d3704 1 a3704 1 affects master zones. The default (yes) is to check d3707 1 a3707 1- check-integrity
d3716 1 a3716 1 named-checkzone). d3719 2 a3720 2 checks use named-checkzone). The default is yes. d3730 1 a3730 1 check-spf. d3733 1 a3733 1- check-mx-cname
d3735 1 a3735 1 If check-integrity is set then d3737 1 a3737 1 to CNAMES. The default is to warn. d3739 1 a3739 1- check-srv-cname
d3741 1 a3741 1 If check-integrity is set then d3743 1 a3743 1 to CNAMES. The default is to warn. d3745 1 a3745 1- check-sibling
d3748 1 a3748 1 sibling glue exists. The default is yes. d3750 1 a3750 1- check-spf
d3752 1 a3752 1 If check-integrity is set then d3756 1 a3756 1 warn. d3758 1 a3758 1- zero-no-soa-ttl
d3763 1 a3763 1 The default is yes. d3765 1 a3765 1- zero-no-soa-ttl-cache
d3769 1 a3769 1 The default is no. d3771 1 a3771 1- update-check-ksk
d3786 1 a3786 1 similar to the dnssec-signzone -z d3798 1 a3798 1- dnssec-dnskey-kskonly
d3801 1 a3801 1 When this option and update-check-ksk d3808 1 a3808 1 dnssec-signzone -x command line option. d3811 2 a3812 2 The default is no. If update-check-ksk is set to d3816 16 a3831 1- try-tcp-refresh
d3835 1 a3835 1 yes. d3837 1 a3837 1- dnssec-secure-to-insecure
d3842 2 a3843 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d3856 1 a3856 1 auto-dnssec maintain and the d3859 1 a3859 1 next time named is started. d3864 1 a3864 1
- forward
d3890 1 a3890 1- forwarders
d3902 3 a3904 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d3908 1 a3908 1d4696 2 a4697 2 example, 1G can be used instead of 1073741824 to specify a limit of d4699 1 a4699 1 gigabyte. unlimited requests d4701 1 a4701 1 maximum available amount. default d4704 1 a4704 1 of size_spec in the section called “Configuration File Elements”. d4714 2 a4715 2
- dual-stack-servers
d3926 1 a3926 1 stacked, then the dual-stack-servers have no effect unless d3928 1 a3928 1 (e.g. named -4). d3932 1 a3932 1d3937 1 a3937 1 of the requesting system. See the section called “Address Match Lists” for d3940 2 a3941 2d4181 1 a4181 1 from may be specified using the listen-on option. listen-on takes d4189 1 a4189 1 Multiple listen-on statements are d4202 1 a4202 1 If no listen-on is specified, the d4206 1 a4206 1 The listen-on-v6 option is used to d4217 1 a4217 1 listen-on-v6 option, d4232 1 a4232 1 IPv4 addresses specified in listen-on-v6 d4236 1 a4236 1 Multiple listen-on-v6 options can d4255 1 a4255 1 If no listen-on-v6 option is d4257 3 a4259 3 unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default. d4262 1 a4262 1
- allow-notify
d3946 1 a3946 1 allow-notify may also be d3948 1 a3948 1 zone statement, in which case d3950 1 a3950 1 options allow-notify d3956 1 a3956 1- allow-query
d3960 2 a3961 2 DNS questions. allow-query may also be specified in the zone d3963 1 a3963 1 options allow-query statement. d3970 1 a3970 1 allow-query-cache is now d3975 1 a3975 1- allow-query-on
d3985 1 a3985 1 Note that allow-query-on is only d3987 1 a3987 1 allow-query. A query must be d3991 2 a3992 2 allow-query-on may also be specified in the zone d3994 1 a3994 1 options allow-query-on statement. d4003 1 a4003 1 allow-query-cache is d4008 1 a4008 1- allow-query-cache
d4011 7 a4017 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4019 1 a4019 1- allow-query-cache-on
d4024 2 a4025 2 localnets and localhost. d4027 1 a4027 1- allow-recursion
d4031 3 a4033 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4035 2 a4036 2 (localnets; localhost;) is used. d4038 1 a4038 1- allow-recursion-on
d4044 1 a4044 1- allow-update
d4051 1 a4051 1 the section called “Dynamic Update Security” for details. d4053 1 a4053 1- allow-update-forwarding
d4077 1 a4077 1 access control to attacks; see the section called “Dynamic Update Security” d4081 1 a4081 1- allow-v6-synthesis
d4091 1 a4091 1- allow-transfer
d4094 2 a4095 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4097 1 a4097 1 case it overrides the options allow-transfer statement. d4101 1 a4101 1- blackhole
d4109 1 a4109 1- filter-aaaa
d4112 1 a4112 1 filter-aaaa-on-v4 d4115 1 a4115 1- no-case-compress
d4120 1 a4120 1 used when named needs to work with d4127 1 a4127 1 none: case-insensitive compression d4151 1 a4151 1 There are circumstances in which named d4166 1 a4166 1- resolver-query-timeout
d4176 1 a4176 1d4267 1 a4267 1 query other name servers. query-source specifies d4269 3 a4271 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4275 1 a4275 1 If port is * or is omitted, d4279 2 a4280 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4282 2 a4283 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4286 2 a4287 2 The defaults of the query-source and query-source-v6 options d4294 3 a4296 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4300 1 a4300 1 named will use the corresponding system d4313 2 a4314 2 changed while named is running; the new range will automatically be applied when named d4317 2 a4318 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4324 1 a4324 1 where named runs may prohibit the use d4326 1 a4326 1 named running without a root privilege d4335 2 a4336 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4344 1 a4344 1 the use-queryport-pool d4350 2 a4351 2 query-source or query-source-v6 options; d4354 2 a4355 2d4652 4 a4655 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4658 1 a4658 1 See the section called “Query Address” about how the d4668 1 a4668 1 from named will be in one d4673 3 a4675 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4683 3 a4685 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4690 1 a4690 1
- use-queryport-pool
d4359 1 a4359 1- queryport-pool-ports
d4363 1 a4363 1- queryport-pool-updateinterval
d4371 1 a4371 1 The address specified in the query-source option d4387 2 a4388 2 See also transfer-source and notify-source. d4392 1 a4392 1d4401 2 a4402 2d4602 1 a4602 1
- also-notify
d4413 1 a4413 1 also-notify address to send d4420 1 a4420 1 masters lists can be used. d4423 2 a4424 2 If an also-notify list is given in a zone statement, d4426 2 a4427 2 the options also-notify statement. When a zone notify d4429 2 a4430 2 is set to no, the IP addresses in the global also-notify list will d4436 1 a4436 1- max-transfer-time-in
d4443 1 a4443 1- max-transfer-idle-in
d4450 1 a4450 1- max-transfer-time-out
d4457 1 a4457 1- max-transfer-idle-out
d4464 1 a4464 1- serial-query-rate
d4473 1 a4473 1 serial-query-rate option, an d4475 1 a4475 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4479 2 a4480 2 queries are issued at, serial-query-rate also controls d4485 1 a4485 1- serial-queries
d4487 1 a4487 1 In BIND 8, the serial-queries d4492 1 a4492 1 serial queries and ignores the serial-queries option. d4494 1 a4494 1 as defined using the serial-query-rate option. d4496 1 a4496 1- transfer-format
d4499 3 a4501 3 one-answer and many-answers. The transfer-format option is used d4503 1 a4503 1 one-answer uses one DNS message per d4505 1 a4505 1 many-answers packs as many resource d4507 1 a4507 1 many-answers is more efficient, but is d4511 1 a4511 1 The many-answers format is also supported by d4513 3 a4515 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4518 1 a4518 1- transfers-in
d4522 1 a4522 1 Increasing transfers-in may d4527 1 a4527 1- transfers-out
d4534 1 a4534 1- transfers-per-ns
d4540 1 a4540 1 Increasing transfers-per-ns d4544 3 a4546 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4548 1 a4548 1- transfer-source
d4550 1 a4550 1transfer-source d4560 1 a4560 1 allow-transfer option for the d4563 1 a4563 1 transfer-source for all zones, d4566 3 a4568 3 transfer-source statement within the view or zone block in the configuration d4579 1 a4579 1
- transfer-source-v6
d4581 1 a4581 1 The same as transfer-source, d4584 1 a4584 1- alt-transfer-source
d4588 2 a4589 2 transfer-source fails and use-alt-transfer-source is a4593 1d4596 1 a4596 1 use-alt-transfer-source d4600 1 a4600 2
- alt-transfer-source-v6
d4605 2 a4606 2 transfer-source-v6 fails and use-alt-transfer-source is d4609 1 a4609 1- use-alt-transfer-source
d4612 1 a4612 1 specified this defaults to no d4614 1 a4614 1 yes (for BIND 8 d4617 1 a4617 1- notify-source
d4619 1 a4619 1notify-source d4623 3 a4625 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4628 3 a4630 3 notify-source statement within the zone or view block in the configuration d4641 1 a4641 1
- notify-source-v6
d4643 1 a4643 1 Like notify-source, d4648 1 a4648 1
- coresize
d4720 1 a4720 1- datasize
d4733 2 a4734 2 max-cache-size and recursive-clients d4737 1 a4737 1- files
d4742 1 a4742 1- stacksize
d4749 1 a4749 1d4757 2 a4758 2
- max-ixfr-log-size
d4762 1 a4762 1 max-journal-size performs a d4765 1 a4765 1- max-journal-size
d4768 1 a4768 1 (see the section called “The journal file”). When the journal file d4778 1 a4778 1- host-statistics-max
d4784 5 a4788 6- recursive-clients
The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4791 7 a4797 24 bit of memory (on the order of 20 kilobytes), the value of the recursive-clients option may have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.- tcp-clients
d4803 1 a4803 175- clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
- fetches-per-zone
The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetches-per-server
The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetch-quota-params
Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- reserved-sockets
d4808 1 a4808 1 interfaces named listens on, tcp-clients as well as d4819 1 a4819 1- max-cache-size
d4841 1 a4841 1- tcp-listen-queue
d4850 1 a4850 1 be used; on most platforms this sets the listen queue d4855 1 a4855 1d4966 2 a4967 2 (but see the rrset-order statement in the section called “RRset Ordering”). d4978 1 a4978 1 The sortlist statement (see below) d4980 1 a4980 1 an address_match_list and d4982 1 a4982 1 more specifically than the topology d4984 3 a4986 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d4989 1 a4989 1 an IP prefix, an ACL name or a nested address_match_list) d5001 2 a5002 2 treated the same as the address_match_list in a topology statement. Each top d5067 1 a5067 1
- cleaning-interval
d4863 1 a4863 1 from the cache every cleaning-interval minutes. d4870 1 a4870 1- heartbeat-interval
d4873 1 a4873 1 for all zones marked as dialup whenever this d4880 1 a4880 1- interface-interval
d4883 1 a4883 1 every interface-interval d4891 1 a4891 1 listen-on configuration), and d4895 1 a4895 1- statistics-interval
d4899 1 a4899 1 every statistics-interval d4914 1 a4914 1d5074 1 a5074 1 The rrset-order statement permits d5077 2 a5078 2 See also the sortlist statement, the section called “The sortlist Statement”. d5081 1 a5081 1 An order_spec is defined as d5091 3 a5093 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5096 1 a5096 1 The legal values for ordering are: d5100 2 a5101 2d5106 1 a5106 1 fixed
d5117 1 a5117 1random
d5127 1 a5127 1cyclic
d5158 1 a5158 1 If multiple rrset-order statements d5168 1 a5168 1 rrset-order statement does not support d5175 1 a5175 1d5178 2 a5179 2
- lame-ttl
d5196 1 a5196 1- max-ncache-ttl
d5199 1 a5199 1 the server stores negative answers. max-ncache-ttl is d5203 2 a5204 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5208 1 a5208 1- max-cache-ttl
d5218 1 a5218 1- min-roots
d5233 1 a5233 1- sig-validity-interval
d5238 1 a5238 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5255 1 a5255 1 The sig-validity-interval d5261 1 a5261 1- sig-signing-nodes
d5268 1 a5268 1- sig-signing-signatures
d5275 1 a5275 1- sig-signing-type
d5288 1 a5288 1 named to track the current state of d5292 2 a5293 2 rndc signing -listzone. Once named has finished signing d5297 1 a5297 1 rndc signing -clearkeyid/algorithmzone. d5300 1 a5300 1 rndc signing -clear allzone. d5304 1 a5304 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5328 4 a5331 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5335 1 a5335 1- edns-udp-size
d5343 1 a5343 1 edns-udp-size to a non-default d5349 1 a5349 1 named will fallback to using 512 bytes d5356 1 a5356 1- max-udp-size
d5360 1 a5360 1 named will send in bytes. d5364 1 a5364 1 max-udp-size to a non-default d5369 1 a5369 1 buffer (edns-udp-size). d5376 1 a5376 1- masterfile-format
d5380 1 a5380 1 the section called “Additional File Formats”). d5386 2 a5387 2 named-compilezone tool, or dumped by named. d5391 1 a5391 1textis loaded, named d5394 1 a5394 1 check-names checks do not apply d5398 1 a5398 1 specified in the named configuration d5400 1 a5400 1 masterfile-format for all zones, d5402 3 a5404 3 by including a masterfile-format statement within the zone or view block in the configuration d5409 1 a5409 14 max-recursion-depthSets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
- max-recursion-queries d5411 54 a5464 10
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75.
- notify-delay
d5472 1 a5472 1 zones is controlled by serial-query-rate. d5475 1 a5475 1- max-rsa-exponent-size
d5484 1 a5484 1d5491 1 a5491 1 CHAOS class. These zones are part d5493 1 a5493 1 built-in view (see the section called “view Statement Grammar”) of d5495 3 a5497 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5499 3 a5501 3 overridden: notify, recursion and allow-new-zones are d5506 1 a5506 1 below, or hide the built-in CHAOS d5508 1 a5508 1 defining an explicit view of class CHAOS d5511 2 a5512 2
- version
d5516 1 a5516 1 with type TXT, class CHAOS. d5518 1 a5518 1 Specifying version none d5521 1 a5521 1- hostname
d5525 1 a5525 1 with type TXT, class CHAOS. d5531 1 a5531 1 answering your queries. Specifying hostname none; d5534 1 a5534 1- server-id
d5539 1 a5539 1 TXT, class CHAOS. d5542 1 a5542 1 answering your queries. Specifying server-id none; d5544 1 a5544 1 Specifying server-id hostname; will cause named to d5546 1 a5546 1 The default server-id is none. d5550 1 a5550 1d5573 98 a5670 98d5954 1 a5954 1 response-policy option for the view or among the d5959 1 a5959 1 allow-query { localhost; };. d6005 2 a6006 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6014 1 a6014 1 DISABLED actions) must be chosen. d6018 2 a6019 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a5696 1d5701 3 a5703 4
- empty-server
d5709 1 a5709 1- empty-contact
d5715 1 a5715 1- empty-zones-enable
d5720 1 a5720 1- disable-empty-zone
d5727 1 a5727 1d5731 1 a5731 1 The additional section cache, also called acache, d5736 1 a5736 1 Note that acache is an internal caching d5751 3 a5753 3 additional-from-cache to no is recommended, since the current implementation of acache d5758 1 a5758 1 One obvious disadvantage of acache is d5763 3 a5765 3 acache mechanism can be disabled by setting acache-enable to no. d5768 1 a5768 1 for acache by using max-acache-size. d5773 2 a5774 2 Without acache, cyclic order is effective for the additional d5779 1 a5779 1 setting of rrset-order. d5788 1 a5788 1 acache. d5790 2 a5791 2d5828 1 a5828 1 deny-answer-addresses option. d5833 1 a5833 1 deny-answer-aliases option, where d5837 1 a5837 1 with except-from, records whose query name d5841 1 a5841 1 corresponding zone, the deny-answer-aliases d5844 1 a5844 1 deny-answer-aliases, d5852 1 a5852 1 deny-answer-addresses option, only d5873 1 a5873 1 d5907 1 a5907 1 matches the except-from element, d5941 1 a5941 1
- Choose the triggered record in the zone that appears d6022 1 a6022 1
- Prefer QNAME to IP to NSDNAME to NSIP triggers d6025 1 a6025 1
- Among NSDNAME triggers, prefer the d6028 1 a6028 1
- Among IP or NSIP triggers, prefer the trigger d6031 1 a6031 1
- Among triggers with the same prefix length, d6049 2 a6050 2
d6219 2 a6220 2 rate-limit clause in an options or view statement. d6247 1 a6247 1 the window option to any value from d6251 1 a6251 1 or more negative than window d6262 2 a6263 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6268 1 a6268 1 with responses-per-second d6273 2 a6274 2 nodata-per-second (default responses-per-second). d6278 2 a6279 2 They are limited by nxdomain-per-second (default responses-per-second). d6286 2 a6287 2 referrals-per-second (default responses-per-second). d6301 1 a6301 1 responses-per-second value, d6303 1 a6303 1 errors-per-second. d6313 1 a6313 1 Setting slip to 2 (its default) causes every d6319 1 a6319 1 slip must be between 0 and 10. d6327 1 a6327 1 leaked at the slip rate. d6338 1 a6338 1 slip to 1, causing all rate-limited d6344 6 a6349 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6352 1 a6352 1 qps-scale 250; responses-per-second 20; and d6363 2 a6364 2 rate-limit statements in view statements instead of the global option d6366 2 a6367 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6370 1 a6370 1 with the exempt-clients clause. d6374 1 a6374 1 all-per-second phrase. d6376 3 a6378 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6383 2 a6384 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6386 1 a6386 1 An all-per-second limit should be d6394 1 a6394 1 records as it considers the STMP Mail From d6398 1 a6398 1 All-per-second is similar to the d6410 1 a6410 1 rate limit responses is set with max-table-size. d6416 1 a6416 1 min-table-size (default 500) d6418 1 a6418 1 Enable rate-limit category logging to monitor d6423 1 a6423 1 Use log-only yes to test rate limiting parameters d6428 1 a6428 1 RateDropped and QryDropped d6431 1 a6431 1 RateSlipped and RespTruncated. d6435 1 a6435 1
- The NXDOMAIN response is encoded d6053 2 a6054 2
- A CNAME whose target is the wildcard top-level domain (*.) specifies the NODATA action, d6057 1 a6057 1
- The Local Data action is d6069 2 a6070 2
- The PASSTHRU policy is specified by a CNAME whose target is rpz-passthru. d6082 2 a6083 2 policy clause in the response-policy option. d6087 3 a6089 3
- GIVEN says "do not override but d6092 2 a6093 2
- DISABLED causes policy records to do d6101 2 a6102 2
- PASSTHRU causes all policy records d6107 2 a6108 2
- NXDOMAIN causes all RPZ records d6111 2 a6112 2
- NODATA overrides with the d6115 2 a6116 2
- CNAME domain causes all RPZ d6126 1 a6126 1 with a recursive-only no clause. d6138 1 a6138 1 break-dnssec yes clause. d6147 1 a6147 1 The max-policy-ttl clause changes that d6205 1 a6205 1 RPZRewrites statistics. d6208 1 a6208 1
serverip_addr[/prefixlen]{ d6448 1 a6448 1 [ keys {key_id}; ] d6463 1 a6463 1d6465 1 a6465 1 server Statement Definition and d6468 1 a6468 1 The server statement defines d6477 1 a6477 1 The server statement can occur at d6479 1 a6479 1 configuration file or inside a view d6481 2 a6482 2 If a view statement contains one or more server statements, only d6485 1 a6485 1 If a view contains no server d6487 1 a6487 1 any top-level server statements are d6495 1 a6495 1 value of bogus is no. d6498 1 a6498 1 The provide-ixfr clause determines d6503 1 a6503 1 If set to yes, incremental transfer d6505 1 a6505 1 whenever possible. If set to no, d6509 1 a6509 1 of the provide-ixfr option in the d6514 1 a6514 1 The request-ixfr clause determines d6518 1 a6518 1 value of the request-ixfr option in d6529 3 a6531 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d6538 1 a6538 1 The edns clause determines whether d6540 1 a6540 1 with the remote server. The default is yes. d6543 2 a6544 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. d6552 2 a6553 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d6557 1 a6557 1 replies from named. d6560 3 a6562 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d6566 3 a6568 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d6570 1 a6570 1 by the options statement will be d6573 1 a6573 1transfers d6576 1 a6576 1 transfers clause is specified, the d6578 1 a6578 1 transfers-per-ns option. d6581 3 a6583 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d6592 5 a6596 1 Only a single key per server is currently supported. d6599 2 a6600 2 The transfer-source and transfer-source-v6 clauses specify d6604 1 a6604 1 For an IPv4 remote server, only transfer-source can d6607 1 a6607 1 transfer-source-v6 can be d6610 3 a6612 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d6615 2 a6616 2 The notify-source and notify-source-v6 clauses specify the d6619 1 a6619 1 IPv4 remote server, only notify-source d6621 1 a6621 1 only notify-source-v6 can be specified. d6624 2 a6625 2 The query-source and query-source-v6 clauses specify the d6628 1 a6628 1 remote server, only query-source can d6630 1 a6630 1 only query-source-v6 can be specified. d6633 1 a6633 1 The request-nsid clause determines d6636 2 a6637 2 request-nsid set at the view or option level. d6640 1 a6640 1
statistics-channels { d6650 1 a6650 1d6652 1 a6652 1 statistics-channels Statement Definition and d6655 1 a6655 1 The statistics-channels statement d6665 1 a6665 1 the statistics-channels statement is d6670 4 a6673 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d6677 1 a6677 1 use an ip_addr of::. d6682 1 a6682 1 ip_port. d6686 1 a6686 1 restricted by the optional allow clause. d6688 3 a6690 3 address_match_list. If no allow clause is present, named accepts connection d6697 2 a6698 2 If no statistics-channels statement is present, named will not open any communication channels. d6703 3 a6705 3 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables d6707 1 a6707 1 BIND 9 is configured with --enable-newstats, d6716 4 a6719 4 can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. d6725 1 a6725 1trusted-keys { d6734 1 a6734 1d6736 1 a6736 1 trusted-keys Statement Definition d6739 2 a6740 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d6751 1 a6751 1 trusted-keys are deemed to exist regardless d6753 1 a6753 1 trusted-keys only those keys are d6758 1 a6758 1 The trusted-keys statement can contain d6767 1 a6767 1 trusted-keys may be set at the top level d6774 1 a6774 1managed-keys { d6783 1 a6783 1d6785 1 a6785 1 managed-keys Statement Definition d6788 2 a6789 2 The managed-keys statement, like trusted-keys, defines DNSSEC d6791 1 a6791 1 managed-keys can be kept up to date d6799 1 a6799 1 trusted-keys statement would be d6803 1 a6803 1 trusted-keys statement with the new key. d6807 1 a6807 1 managed-keys statement instead, then the d6809 2 a6810 2 named would store the stand-by key, and when the original key was revoked, named d6817 1 a6817 1 A managed-keys statement contains a list of d6822 1 a6822 1 This means the managed-keys statement must d6828 2 a6829 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d6832 1 a6832 1 keys listed in a trusted-keys continue to be d6834 2 a6835 2named.conf, an initializing key listed in a managed-keys statement is only trusted d6841 1 a6841 1 The first time named runs with a managed key d6844 1 a6844 1 using the key specified in the managed-keys d6849 2 a6850 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d6853 1 a6853 1 key specified in the managed-keys is not d6858 1 a6858 1 The next time named runs after a name d6860 1 a6860 1 managed-keys statement, the corresponding d6866 3 a6868 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d6880 1 a6880 1 seconds. So, whenever named is using d6884 1 a6884 1 named.) d6887 2 a6888 2 If the dnssec-validation option is set toauto, named d6890 1 a6890 1 root zone. Similarly, if the dnssec-lookaside d6892 1 a6892 1 named will automatically initialize d6895 2 a6896 2 maintenance process is built into named, and can be overridden from bindkeys-file. d6899 1 a6899 1viewview_named6912 1 a6912 1d7034 1 a7034 1 zone d7036 1 a7036 1zonezone_name[class] { d7046 2 d7187 1 a7187 1 [ zone-statisticsfull|terse|none; ] d7200 2 a7201 2 [ server-names { [namelist] }; ] [ zone-statisticsfull|terse|none; ] d7224 1 a7224 1The type keyword is required for the zone configuration. Its acceptable values include:
d7232 2 a7233 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7260 1 a7260 1 zone. The masters list d7375 2 a7376 2 server-addresses and server-names zone options. d7382 1 a7382 1 databases by rndc dumpdb -all. d7400 1 a7400 1 glue A or AAAA RRs d7413 4 a7416 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d7420 1 a7420 1 name. If no forwarders d7422 1 a7422 1 an empty list for forwarders is given, then no d7425 1 a7425 1 any forwarders in the options statement. Thus d7428 1 a7428 1 global forward option d7470 1 a7470 1 per view. allow-query can be d7484 1 a7484 1 that point to the desired addresses: d7492 1 a7492 1 "*.ES." instead of "*.". To redirect all d7507 1 a7507 1 rndc reload d7510 1 a7510 1 rndc reload without specifying d7538 1 a7538 1 See caveats in root-delegation-only. d7545 1 a7545 1 d7567 1 a7567 1 d8508 1 a8508 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d8515 2 a8516 2
- allow-notify
d7574 1 a7574 1 allow-notify in the section called “Access Control”. d7576 1 a7576 1- allow-query
d7579 1 a7579 1 allow-query in the section called “Access Control”. d7581 1 a7581 1- allow-query-on
d7584 1 a7584 1 allow-query-on in the section called “Access Control”. d7586 1 a7586 1- allow-transfer
d7588 2 a7589 2 See the description of allow-transfer in the section called “Access Control”. d7591 1 a7591 1- allow-update
d7593 2 a7594 2 See the description of allow-update in the section called “Access Control”. d7596 1 a7596 1- update-policy
d7599 1 a7599 1 the section called “Dynamic Update Policies”. d7601 1 a7601 1- allow-update-forwarding
d7603 2 a7604 2 See the description of allow-update-forwarding in the section called “Access Control”. d7606 1 a7606 1- also-notify
d7608 1 a7608 1 Only meaningful if notify d7617 1 a7617 1 with also-notify. A port d7619 1 a7619 1 with each also-notify d7625 1 a7625 1 also-notify is not d7629 1 a7629 1- check-names
d7635 3 a7637 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d7639 1 a7639 1- check-mx
d7642 1 a7642 1 check-mx in the section called “Boolean Options”. d7644 1 a7644 1- check-spf
d7647 1 a7647 1 check-spf in the section called “Boolean Options”. d7649 1 a7649 1- check-wildcard
d7652 1 a7652 1 check-wildcard in the section called “Boolean Options”. d7654 1 a7654 1- check-integrity
d7657 1 a7657 1 check-integrity in the section called “Boolean Options”. d7659 1 a7659 1- check-sibling
d7662 1 a7662 1 check-sibling in the section called “Boolean Options”. d7664 1 a7664 1- zero-no-soa-ttl
d7667 1 a7667 1 zero-no-soa-ttl in the section called “Boolean Options”. d7669 1 a7669 1- update-check-ksk
d7672 1 a7672 1 update-check-ksk in the section called “Boolean Options”. d7674 1 a7674 1- dnssec-loadkeys-interval
d7677 2 a7678 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d7681 1 a7681 1- dnssec-update-mode
d7684 1 a7684 7 dnssec-update-mode in the section called “options Statement Definition and Usage”.- dnssec-dnskey-kskonly
See the description of dnssec-dnskey-kskonly in the section called “Boolean Options”. d7686 1 a7686 1
- try-tcp-refresh
d7689 1 a7689 1 try-tcp-refresh in the section called “Boolean Options”. d7691 1 a7691 1- database
d7695 1 a7695 1 zone data. The string following the database keyword d7717 1 a7717 1- dialup
d7720 1 a7720 1 dialup in the section called “Boolean Options”. d7722 1 a7722 1- delegation-only
d7731 1 a7731 1 See caveats in root-delegation-only. d7734 1 a7734 1- forward
d7737 1 a7737 1 list. The only value causes d7739 1 a7739 1 after trying the forwarders and getting no answer, while first would d7742 1 a7742 1- forwarders
d7745 1 a7745 1 If it is not specified in a zone of type forward, d7749 1 a7749 1- ixfr-base
d7761 1 a7761 1- ixfr-tmp-file
d7766 1 a7766 1- journal
d7770 1 a7770 1 This is applicable to master and slave zones. d7772 1 a7772 1- max-journal-size
d7775 1 a7775 1 max-journal-size in the section called “Server Resource Limits”. d7777 1 a7777 1- max-transfer-time-in
d7780 1 a7780 1 max-transfer-time-in in the section called “Zone Transfers”. d7782 1 a7782 1- max-transfer-idle-in
d7785 1 a7785 1 max-transfer-idle-in in the section called “Zone Transfers”. d7787 1 a7787 1- max-transfer-time-out
d7790 1 a7790 1 max-transfer-time-out in the section called “Zone Transfers”. d7792 1 a7792 1- max-transfer-idle-out
d7795 1 a7795 1 max-transfer-idle-out in the section called “Zone Transfers”. d7797 1 a7797 1- notify
d7800 1 a7800 1 notify in the section called “Boolean Options”. d7802 1 a7802 1- notify-delay
d7805 1 a7805 1 notify-delay in the section called “Tuning”. d7807 1 a7807 1- notify-to-soa
d7810 2 a7811 2 notify-to-soa in the section called “Boolean Options”. d7813 1 a7813 1- pubkey
d7822 1 a7822 1- zone-statistics
d7824 5 a7828 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d7830 1 a7830 1- server-addresses
d7844 1 a7844 1 in a server-addresses option, d7859 1 a7859 1- server-names
d7867 1 a7867 1 named needs to send queries to d7875 1 a7875 1 server-names option, but d7885 1 a7885 1 in a server-names option, d7902 1 a7902 1- sig-validity-interval
d7905 1 a7905 1 sig-validity-interval in the section called “Tuning”. d7907 1 a7907 1- sig-signing-nodes
d7910 1 a7910 1 sig-signing-nodes in the section called “Tuning”. d7912 1 a7912 1- sig-signing-signatures
d7915 1 a7915 1 sig-signing-signatures in the section called “Tuning”. d7917 1 a7917 1- sig-signing-type
d7920 1 a7920 1 sig-signing-type in the section called “Tuning”. d7922 1 a7922 1- transfer-source
d7925 1 a7925 1 transfer-source in the section called “Zone Transfers”. d7927 1 a7927 1- transfer-source-v6
d7930 1 a7930 1 transfer-source-v6 in the section called “Zone Transfers”. d7932 1 a7932 1- alt-transfer-source
d7935 1 a7935 1 alt-transfer-source in the section called “Zone Transfers”. d7937 1 a7937 1- alt-transfer-source-v6
d7940 1 a7940 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d7942 1 a7942 1- use-alt-transfer-source
d7945 1 a7945 1 use-alt-transfer-source in the section called “Zone Transfers”. d7947 1 a7947 1- notify-source
d7950 1 a7950 1 notify-source in the section called “Zone Transfers”. d7952 1 a7952 1- notify-source-v6
d7955 1 a7955 1 notify-source-v6 in the section called “Zone Transfers”. d7958 1 a7958 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d7961 1 a7961 1 See the description in the section called “Tuning”. d7963 1 a7963 1- ixfr-from-differences
d7966 2 a7967 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d7972 1 a7972 1- key-directory
d7975 2 a7976 1 key-directory in the section called “options Statement Definition and d7979 63 a8041 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8050 1 a8050 1- multi-master
d8052 2 a8053 2 See the description of multi-master in the section called “Boolean Options”. d8055 1 a8055 1- masterfile-format
d8057 2 a8058 2 See the description of masterfile-format in the section called “Tuning”. d8060 1 a8060 1- dnssec-secure-to-insecure
d8063 1 a8063 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8067 1 a8067 1d8073 2 a8074 2 allow-update and update-policy option, respectively. d8077 1 a8077 1 The allow-update clause works the d8083 1 a8083 1 The update-policy clause d8093 1 a8093 1 Rules are specified in the update-policy d8095 1 a8095 1 When the update-policy statement d8097 2 a8098 2 allow-update statement to be present. The update-policy statement d8103 1 a8103 1 There is a pre-defined update-policy d8105 1 a8105 1 update-policy local;. d8107 1 a8107 1 named to generate a TSIG session d8113 3 a8115 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8127 1 a8127 1 The command nsupdate -l sends update d8134 1 a8134 1 ( grant | deny )identitynametype[name] [types] d8189 2 a8190 2d8234 1 a8234 1 update-policy statement d8237 1 a8237 1 update-policy statement in d8257 1 a8257 1 is a valid expansion of the wildcard. d8323 1 a8323 1 and converts it machine.realm allowing the machine d8338 1 a8338 1 This rule takes a Windows machine principal d8357 1 a8357 1 and converts it machine.realm allowing the machine d8372 1 a8372 1 This rule takes a Kerberos machine principal d8430 1 a8430 1 This rule allows named d8484 1 a8484 1 d8594 2 a8595 2 a8667 64 ATMA ATM Address.
AVC
Application Visibility and Control record.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a8693 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a8706 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a8750 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a8775 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a8829 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a8842 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a8869 38 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NINFO
Contains zone status information.
NIMLOC
Nimrod Locator.
a8882 12 NSAP-PTR
Historical.
a8946 12 NULL
This is an opaque container.
a8965 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a8991 12 RKEY
Resource key.
a9047 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a9099 37 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9111 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d1502 7 a1508 4 d9144 2 a9145 2
d9234 1 a9234 1 d9276 3 a9278 3 d9394 3 a9396 3 d9437 1 a9437 1 d9477 5 a9481 5 d9620 1 a9620 1 d9712 2 a9713 2 d9745 1 a9745 1 The $ORIGIN lines in the examples d9753 1 a9753 1 d9765 2 a9766 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d9768 1 a9768 1 d9774 1 a9774 1 At the start of the zone file, it is the d9779 1 a9779 1 d9783 1 a9783 1 Syntax: $ORIGIN d9787 1 a9787 1 $ORIGIN d9790 2 a9791 2 is an implicit $ORIGIN <
d9812 1 a9812 1 Syntax: $INCLUDE d9820 3 a9822 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d9827 1 a9827 1 revert to the values they had prior to the $INCLUDE once d9835 1 a9835 1 an $INCLUDE, but it is silent d9844 1 a9844 1 d9848 1 a9848 1 Syntax: $TTL d9858 1 a9858 1zone_name>. d9793 2 a9794 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d9808 1 a9808 1$TTL d9863 1 a9863 1
d9867 1 a9867 1 Syntax: $GENERATE d9876 1 a9876 1$GENERATE d9879 1 a9879 1 iterator. $GENERATE can be used to d9921 2 a9922 2
d9927 1 a9927 1 range
d9941 1 a9941 1lhs
d9946 1 a9946 1 to be created. Any single $ d9948 1 a9948 1 symbols within the lhs string d9952 4 a9955 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d9960 4 a9963 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d9969 3 a9971 3 (d), octal (o), hexadecimal (x or X d9973 1 a9973 1 (n or N\ d9975 3 a9977 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d9989 1 a9989 1 $$ is still recognized as d9996 1 a9996 1ttl
d10004 2 a10005 2class and ttl can be d10012 1 a10012 1
class
d10020 2 a10021 2class and ttl can be d10028 1 a10028 1
type
d10038 1 a10038 1rhs
d10042 1 a10042 1 rhs, optionally, quoted string. d10049 1 a10049 1 The $GENERATE directive is a BIND extension d10056 1 a10056 1d10072 1 a10072 1 named-compilezone command. For a d10075 2 a10076 2 masterfile-format option) when named dumps the zone contents after d10082 1 a10082 1 named-compilezone command. All d10085 1 a10085 1 named-compilezone command again. d10099 1 a10099 1d10889 2 a10890 2d10117 2 a10118 2d10217 5 a10221 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a10223 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d10227 1 a10227 1 by the statistics-file configuration option. d10229 1 a10229 1 when the statistics-channels statement d10231 1 a10231 1 (see the section called “statistics-channels Statement Grammar”.) d10233 3 a10235 3
d10240 1 a10240 1 +++ Statistics Dump +++ (973798949) d10252 1 a10252 1 ++ Name Server Statistics ++ d10266 1 a10266 1 --- Statistics Dump --- (973798949) d10269 1 a10269 1d10293 3 a10295 3d10317 1 a10317 1 Requestv4
d10320 1 a10320 1RQ
d10331 1 a10331 1Requestv6
d10334 1 a10334 1RQ
d10345 1 a10345 1ReqEdns0
d10348 1 a10348 1d10358 1 a10358 1
ReqBadEDNSVer
d10361 1 a10361 1d10371 1 a10371 1
ReqTSIG
d10374 1 a10374 1d10384 1 a10384 1
ReqSIG0
d10387 1 a10387 1d10397 1 a10397 1
ReqBadSIG
d10400 1 a10400 1d10410 1 a10410 1
ReqTCP
d10413 1 a10413 1RTCP
d10423 1 a10423 1AuthQryRej
d10426 1 a10426 1RUQ
d10436 1 a10436 1RecQryRej
d10439 1 a10439 1RURQ
d10449 1 a10449 1XfrRej
d10452 1 a10452 1RUXFR
d10462 1 a10462 1UpdateRej
d10465 1 a10465 1RUUpd
d10475 1 a10475 1Response
d10478 1 a10478 1SAns
d10488 1 a10488 1RespTruncated
d10491 1 a10491 1d10501 1 a10501 1
RespEDNS0
d10504 1 a10504 1d10514 1 a10514 1
RespTSIG
d10517 1 a10517 1d10527 1 a10527 1
RespSIG0
d10530 1 a10530 1d10540 1 a10540 1
QrySuccess
d10543 1 a10543 1d10551 1 a10551 1 success counter d10559 1 a10559 1
QryAuthAns
d10562 1 a10562 1d10572 1 a10572 1
QryNoauthAns
d10575 1 a10575 1SNaAns
d10585 1 a10585 1QryReferral
d10588 1 a10588 1d10594 1 a10594 1 referral counter d10602 1 a10602 1
QryNxrrset
d10605 1 a10605 1d10611 1 a10611 1 nxrrset counter d10619 1 a10619 1
QrySERVFAIL
d10622 1 a10622 1SFail
d10632 1 a10632 1QryFORMERR
d10635 1 a10635 1SFErr
d10645 1 a10645 1QryNXDOMAIN
d10648 1 a10648 1SNXD
d10654 1 a10654 1 nxdomain counter d10662 1 a10662 1QryRecursion
d10665 1 a10665 1RFwdQ
d10672 1 a10672 1 recursion counter d10680 1 a10680 1QryDuplicate
d10683 1 a10683 1RDupQ
d10692 1 a10692 1 duplicate counter d10700 1 a10700 1QryDropped
d10703 1 a10703 1d10713 1 a10713 1 clients-per-query d10715 1 a10715 1 max-clients-per-query d10718 1 a10718 1 clients-per-query.) d10720 1 a10720 1 dropped counter d10728 1 a10728 1
QryFailure
d10731 1 a10731 1d10737 1 a10737 1 failure counter d10743 2 a10744 2 AuthQryRej and RecQryRej d10753 1 a10753 1
XfrReqDone
d10756 1 a10756 1d10766 1 a10766 1
UpdateReqFwd
d10769 1 a10769 1d10779 1 a10779 1
UpdateRespFwd
d10782 1 a10782 1d10792 1 a10792 1
UpdateFwdFail
d10795 1 a10795 1d10805 1 a10805 1
UpdateDone
d10808 1 a10808 1d10818 1 a10818 1
UpdateFail
d10821 1 a10821 1d10831 1 a10831 1
UpdateBadPrereq
d10834 1 a10834 1d10844 1 a10844 1
RPZRewrites
d10847 1 a10847 1d10857 1 a10857 1
RateDropped
d10860 1 a10860 1d10870 1 a10870 1
RateSlipped
d10873 1 a10873 1d10884 1 a10884 1
d10907 1 a10907 1 NotifyOutv4
d10917 1 a10917 1NotifyOutv6
d10927 1 a10927 1NotifyInv4
d10937 1 a10937 1NotifyInv6
d10947 1 a10947 1NotifyRej
d10957 1 a10957 1SOAOutv4
d10967 1 a10967 1SOAOutv6
d10977 1 a10977 1AXFRReqv4
d10987 1 a10987 1AXFRReqv6
d10997 1 a10997 1IXFRReqv4
d11007 1 a11007 1IXFRReqv6
d11017 1 a11017 1XfrSuccess
d11027 1 a11027 1XfrFail
d11038 1 a11038 1 d11043 3 a11045 3d11067 1 a11067 1 Queryv4
d11070 1 a11070 1SFwdQ
d11080 1 a11080 1Queryv6
d11083 1 a11083 1SFwdQ
d11093 1 a11093 1Responsev4
d11096 1 a11096 1RR
d11106 1 a11106 1Responsev6
d11109 1 a11109 1RR
d11119 1 a11119 1NXDOMAIN
d11122 1 a11122 1RNXD
d11132 1 a11132 1SERVFAIL
d11135 1 a11135 1RFail
d11145 1 a11145 1FORMERR
d11148 1 a11148 1RFErr
d11158 1 a11158 1OtherError
d11161 1 a11161 1RErr
d11171 1 a11171 1EDNS0Fail
d11174 1 a11174 1d11184 1 a11184 1
Mismatch
d11187 1 a11187 1RDupR
d11196 1 a11196 1 the port option.) d11204 1 a11204 1Truncated
d11207 1 a11207 1d11217 1 a11217 1
Lame
d11220 1 a11220 1RLame
d11230 1 a11230 1Retry
d11233 1 a11233 1SDupQ
d11243 1 a11243 1QueryAbort
d11246 1 a11246 1d11256 1 a11256 1
QuerySockFail
d11259 1 a11259 1d11272 1 a11272 1
QueryTimeout
d11275 1 a11275 1d11285 1 a11285 1
GlueFetchv4
d11288 1 a11288 1SSysQ
d11298 1 a11298 1GlueFetchv6
d11301 1 a11301 1SSysQ
d11311 1 a11311 1GlueFetchv4Fail
d11314 1 a11314 1d11324 1 a11324 1
GlueFetchv6Fail
d11327 1 a11327 1d11337 1 a11337 1
ValAttempt
d11340 1 a11340 1d11350 1 a11350 1
ValOk
d11353 1 a11353 1d11363 1 a11363 1
ValNegOk
d11366 1 a11366 1d11376 1 a11376 1
ValFail
d11379 1 a11379 1d11389 1 a11389 1
QryRTTnn
d11392 1 a11392 1d11398 1 a11398 1 Each nn specifies the corresponding d11401 2 a11402 2 nn_1, nn_2, d11404 2 a11405 2 nn_m, the value of nn_i is the d11407 2 a11408 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d11410 1 a11410 1 nn_0 to be 0. d11412 1 a11412 1 nn_m+, which means the d11414 1 a11414 1 nn_m milliseconds. d11421 1 a11421 1 d11427 6 a11432 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d11434 1 a11434 1 In the following table <TYPE> d11441 2 a11442 2
d11459 1 a11459 1 <TYPE>Open
d11465 1 a11465 1 FDwatch type. d11471 1 a11471 1<TYPE>OpenFail
d11477 1 a11477 1 FDwatch type. d11483 1 a11483 1<TYPE>Close
d11493 1 a11493 1<TYPE>BindFail
d11503 1 a11503 1<TYPE>ConnFail
d11513 1 a11513 1<TYPE>Conn
d11523 1 a11523 1<TYPE>AcceptFail
d11529 2 a11530 2 UDP and FDwatch types. d11536 1 a11536 1<TYPE>Accept
d11542 2 a11543 2 UDP and FDwatch types. d11549 1 a11549 1<TYPE>SendErr
d11555 2 a11556 2 to SErr counter of BIND 8. d11562 1 a11562 1<TYPE>RecvErr
d11576 1 a11576 1 d11581 2 a11582 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d11586 2 a11587 2d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar a2272 1 [ max-rsa-exponent-size
- RFwdR,SFwdR
d11590 1 a11590 1 because BIND 9 does not adopt d11592 1 a11592 1 as BIND 8 did. d11594 1 a11594 1- RAXFR
d11598 1 a11598 1- RIQ
d11602 1 a11602 1- ROpts
d11605 1 a11605 1 because BIND 9 does not care d11630 1 a11630 1BIND 9.9.9-P8 (Extended Support Version)
@ 1.1.1.9.4.2 log @Apply patches (requested by spz in ticket #751): external/bsd/bind/bin/dnssec/Makefile patch external/bsd/bind/bin/dnssec/dnssec-verify/Makefile patch external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/Makefile.in patch external/bsd/bind/dist/README patch external/bsd/bind/dist/acconfig.h patch external/bsd/bind/dist/config.h.in patch external/bsd/bind/dist/configure patch external/bsd/bind/dist/configure.in patch external/bsd/bind/dist/isc-config.sh.in patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/Makefile.in patch external/bsd/bind/dist/bin/check/Makefile.in patch external/bsd/bind/dist/bin/check/check-tool.c patch external/bsd/bind/dist/bin/confgen/Makefile.in patch external/bsd/bind/dist/bin/confgen/unix/Makefile.in patch external/bsd/bind/dist/bin/dig/Makefile.in patch external/bsd/bind/dist/bin/dig/nslookup.c patch external/bsd/bind/dist/bin/dnssec/Makefile.in patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.c patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.html patch external/bsd/bind/dist/bin/dnssec/dnssectool.c patch external/bsd/bind/dist/bin/dnssec/dnssectool.h patch external/bsd/bind/dist/bin/named/Makefile.in patch external/bsd/bind/dist/bin/named/bindkeys.pl patch external/bsd/bind/dist/bin/named/builtin.c patch external/bsd/bind/dist/bin/named/client.c patch external/bsd/bind/dist/bin/named/config.c patch external/bsd/bind/dist/bin/named/controlconf.c patch external/bsd/bind/dist/bin/named/convertxsl.pl patch external/bsd/bind/dist/bin/named/query.c patch external/bsd/bind/dist/bin/named/server.c patch external/bsd/bind/dist/bin/named/statschannel.c patch external/bsd/bind/dist/bin/named/unix/Makefile.in patch external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/nsupdate/Makefile.in patch external/bsd/bind/dist/bin/nsupdate/nsupdate.c patch external/bsd/bind/dist/bin/pkcs11/Makefile.in patch external/bsd/bind/dist/bin/python/Makefile.in patch external/bsd/bind/dist/bin/python/dnssec-checkds.8 patch external/bsd/bind/dist/bin/python/dnssec-checkds.docbookpatch external/bsd/bind/dist/bin/python/dnssec-checkds.html patch external/bsd/bind/dist/bin/python/dnssec-checkds.py.in patch external/bsd/bind/dist/bin/rndc/Makefile.in patch external/bsd/bind/dist/bin/tests/Makefile.in patch external/bsd/bind/dist/bin/tests/b8t.mk patch external/bsd/bind/dist/bin/tests/b9t.mk patch external/bsd/bind/dist/bin/tests/headerdep_test.sh.in patch external/bsd/bind/dist/bin/tests/rbt_test.txt patch external/bsd/bind/dist/bin/tests/resolv.conf.sample patch external/bsd/bind/dist/bin/tests/t_api.pl patch external/bsd/bind/dist/bin/tests/atomic/Makefile.in patch external/bsd/bind/dist/bin/tests/db/Makefile.in patch external/bsd/bind/dist/bin/tests/dnssec-signzone/run-test.sh patch external/bsd/bind/dist/bin/tests/dst/Makefile.in patch external/bsd/bind/dist/bin/tests/dst/t_dst.c patch external/bsd/bind/dist/bin/tests/hashes/Makefile.in patch external/bsd/bind/dist/bin/tests/master/Makefile.in patch external/bsd/bind/dist/bin/tests/mem/Makefile.in patch external/bsd/bind/dist/bin/tests/names/Makefile.in patch external/bsd/bind/dist/bin/tests/names/t_names.c patch external/bsd/bind/dist/bin/tests/net/Makefile.in patch external/bsd/bind/dist/bin/tests/rbt/Makefile.in patch external/bsd/bind/dist/bin/tests/resolver/Makefile.in patch external/bsd/bind/dist/bin/tests/resolver/t_resolver.c patch external/bsd/bind/dist/bin/tests/sockaddr/Makefile.in patch external/bsd/bind/dist/bin/tests/startperf/clean.sh patch external/bsd/bind/dist/bin/tests/startperf/makenames.pl patch external/bsd/bind/dist/bin/tests/startperf/mkzonefile.plpatch external/bsd/bind/dist/bin/tests/startperf/setup.sh patch external/bsd/bind/dist/bin/tests/system/Makefile.in patch external/bsd/bind/dist/bin/tests/system/cleanall.sh patch external/bsd/bind/dist/bin/tests/system/cleanpkcs11.sh patch external/bsd/bind/dist/bin/tests/system/conf.sh.in patch external/bsd/bind/dist/bin/tests/system/digcomp.pl patch external/bsd/bind/dist/bin/tests/system/ifconfig.sh patch external/bsd/bind/dist/bin/tests/system/org.isc.bind.system patch external/bsd/bind/dist/bin/tests/system/packet.pl patch external/bsd/bind/dist/bin/tests/system/run.sh patch external/bsd/bind/dist/bin/tests/system/runall.sh patch external/bsd/bind/dist/bin/tests/system/send.pl patch external/bsd/bind/dist/bin/tests/system/setup.sh patch external/bsd/bind/dist/bin/tests/system/start.sh patch external/bsd/bind/dist/bin/tests/system/stop.pl patch external/bsd/bind/dist/bin/tests/system/stop.sh patch external/bsd/bind/dist/bin/tests/system/testsock.pl patch external/bsd/bind/dist/bin/tests/system/testsock6.pl patch external/bsd/bind/dist/bin/tests/system/acl/clean.sh patch external/bsd/bind/dist/bin/tests/system/acl/setup.sh patch external/bsd/bind/dist/bin/tests/system/acl/tests.sh patch external/bsd/bind/dist/bin/tests/system/addzone/clean.shpatch external/bsd/bind/dist/bin/tests/system/addzone/setup.shpatch external/bsd/bind/dist/bin/tests/system/addzone/tests.shpatch external/bsd/bind/dist/bin/tests/system/allow_query/clean.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/setup.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh patch external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/autosign/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh patch external/bsd/bind/dist/bin/tests/system/builtin/tests.shpatch external/bsd/bind/dist/bin/tests/system/cacheclean/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/good.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkds/clean.shpatch external/bsd/bind/dist/bin/tests/system/checkds/dig.sh patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checkds/none.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/ok.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checkds/setup.shpatch external/bsd/bind/dist/bin/tests/system/checkds/tests.shpatch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.dnskey.db patch external/bsd/bind/dist/bin/tests/system/checkds/wrong.example.ds.db patch external/bsd/bind/dist/bin/tests/system/checknames/clean.sh patch external/bsd/bind/dist/bin/tests/system/checknames/setup.sh patch external/bsd/bind/dist/bin/tests/system/checknames/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/database/clean.sh patch external/bsd/bind/dist/bin/tests/system/database/setup.sh patch external/bsd/bind/dist/bin/tests/system/database/tests.sh patch external/bsd/bind/dist/bin/tests/system/dialup/setup.sh patch external/bsd/bind/dist/bin/tests/system/dialup/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlv/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlv/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns6/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/clean.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/setup.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/tests.shpatch external/bsd/bind/dist/bin/tests/system/dlvauto/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlz/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlz/prereq.sh.inpatch external/bsd/bind/dist/bin/tests/system/dlz/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in patch external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/setup.sh patch external/bsd/bind/dist/bin/tests/system/dname/clean.sh patch external/bsd/bind/dist/bin/tests/system/dname/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/clean.sh patch external/bsd/bind/dist/bin/tests/system/dns64/setup.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/dnssec_update_test.pl patch external/bsd/bind/dist/bin/tests/system/dnssec/prereq.shpatch external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expired.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/expiring.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/inline.example.db patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/lower.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/upper.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns4/named3.conf patch external/bsd/bind/dist/bin/tests/system/ecdsa/clean.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh.in patch external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/clean.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/forward/clean.shpatch external/bsd/bind/dist/bin/tests/system/forward/tests.shpatch external/bsd/bind/dist/bin/tests/system/glue/clean.sh patch external/bsd/bind/dist/bin/tests/system/glue/setup.sh patch external/bsd/bind/dist/bin/tests/system/glue/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/clean.sh patch external/bsd/bind/dist/bin/tests/system/gost/prereq.sh.in patch external/bsd/bind/dist/bin/tests/system/gost/setup.sh patch external/bsd/bind/dist/bin/tests/system/gost/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/ns1/sign.shpatch external/bsd/bind/dist/bin/tests/system/ixfr/prereq.sh patch external/bsd/bind/dist/bin/tests/system/limits/clean.sh patch external/bsd/bind/dist/bin/tests/system/limits/tests.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/Makefile.in patch external/bsd/bind/dist/bin/tests/system/lwresd/resolv.conf patch external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/resolv.conf patch external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh patch external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh patch external/bsd/bind/dist/bin/tests/system/metadata/clean.sh patch external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh patch external/bsd/bind/dist/bin/tests/system/metadata/setup.sh patch external/bsd/bind/dist/bin/tests/system/metadata/tests.sh patch external/bsd/bind/dist/bin/tests/system/notify/clean.sh patch external/bsd/bind/dist/bin/tests/system/notify/setup.sh patch external/bsd/bind/dist/bin/tests/system/notify/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/commandlist patch external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/update_test.pl patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/clean.shpatch external/bsd/bind/dist/bin/tests/system/pending/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pending/setup.shpatch external/bsd/bind/dist/bin/tests/system/pending/tests.shpatch external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/clean.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.shpatch external/bsd/bind/dist/bin/tests/system/pkcs11/setup.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/clean.sh patch external/bsd/bind/dist/bin/tests/system/redirect/setup.sh patch external/bsd/bind/dist/bin/tests/system/redirect/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ans2/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ans3/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh patch external/bsd/bind/dist/bin/tests/system/rndc/clean.sh patch external/bsd/bind/dist/bin/tests/system/rndc/setup.sh patch external/bsd/bind/dist/bin/tests/system/rndc/tests.sh patch external/bsd/bind/dist/bin/tests/system/rndc/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rndc/ns2/secondkey.conf patch external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rpz/clean.sh patch external/bsd/bind/dist/bin/tests/system/rpz/qperf.sh patch external/bsd/bind/dist/bin/tests/system/rpz/rpz.c patch external/bsd/bind/dist/bin/tests/system/rpz/setup.sh patch external/bsd/bind/dist/bin/tests/system/rpz/test1 patch external/bsd/bind/dist/bin/tests/system/rpz/test2 patch external/bsd/bind/dist/bin/tests/system/rpz/test5 patch external/bsd/bind/dist/bin/tests/system/rpz/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/root.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/base-tld2s.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/tld2.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash2 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/tld4.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rrsetorder/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad01.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad02.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/bad03.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good01.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good02.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/conf/good03.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.key patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.key patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+51829.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/dsset-example.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.bad patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/smartsign/clean.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh patch external/bsd/bind/dist/bin/tests/system/sortlist/clean.sh patch external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/stress/clean.sh patch external/bsd/bind/dist/bin/tests/system/stress/setup.pl patch external/bsd/bind/dist/bin/tests/system/stress/setup.sh patch external/bsd/bind/dist/bin/tests/system/stress/tests.sh patch external/bsd/bind/dist/bin/tests/system/stress/update.plpatch external/bsd/bind/dist/bin/tests/system/stub/clean.sh patch external/bsd/bind/dist/bin/tests/system/stub/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/Makefile.inpatch external/bsd/bind/dist/bin/tests/system/tkey/clean.sh patch external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tkey/setup.sh patch external/bsd/bind/dist/bin/tests/system/tkey/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsig/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsig/tests.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in patch external/bsd/bind/dist/bin/tests/system/tsiggss/authsock.pl patch external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/setup.shpatch external/bsd/bind/dist/bin/tests/system/unknown/clean.shpatch external/bsd/bind/dist/bin/tests/system/unknown/setup.shpatch external/bsd/bind/dist/bin/tests/system/unknown/tests.shpatch external/bsd/bind/dist/bin/tests/system/unknown/ns1/example-in.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns1/large.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/clean.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/setup.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/tests.shpatch external/bsd/bind/dist/bin/tests/system/upforwd/ans4/ans.pl patch external/bsd/bind/dist/bin/tests/system/v6synth/clean.shpatch external/bsd/bind/dist/bin/tests/system/v6synth/tests.shpatch external/bsd/bind/dist/bin/tests/system/verify/clean.sh patch external/bsd/bind/dist/bin/tests/system/verify/setup.sh patch external/bsd/bind/dist/bin/tests/system/verify/tests.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/genzones.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db patch external/bsd/bind/dist/bin/tests/system/views/clean.sh patch external/bsd/bind/dist/bin/tests/system/views/setup.sh patch external/bsd/bind/dist/bin/tests/system/views/tests.sh patch external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh patch external/bsd/bind/dist/bin/tests/system/xfer/setup.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/clean.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/setup.pl patch external/bsd/bind/dist/bin/tests/system/xferquota/setup.sh patch external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh patch external/bsd/bind/dist/bin/tests/tasks/Makefile.in patch external/bsd/bind/dist/bin/tests/timers/Makefile.in patch external/bsd/bind/dist/bin/tests/virtual-time/Makefile.in patch external/bsd/bind/dist/bin/tests/virtual-time/cleanall.sh patch external/bsd/bind/dist/bin/tests/virtual-time/conf.sh.inpatch external/bsd/bind/dist/bin/tests/virtual-time/run.sh patch external/bsd/bind/dist/bin/tests/virtual-time/runall.sh patch external/bsd/bind/dist/bin/tests/virtual-time/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/start.pl patch external/bsd/bind/dist/bin/tests/virtual-time/start.sh patch external/bsd/bind/dist/bin/tests/virtual-time/stop.pl patch external/bsd/bind/dist/bin/tests/virtual-time/stop.sh patch external/bsd/bind/dist/bin/tests/virtual-time/testsock.pl patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-ksk/ns1/wrap.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/virtual-time/autosign-zsk/ns1/wrap.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/clean.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/setup.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/tests.sh patch external/bsd/bind/dist/bin/tests/virtual-time/slave/ns1/wrap.sh patch external/bsd/bind/dist/bin/tools/Makefile.in patch external/bsd/bind/dist/contrib/check-secure-delegation.pl.in patch external/bsd/bind/dist/contrib/zone-edit.sh.in patch external/bsd/bind/dist/contrib/dlz/bin/dlzbdb/Makefile.in patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_dlopen_driver.c patch external/bsd/bind/dist/contrib/named-bootconf/named-bootconf.sh patch external/bsd/bind/dist/contrib/nanny/nanny.pl patch external/bsd/bind/dist/contrib/sdb/tcl/lookup.tcl patch external/bsd/bind/dist/contrib/zkt/doc/rfc5011.txt patch external/bsd/bind/dist/doc/Makefile.in patch external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/Makefile.in patch external/bsd/bind/dist/doc/arm/latex-fixup.pl patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.htmlpatch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/doc/doxygen/Makefile.in patch external/bsd/bind/dist/doc/doxygen/doxygen-input-filter.in patch external/bsd/bind/dist/doc/misc/Makefile.in patch external/bsd/bind/dist/doc/misc/format-options.pl patch external/bsd/bind/dist/doc/misc/options patch external/bsd/bind/dist/doc/misc/sort-options.pl patch external/bsd/bind/dist/doc/xsl/Makefile.in patch external/bsd/bind/dist/lib/Makefile.in patch external/bsd/bind/dist/lib/bind9/Makefile.in patch external/bsd/bind/dist/lib/bind9/api patch external/bsd/bind/dist/lib/bind9/check.c patch external/bsd/bind/dist/lib/bind9/include/Makefile.in patch external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in patch external/bsd/bind/dist/lib/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/adb.c patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/db.c patch external/bsd/bind/dist/lib/dns/dnssec.c patch external/bsd/bind/dist/lib/dns/ds.c patch external/bsd/bind/dist/lib/dns/dst_api.c patch external/bsd/bind/dist/lib/dns/dst_internal.h patch external/bsd/bind/dist/lib/dns/dst_openssl.h patch external/bsd/bind/dist/lib/dns/dst_parse.c patch external/bsd/bind/dist/lib/dns/dst_parse.h patch external/bsd/bind/dist/lib/dns/dst_result.c patch external/bsd/bind/dist/lib/dns/gssapi_link.c patch external/bsd/bind/dist/lib/dns/hmac_link.c patch external/bsd/bind/dist/lib/dns/log.c patch external/bsd/bind/dist/lib/dns/master.c patch external/bsd/bind/dist/lib/dns/masterdump.c patch external/bsd/bind/dist/lib/dns/nsec.c patch external/bsd/bind/dist/lib/dns/nsec3.c patch external/bsd/bind/dist/lib/dns/openssl_link.c patch external/bsd/bind/dist/lib/dns/openssldh_link.c patch external/bsd/bind/dist/lib/dns/openssldsa_link.c patch external/bsd/bind/dist/lib/dns/opensslecdsa_link.c patch external/bsd/bind/dist/lib/dns/opensslgost_link.c patch external/bsd/bind/dist/lib/dns/opensslrsa_link.c patch external/bsd/bind/dist/lib/dns/rbtdb.c patch external/bsd/bind/dist/lib/dns/rcode.c patch external/bsd/bind/dist/lib/dns/rdata.c patch external/bsd/bind/dist/lib/dns/rdataset.c patch external/bsd/bind/dist/lib/dns/resolver.c patch external/bsd/bind/dist/lib/dns/rpz.c patch external/bsd/bind/dist/lib/dns/spnego_asn1.pl patch external/bsd/bind/dist/lib/dns/update.c patch external/bsd/bind/dist/lib/dns/validator.c patch external/bsd/bind/dist/lib/dns/view.c patch external/bsd/bind/dist/lib/dns/zone.c patch external/bsd/bind/dist/lib/dns/zt.c patch external/bsd/bind/dist/lib/dns/include/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/db.h patch external/bsd/bind/dist/lib/dns/include/dns/dnssec.h patch external/bsd/bind/dist/lib/dns/include/dns/ds.h patch external/bsd/bind/dist/lib/dns/include/dns/iptable.h patch external/bsd/bind/dist/lib/dns/include/dns/keyvalues.h patch external/bsd/bind/dist/lib/dns/include/dns/log.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec.h patch external/bsd/bind/dist/lib/dns/include/dns/private.h patch external/bsd/bind/dist/lib/dns/include/dns/rdata.h patch external/bsd/bind/dist/lib/dns/include/dns/rdataset.h patch external/bsd/bind/dist/lib/dns/include/dns/rpz.h patch external/bsd/bind/dist/lib/dns/include/dns/stats.h patch external/bsd/bind/dist/lib/dns/include/dns/view.h patch external/bsd/bind/dist/lib/dns/include/dns/zone.h patch external/bsd/bind/dist/lib/dns/include/dst/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dst/dst.h patch external/bsd/bind/dist/lib/dns/include/dst/result.h patch external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.cpatch external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c patch external/bsd/bind/dist/lib/dns/tests/Makefile.in patch external/bsd/bind/dist/lib/dns/tests/dnstest.h patch external/bsd/bind/dist/lib/dns/tests/rdataset_test.c patch external/bsd/bind/dist/lib/dns/tests/zt_test.c patch external/bsd/bind/dist/lib/dns/win32/libdns.def patch external/bsd/bind/dist/lib/export/Makefile.in patch external/bsd/bind/dist/lib/export/dns/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/export/dns/include/dst/Makefile.in patch external/bsd/bind/dist/lib/export/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/export/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/export/samples/Makefile-postinstall.in patch external/bsd/bind/dist/lib/export/samples/Makefile.in patch external/bsd/bind/dist/lib/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/include/Makefile.in patch external/bsd/bind/dist/lib/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/isc/api patch external/bsd/bind/dist/lib/isc/mem.c patch external/bsd/bind/dist/lib/isc/task.c patch external/bsd/bind/dist/lib/isc/task_api.c patch external/bsd/bind/dist/lib/isc/alpha/Makefile.in patch external/bsd/bind/dist/lib/isc/alpha/include/Makefile.inpatch external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/ia64/include/isc/atomic.hpatch external/bsd/bind/dist/lib/isc/include/Makefile.in patch external/bsd/bind/dist/lib/isc/include/isc/file.h patch external/bsd/bind/dist/lib/isc/include/isc/heap.h patch external/bsd/bind/dist/lib/isc/include/isc/list.h patch external/bsd/bind/dist/lib/isc/include/isc/namespace.h patch external/bsd/bind/dist/lib/isc/include/isc/queue.h patch external/bsd/bind/dist/lib/isc/include/isc/task.h patch external/bsd/bind/dist/lib/isc/mips/Makefile.in patch external/bsd/bind/dist/lib/isc/mips/include/Makefile.in patch external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/include/Makefile.in patch external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/include/Makefile.in patch external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/condition.c patch external/bsd/bind/dist/lib/isc/pthreads/include/Makefile.in patch external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/sparc64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/tests/isctest.c patch external/bsd/bind/dist/lib/isc/tests/isctest.h patch external/bsd/bind/dist/lib/isc/tests/queue_test.c patch external/bsd/bind/dist/lib/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/file.c patch external/bsd/bind/dist/lib/isc/unix/include/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/file.c patch external/bsd/bind/dist/lib/isc/win32/libisc.def patch external/bsd/bind/dist/lib/isc/win32/include/Makefile.inpatch external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/win32/include/isc/stat.h patch external/bsd/bind/dist/lib/isc/x86_32/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_32/include/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/include/Makefile.in patch external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isccc/api patch external/bsd/bind/dist/lib/isccc/cc.c patch external/bsd/bind/dist/lib/isccc/include/Makefile.in patch external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in patch external/bsd/bind/dist/lib/isccfg/api patch external/bsd/bind/dist/lib/isccfg/namedconf.c patch external/bsd/bind/dist/lib/isccfg/include/Makefile.in patch external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/api patch external/bsd/bind/dist/lib/lwres/getaddrinfo.c patch external/bsd/bind/dist/lib/lwres/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/man/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/include/Makefile.in patch external/bsd/bind/dist/lib/lwres/win32/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/tests/Makefile.in patch external/bsd/bind/dist/lib/tests/include/Makefile.in patch external/bsd/bind/dist/lib/tests/include/tests/Makefile.in patch external/bsd/bind/dist/make/Makefile.in patch external/bsd/bind/dist/make/includes.in patch external/bsd/bind/dist/make/rules.in patch external/bsd/bind/dist/unit/atf-src/atf-c/macros.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text_test.c patch external/bsd/bind/include/config.h patch external/bsd/bind/lib/libbind9/shlib_version patch external/bsd/bind/lib/libdns/Makefile patch external/bsd/bind/lib/libdns/shlib_version patch external/bsd/bind/lib/libisc/shlib_version patch external/bsd/bind/lib/libisccc/shlib_version patch external/bsd/bind/lib/libisccfg/shlib_version patch external/bsd/bind/lib/liblwres/shlib_version patch distrib/sets/lists/base/ad.mips64eb patch distrib/sets/lists/base/ad.mips64el patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/mi patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/man/mi patch Update bind to version 9.9.2-P1, addressing CVE-2012-5688. [spz, ticket #751] @ text @d51 1 a51 1- Comment Syntax
d55 1 a55 1- acl Statement Grammar
d58 1 a58 1- controls Statement Grammar
d61 2 a62 2- include Statement Grammar
- include Statement Definition and d64 4 a67 4
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and d69 4 a72 4
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d74 1 a74 1
- options Statement Grammar
d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d480 1 a480 1 Syntaxnumber; ] d2292 1 a2292 5 [ response-policy {zone_name[ policy given | disabled | passthru | nxdomain | nodata | cnamedomain] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] ; ] d3727 1 a3727 1 Forwarding d3771 1 a3771 1 Dual-stack Servers d3973 2 a3974 2 to resolve a recursive query before failing. The default and minimum is10and the maximum is d3982 1 a3982 1 Interfaces d4450 1 a4450 1 UDP Port Lists d4492 1 a4492 1 Operating System Resource Limits d4654 1 a4654 1 Periodic Task Intervals a5241 7max-rsa-exponent-size d5512 1 a5512 1 Content Filtering d5635 1 a5635 1 Response Policy Zone (RPZ) Rewriting d5637 3 a5639 3 BIND 9 includes a limited mechanism to modify DNS responses for requests analogous to email anti-spam DNS blacklists. d5645 2 d5656 1 a5656 1 Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, d5658 1 a5658 1 QNAME RPZ records triggered by query names of requests and targets d5664 7 a5670 6 The second kind of RPZ trigger is an IP address in an A and AAAA record in the ANSWER section of a response. IP address triggers are encoded in records that have owner names that are subdomains of The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
rpz-iprelativized to the RPZ origin name and encode an IP address or address block. IPv4 trigger addresses are represented as d5688 3 a5690 3 NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. d5696 3 a5698 4 NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. NSIP triggers are encoded like IP triggers except as subdomains of d5703 5 a5707 6 two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. Triggers or the records that encode them are chosen in the following order: d5710 2 a5711 2Choose the triggered record in the zone that appears first in the response-policy option. d5713 2 a5714 2 Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone. d5716 2 a5717 2 Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. d5719 1 a5719 1 Among IP or NSIP triggers, prefer the trigger d5722 2 a5723 2 Among triggers with the same prefex length, prefer the IP or NSIP trigger that matches d5731 2 a5732 2 DNAME or CNAME records and a policy record set has not been triggered, d5747 9 a5755 2 RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. d5758 3 a5760 2 The NXDOMAIN response is encoded by a CNAME whose target is the root domain (.) d5763 1 a5763 1 domain (*.) specifies the NODATA action, d5766 2 a5767 8 The Local Data action is represented by a set ordinary DNS records that are used to answer queries. Queries for record types not the set are answered with NODATA. A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) d5769 2 a5770 2 The purpose for this special form is query logging in the walled garden's authority DNS server. d5773 2 a5774 2 by a CNAME whose target is rpz_passthru. It causes the response to not be rewritten a5776 2 (A CNAME whose target is the variable part of its owner name is an obsolete specification of the PASSTHRU policy.) d5782 3 a5784 3 The actions specified in an RPZ can be overridden with a policy clause in the response-policy option. d5790 1 a5790 2 GIVEN says "do not override but perform the action specified in the zone." d5796 4 a5799 4 any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first. a5822 28 By default, the actions encoded in an RPZ are applied only to queries that ask for recursion (RD=1). That default can be changed for a single RPZ or all RPZs in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values on the externally visible name server or view. Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
d5844 1 a5844 1 ok.domain.com CNAME rpz-passthru. d5854 1 a5854 1 32.1.0.0.127.rpz-ip CNAME rpz-passthru. d6071 1 a6071 1 statistics-channels Statement Definition and d6131 1 a6131 1 trusted-keys Statement Definition d6171 1 a6171 1 managed-keys Statement Grammar d6306 1 a6306 1 view Statement Definition and Usage d6474 1 a6474 1 [ inline-signing
yes_or_no; ] d6607 1 a6607 1 zone Statement Definition and Usage d6610 1 a6610 1 Zone Types d6890 1 a6890 1 Class d6912 1 a6912 1 Zone Options d7662 1 a7662 1 is specified in theidentityd7680 1 a7680 1identityfield. d7696 1 a7696 1 is specified in theidentityd7714 1 a7714 1identityfield. d7823 1 a7823 1 Zone File d7836 1 a7836 1 Resource Records d8573 1 a8573 1 Textual expression of RRs d8776 1 a8776 1 Discussion of MX Records d9032 1 a9032 1 Inverse Mapping in IPv4 d9093 1 a9093 1 Other Zone File Directives d9108 1 a9108 1 The @@ (at-sign) d9119 1 a9119 1 The $ORIGIN Directive d9148 1 a9148 1 The $INCLUDE Directive d9184 1 a9184 1 The $TTL Directive d9203 1 a9203 1 BIND Master File Extension: the $GENERATE Directive d9627 1 a9627 1 Name Server Statistics Counters d10184 1 a10184 1 Zone Maintenance Statistics Counters d10338 1 a10338 1 Resolver Statistics Counters d10721 1 a10721 1 Socket I/O Statistics Counters d10876 1 a10876 1 Compatibility with BIND 8 Counters @ 1.1.1.9.4.2.2.1 log @Pull up following revision(s) (requested by spz in ticket #1217): distrib/sets/lists/base/ad.mips64eb patch distrib/sets/lists/base/ad.mips64el patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/comp/ad.mips64eb patch distrib/sets/lists/comp/ad.mips64el patch distrib/sets/lists/comp/md.amd64 patch distrib/sets/lists/comp/md.sparc64 patch distrib/sets/lists/comp/mi patch distrib/sets/lists/comp/shl.mi patch external/bsd/bind/Makefile.inc patch external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/COPYRIGHT patch external/bsd/bind/dist/FAQ patch external/bsd/bind/dist/FAQ.xml patch external/bsd/bind/dist/HISTORY patch external/bsd/bind/dist/Makefile.in patch external/bsd/bind/dist/README patch external/bsd/bind/dist/REDIRECT-NOTES delete external/bsd/bind/dist/acconfig.h patch external/bsd/bind/dist/aclocal.m4 patch external/bsd/bind/dist/config.guess patch external/bsd/bind/dist/config.h.in patch external/bsd/bind/dist/config.h.win32 patch external/bsd/bind/dist/config.sub patch external/bsd/bind/dist/configure patch external/bsd/bind/dist/configure.in patch external/bsd/bind/dist/isc-config.sh.1 patch external/bsd/bind/dist/isc-config.sh.docbook patch external/bsd/bind/dist/isc-config.sh.html patch external/bsd/bind/dist/isc-config.sh.in patch external/bsd/bind/dist/ltmain.sh patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/Makefile.in patch external/bsd/bind/dist/bin/check/Makefile.in patch external/bsd/bind/dist/bin/check/check-tool.c patch external/bsd/bind/dist/bin/check/named-checkconf.8 patch external/bsd/bind/dist/bin/check/named-checkconf.c patch external/bsd/bind/dist/bin/check/named-checkconf.docbook patch external/bsd/bind/dist/bin/check/named-checkconf.html patch external/bsd/bind/dist/bin/check/named-checkzone.8 patch external/bsd/bind/dist/bin/check/named-checkzone.c patch external/bsd/bind/dist/bin/check/named-checkzone.docbook patch external/bsd/bind/dist/bin/check/named-checkzone.html patch external/bsd/bind/dist/bin/check/win32/checktool.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.dsw delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.mak delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.dsw delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.mak delete external/bsd/bind/dist/bin/confgen/ddns-confgen.8 patch external/bsd/bind/dist/bin/confgen/ddns-confgen.c patch external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook patch external/bsd/bind/dist/bin/confgen/ddns-confgen.html patch external/bsd/bind/dist/bin/confgen/keygen.c patch external/bsd/bind/dist/bin/confgen/rndc-confgen.8 patch external/bsd/bind/dist/bin/confgen/rndc-confgen.c patch external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook patch external/bsd/bind/dist/bin/confgen/rndc-confgen.html patch external/bsd/bind/dist/bin/confgen/win32/confgentool.dsp delete external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.dsp delete external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.mak delete external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.dsp delete external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.mak delete external/bsd/bind/dist/bin/dig/Makefile.in patch external/bsd/bind/dist/bin/dig/dig.1 patch external/bsd/bind/dist/bin/dig/dig.c patch external/bsd/bind/dist/bin/dig/dig.docbook patch external/bsd/bind/dist/bin/dig/dig.html patch external/bsd/bind/dist/bin/dig/dighost.c patch external/bsd/bind/dist/bin/dig/host.1 patch external/bsd/bind/dist/bin/dig/host.c patch external/bsd/bind/dist/bin/dig/host.docbook patch external/bsd/bind/dist/bin/dig/host.html patch external/bsd/bind/dist/bin/dig/nslookup.1 patch external/bsd/bind/dist/bin/dig/nslookup.c patch external/bsd/bind/dist/bin/dig/nslookup.docbook patch external/bsd/bind/dist/bin/dig/nslookup.html patch external/bsd/bind/dist/bin/dig/include/dig/dig.h patch external/bsd/bind/dist/bin/dig/win32/dig.dsp delete external/bsd/bind/dist/bin/dig/win32/dig.mak delete external/bsd/bind/dist/bin/dig/win32/dighost.dsp delete external/bsd/bind/dist/bin/dig/win32/host.dsp delete external/bsd/bind/dist/bin/dig/win32/host.mak delete external/bsd/bind/dist/bin/dig/win32/nslookup.dsp delete external/bsd/bind/dist/bin/dig/win32/nslookup.mak delete external/bsd/bind/dist/bin/dnssec/Makefile.in patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8 new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html new external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.c patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.html patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.html patch external/bsd/bind/dist/bin/dnssec/dnssectool.c patch external/bsd/bind/dist/bin/dnssec/dnssectool.h patch external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp delete external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp delete external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak delete external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp delete external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak delete external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp delete external/bsd/bind/dist/bin/dnssec/win32/keygen.mak delete external/bsd/bind/dist/bin/dnssec/win32/nsupdate.dsp delete external/bsd/bind/dist/bin/dnssec/win32/nsupdate.dsw delete external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp delete external/bsd/bind/dist/bin/dnssec/win32/revoke.mak delete external/bsd/bind/dist/bin/dnssec/win32/settime.dsp delete external/bsd/bind/dist/bin/dnssec/win32/settime.mak delete external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp delete external/bsd/bind/dist/bin/dnssec/win32/signzone.mak delete external/bsd/bind/dist/bin/named/Makefile.in patch external/bsd/bind/dist/bin/named/bind.keys.h patch external/bsd/bind/dist/bin/named/bind9.ver3.xsl new external/bsd/bind/dist/bin/named/bind9.ver3.xsl.h new external/bsd/bind/dist/bin/named/bind9.xsl.h patch external/bsd/bind/dist/bin/named/builtin.c patch external/bsd/bind/dist/bin/named/client.c patch external/bsd/bind/dist/bin/named/config.c patch external/bsd/bind/dist/bin/named/control.c patch external/bsd/bind/dist/bin/named/controlconf.c patch external/bsd/bind/dist/bin/named/interfacemgr.c patch external/bsd/bind/dist/bin/named/log.c patch external/bsd/bind/dist/bin/named/logconf.c patch external/bsd/bind/dist/bin/named/lwaddr.c patch external/bsd/bind/dist/bin/named/lwdgnba.c patch external/bsd/bind/dist/bin/named/lwdgrbn.c patch external/bsd/bind/dist/bin/named/lwresd.8 patch external/bsd/bind/dist/bin/named/lwresd.c patch external/bsd/bind/dist/bin/named/lwresd.docbook patch external/bsd/bind/dist/bin/named/lwresd.html patch external/bsd/bind/dist/bin/named/main.c patch external/bsd/bind/dist/bin/named/named.8 patch external/bsd/bind/dist/bin/named/named.conf.5 patch external/bsd/bind/dist/bin/named/named.conf.docbook patch external/bsd/bind/dist/bin/named/named.conf.html patch external/bsd/bind/dist/bin/named/named.docbook patch external/bsd/bind/dist/bin/named/named.html patch external/bsd/bind/dist/bin/named/query.c patch external/bsd/bind/dist/bin/named/server.c patch external/bsd/bind/dist/bin/named/statschannel.c patch external/bsd/bind/dist/bin/named/tkeyconf.c patch external/bsd/bind/dist/bin/named/tsigconf.c patch external/bsd/bind/dist/bin/named/update.c patch external/bsd/bind/dist/bin/named/xfrout.c patch external/bsd/bind/dist/bin/named/zoneconf.c patch external/bsd/bind/dist/bin/named/include/named/client.h patch external/bsd/bind/dist/bin/named/include/named/globals.h patch external/bsd/bind/dist/bin/named/include/named/main.h patch external/bsd/bind/dist/bin/named/include/named/query.h patch external/bsd/bind/dist/bin/named/include/named/server.h patch external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/named/unix/os.c patch external/bsd/bind/dist/bin/named/win32/named.dsp delete external/bsd/bind/dist/bin/named/win32/named.mak delete external/bsd/bind/dist/bin/nsupdate/Makefile.in patch external/bsd/bind/dist/bin/nsupdate/nsupdate.1 patch external/bsd/bind/dist/bin/nsupdate/nsupdate.c patch external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook patch external/bsd/bind/dist/bin/nsupdate/nsupdate.html patch external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp delete external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0f-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0m-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1h-patch new external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook patch external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.mak delete external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.mak delete external/bsd/bind/dist/bin/pkcs11/win32/pk11list.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11list.mak delete external/bsd/bind/dist/bin/python/Makefile.in patch external/bsd/bind/dist/bin/python/dnssec-checkds.8 patch external/bsd/bind/dist/bin/python/dnssec-checkds.docbook patch external/bsd/bind/dist/bin/python/dnssec-checkds.html patch external/bsd/bind/dist/bin/python/dnssec-checkds.py.in patch external/bsd/bind/dist/bin/python/dnssec-coverage.8 new external/bsd/bind/dist/bin/python/dnssec-coverage.docbook new external/bsd/bind/dist/bin/python/dnssec-coverage.html new external/bsd/bind/dist/bin/python/dnssec-coverage.py.in new external/bsd/bind/dist/bin/rndc/rndc.8 patch external/bsd/bind/dist/bin/rndc/rndc.c patch external/bsd/bind/dist/bin/rndc/rndc.conf.5 patch external/bsd/bind/dist/bin/rndc/rndc.conf.docbook patch external/bsd/bind/dist/bin/rndc/rndc.conf.html patch external/bsd/bind/dist/bin/rndc/rndc.docbook patch external/bsd/bind/dist/bin/rndc/rndc.html patch external/bsd/bind/dist/bin/rndc/win32/rndc.dsp delete external/bsd/bind/dist/bin/rndc/win32/rndc.mak delete external/bsd/bind/dist/bin/rndc/win32/rndcutil.dsp delete external/bsd/bind/dist/bin/tests/Makefile.in patch external/bsd/bind/dist/bin/tests/adb_test.c patch external/bsd/bind/dist/bin/tests/backtrace_test.c patch external/bsd/bind/dist/bin/tests/byaddr_test.c patch external/bsd/bind/dist/bin/tests/byname_test.c patch external/bsd/bind/dist/bin/tests/db_test.c patch external/bsd/bind/dist/bin/tests/fsaccess_test.c patch external/bsd/bind/dist/bin/tests/hash_test.c patch external/bsd/bind/dist/bin/tests/log_test.c patch external/bsd/bind/dist/bin/tests/rdata_test.c patch external/bsd/bind/dist/bin/tests/rwlock_test.c patch external/bsd/bind/dist/bin/tests/shutdown_test.c patch external/bsd/bind/dist/bin/tests/sig0_test.c patch external/bsd/bind/dist/bin/tests/sock_test.c patch external/bsd/bind/dist/bin/tests/task_test.c patch external/bsd/bind/dist/bin/tests/timer_test.c patch external/bsd/bind/dist/bin/tests/zone_test.c patch external/bsd/bind/dist/bin/tests/atomic/t_atomic.c patch external/bsd/bind/dist/bin/tests/db/t_db.c patch external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key.in new external/bsd/bind/dist/bin/tests/dst/Makefile.in patch external/bsd/bind/dist/bin/tests/dst/dst_2_data delete external/bsd/bind/dist/bin/tests/dst/dst_2_data.in new external/bsd/bind/dist/bin/tests/dst/dst_test.c patch external/bsd/bind/dist/bin/tests/dst/gsstest.c patch external/bsd/bind/dist/bin/tests/dst/t2_data_1 delete external/bsd/bind/dist/bin/tests/dst/t2_data_1.in new external/bsd/bind/dist/bin/tests/dst/t2_data_2 delete external/bsd/bind/dist/bin/tests/dst/t2_data_2.in new external/bsd/bind/dist/bin/tests/dst/t2_dsasig delete external/bsd/bind/dist/bin/tests/dst/t2_dsasig.in new external/bsd/bind/dist/bin/tests/dst/t2_rsasig delete external/bsd/bind/dist/bin/tests/dst/t2_rsasig.in new external/bsd/bind/dist/bin/tests/dst/t_dst.c patch external/bsd/bind/dist/bin/tests/hashes/t_hashes.c patch external/bsd/bind/dist/bin/tests/master/t_master.c patch external/bsd/bind/dist/bin/tests/mem/t_mem.c patch external/bsd/bind/dist/bin/tests/names/dns_name_hash_data patch external/bsd/bind/dist/bin/tests/names/t_names.c patch external/bsd/bind/dist/bin/tests/rbt/t_rbt.c patch external/bsd/bind/dist/bin/tests/resolver/t_resolver.c patch external/bsd/bind/dist/bin/tests/sockaddr/t_sockaddr.c patch external/bsd/bind/dist/bin/tests/system/Makefile.in patch external/bsd/bind/dist/bin/tests/system/README patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/bin/tests/system/cleanall.sh patch external/bsd/bind/dist/bin/tests/system/conf.sh.in patch external/bsd/bind/dist/bin/tests/system/digcomp.pl patch external/bsd/bind/dist/bin/tests/system/genzone.sh patch external/bsd/bind/dist/bin/tests/system/ifconfig.sh patch external/bsd/bind/dist/bin/tests/system/run.sh patch external/bsd/bind/dist/bin/tests/system/runall.sh patch external/bsd/bind/dist/bin/tests/system/setup.sh patch external/bsd/bind/dist/bin/tests/system/start.pl patch external/bsd/bind/dist/bin/tests/system/testcrypto.sh new external/bsd/bind/dist/bin/tests/system/testsock.pl patch external/bsd/bind/dist/bin/tests/system/testsock6.pl patch external/bsd/bind/dist/bin/tests/system/acl/clean.sh patch external/bsd/bind/dist/bin/tests/system/acl/setup.sh patch external/bsd/bind/dist/bin/tests/system/acl/tests.sh patch external/bsd/bind/dist/bin/tests/system/acl/ns2/named5.conf new external/bsd/bind/dist/bin/tests/system/additional/clean.sh new external/bsd/bind/dist/bin/tests/system/additional/setup.sh new external/bsd/bind/dist/bin/tests/system/additional/tests.sh new external/bsd/bind/dist/bin/tests/system/addzone/clean.sh patch external/bsd/bind/dist/bin/tests/system/addzone/setup.sh patch external/bsd/bind/dist/bin/tests/system/addzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/addzone/ns1/inlineslave.db new external/bsd/bind/dist/bin/tests/system/addzone/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/addzone/ns2/added.db patch external/bsd/bind/dist/bin/tests/system/addzone/ns2/inline.db new external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/ns2/named57.conf new external/bsd/bind/dist/bin/tests/system/autosign/clean.sh patch external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/autosign/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/tests.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh patch external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in new external/bsd/bind/dist/bin/tests/system/builtin/clean.sh new external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c new external/bsd/bind/dist/bin/tests/system/builtin/tests.sh patch external/bsd/bind/dist/bin/tests/system/builtin/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/builtin/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh patch external/bsd/bind/dist/bin/tests/system/cacheclean/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/case/clean.sh new external/bsd/bind/dist/bin/tests/system/case/tests.sh new external/bsd/bind/dist/bin/tests/system/case/ns1/example.db new external/bsd/bind/dist/bin/tests/system/case/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/case/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/checkconf/altdb.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-also-notify.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-dnssec.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-hint.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-inline-slave.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-many.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-master-request-ixfr.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-noddns.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-tsig.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad.conf delete external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf delete external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-names-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-names.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/good.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/hint-nofile.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-bad.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-good.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-no.conf new external/bsd/bind/dist/bin/tests/system/checkconf/notify.conf new external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/warn-keydir.conf new external/bsd/bind/dist/bin/tests/system/checkds/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkds/dig.pl new external/bsd/bind/dist/bin/tests/system/checkds/dig.sh patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/setup.sh patch external/bsd/bind/dist/bin/tests/system/checkds/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/clean.sh patch external/bsd/bind/dist/bin/tests/system/checknames/setup.sh patch external/bsd/bind/dist/bin/tests/system/checknames/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/ns4/master-ignore.update.db.in new external/bsd/bind/dist/bin/tests/system/checknames/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/checknames/ns4/root.hints new external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3-padded.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.dbnew external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad2.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/spf.db new external/bsd/bind/dist/bin/tests/system/coverage/clean.sh new external/bsd/bind/dist/bin/tests/system/coverage/prereq.sh new external/bsd/bind/dist/bin/tests/system/coverage/setup.sh new external/bsd/bind/dist/bin/tests/system/coverage/tests.sh new external/bsd/bind/dist/bin/tests/system/coverage/01-ksk-inactive/README new external/bsd/bind/dist/bin/tests/system/coverage/01-ksk-inactive/expect new external/bsd/bind/dist/bin/tests/system/coverage/02-zsk-inactive/README new external/bsd/bind/dist/bin/tests/system/coverage/02-zsk-inactive/expect new external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/README new external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect new external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/README new external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect new external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/README new external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect new external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/README new external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect new external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/README new external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect new external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/README new external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect new external/bsd/bind/dist/bin/tests/system/dlv/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlv/prereq.sh new external/bsd/bind/dist/bin/tests/system/dlv/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns6/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/prereq.sh new external/bsd/bind/dist/bin/tests/system/dlvauto/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlz/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in patch external/bsd/bind/dist/bin/tests/system/dlzexternal/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c patch external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/clean.sh patch external/bsd/bind/dist/bin/tests/system/dns64/prereq.sh new external/bsd/bind/dist/bin/tests/system/dns64/setup.sh patch external/bsd/bind/dist/bin/tests/system/dns64/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/dns64/ns2/rpz.db new external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns2/insecure.secure.example.db patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/secure.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval.example.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval1.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval2.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns4/named4.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns6/optout-tld.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/sign.sh new external/bsd/bind/dist/bin/tests/system/dnssec/ns7/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns7/sign.sh new external/bsd/bind/dist/bin/tests/system/dnssec/ns7/split-rrsig.db.in new external/bsd/bind/dist/bin/tests/system/dsdigest/prereq.sh new external/bsd/bind/dist/bin/tests/system/ecdsa/clean.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh new external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh.in delete external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/setup.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/empty.db new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named1.conf new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named2.conf new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/rfc1918.zones new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/root.hint new external/bsd/bind/dist/bin/tests/system/filter-aaaa/clean.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/unsigned.db patch external/bsd/bind/dist/bin/tests/system/formerr/clean.sh new external/bsd/bind/dist/bin/tests/system/formerr/formerr.pl new external/bsd/bind/dist/bin/tests/system/formerr/nametoolong new external/bsd/bind/dist/bin/tests/system/formerr/noquestions new external/bsd/bind/dist/bin/tests/system/formerr/tests.sh new external/bsd/bind/dist/bin/tests/system/formerr/twoquestions new external/bsd/bind/dist/bin/tests/system/formerr/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/formerr/ns1/root.db new external/bsd/bind/dist/bin/tests/system/forward/tests.sh patch external/bsd/bind/dist/bin/tests/system/forward/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/forward/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/glue/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/clean.sh patch external/bsd/bind/dist/bin/tests/system/gost/prereq.sh new external/bsd/bind/dist/bin/tests/system/gost/prereq.sh.in delete external/bsd/bind/dist/bin/tests/system/gost/setup.sh patch external/bsd/bind/dist/bin/tests/system/gost/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/inline/checkdsa.sh.in new external/bsd/bind/dist/bin/tests/system/inline/clean.sh patch external/bsd/bind/dist/bin/tests/system/inline/prereq.sh new external/bsd/bind/dist/bin/tests/system/inline/setup.sh patch external/bsd/bind/dist/bin/tests/system/inline/tests.sh patch external/bsd/bind/dist/bin/tests/system/inline/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/inline/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/inline/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/inline/ns3/master3.db.in patch external/bsd/bind/dist/bin/tests/system/inline/ns3/master4.db.in new external/bsd/bind/dist/bin/tests/system/inline/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/inline/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/clean.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/prereq.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/setup.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c patch external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh patch external/bsd/bind/dist/bin/tests/system/masterfile/knowngood.dig.out patch external/bsd/bind/dist/bin/tests/system/masterfile/ns1/include.db patch external/bsd/bind/dist/bin/tests/system/masterformat/clean.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/prereq.sh new external/bsd/bind/dist/bin/tests/system/masterformat/setup.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/metadata/clean.sh patch external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh patch external/bsd/bind/dist/bin/tests/system/metadata/setup.sh patch external/bsd/bind/dist/bin/tests/system/metadata/tests.sh patch external/bsd/bind/dist/bin/tests/system/nslookup/clean.sh new external/bsd/bind/dist/bin/tests/system/nslookup/setup.sh new external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh new external/bsd/bind/dist/bin/tests/system/nslookup/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/prereq.sh new external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/update_test.pl patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/clean.sh patch external/bsd/bind/dist/bin/tests/system/pending/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pending/setup.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/clean.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/setup.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/clean.sh patch external/bsd/bind/dist/bin/tests/system/redirect/prereq.sh new external/bsd/bind/dist/bin/tests/system/redirect/setup.sh patch external/bsd/bind/dist/bin/tests/system/redirect/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns2/example.db.in new external/bsd/bind/dist/bin/tests/system/redirect/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db delete external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db.in new external/bsd/bind/dist/bin/tests/system/resolver/clean.sh patch external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh patch external/bsd/bind/dist/bin/tests/system/resolver/setup.sh patch external/bsd/bind/dist/bin/tests/system/resolver/tests.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ans2/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ans3/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns4/broken.db new external/bsd/bind/dist/bin/tests/system/resolver/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/broken.db new external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns7/named.conf delete external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf new external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf new external/bsd/bind/dist/bin/tests/system/rndc/clean.sh patch external/bsd/bind/dist/bin/tests/system/rndc/setup.sh patch external/bsd/bind/dist/bin/tests/system/rndc/tests.sh patch external/bsd/bind/dist/bin/tests/system/rndc/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rpz/clean.sh patch external/bsd/bind/dist/bin/tests/system/rpz/prereq.sh new external/bsd/bind/dist/bin/tests/system/rpz/qperf.sh patch external/bsd/bind/dist/bin/tests/system/rpz/rpz.c patch external/bsd/bind/dist/bin/tests/system/rpz/setup.sh patch external/bsd/bind/dist/bin/tests/system/rpz/test1 patch external/bsd/bind/dist/bin/tests/system/rpz/test2 patch external/bsd/bind/dist/bin/tests/system/rpz/test3 patch external/bsd/bind/dist/bin/tests/system/rpz/test4 patch external/bsd/bind/dist/bin/tests/system/rpz/test4a new external/bsd/bind/dist/bin/tests/system/rpz/test5 patch external/bsd/bind/dist/bin/tests/system/rpz/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/root.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/base-tld2s.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/bl.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/blv2.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/blv3.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/tld2.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash1 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash2 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/tld4.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.args new external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/tld5.db new external/bsd/bind/dist/bin/tests/system/rpz/ns6/hints new external/bsd/bind/dist/bin/tests/system/rpz/ns6/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/Makefile.in new external/bsd/bind/dist/bin/tests/system/rrl/clean.sh new external/bsd/bind/dist/bin/tests/system/rrl/prereq.sh new external/bsd/bind/dist/bin/tests/system/rrl/rrl.c new external/bsd/bind/dist/bin/tests/system/rrl/setup.sh new external/bsd/bind/dist/bin/tests/system/rrl/tests.sh new external/bsd/bind/dist/bin/tests/system/rrl/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns1/root.db new external/bsd/bind/dist/bin/tests/system/rrl/ns2/hints new external/bsd/bind/dist/bin/tests/system/rrl/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns2/tld2.db new external/bsd/bind/dist/bin/tests/system/rrl/ns3/hints new external/bsd/bind/dist/bin/tests/system/rrl/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns3/tld3.db new external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh patch external/bsd/bind/dist/bin/tests/system/rrsetorder/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/clean.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh patch external/bsd/bind/dist/bin/tests/system/spf/clean.sh new external/bsd/bind/dist/bin/tests/system/spf/tests.sh new external/bsd/bind/dist/bin/tests/system/spf/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/spf/ns1/spf.db new external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/prereq.sh new external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/stress/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/clean.sh patch external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c patch external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c patch external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tkey/setup.sh patch external/bsd/bind/dist/bin/tests/system/tkey/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/example.db new external/bsd/bind/dist/bin/tests/system/tkey/ns1/named.conf.in patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsig/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsig/tests.sh patch external/bsd/bind/dist/bin/tests/system/tsig/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/tsiggss/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh patch external/bsd/bind/dist/bin/tests/system/unknown/clean.sh patch external/bsd/bind/dist/bin/tests/system/unknown/large.out patch external/bsd/bind/dist/bin/tests/system/unknown/prereq.sh new external/bsd/bind/dist/bin/tests/system/unknown/setup.sh patch external/bsd/bind/dist/bin/tests/system/unknown/tests.sh patch external/bsd/bind/dist/bin/tests/system/unknown/ns1/example-in.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/unknown/zones/nan.bad new external/bsd/bind/dist/bin/tests/system/upforwd/prereq.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/ans4/ans.pl patch external/bsd/bind/dist/bin/tests/system/verify/clean.sh patch external/bsd/bind/dist/bin/tests/system/verify/prereq.sh new external/bsd/bind/dist/bin/tests/system/verify/setup.sh patch external/bsd/bind/dist/bin/tests/system/verify/tests.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/genzones.sh patch external/bsd/bind/dist/bin/tests/system/wildcard/clean.sh new external/bsd/bind/dist/bin/tests/system/wildcard/prereq.sh new external/bsd/bind/dist/bin/tests/system/wildcard/setup.sh new external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/dlv.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/nsec.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/nsec3.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/private.nsec.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/private.nsec3.db.innew external/bsd/bind/dist/bin/tests/system/wildcard/ns1/root.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh new external/bsd/bind/dist/bin/tests/system/wildcard/ns2/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns3/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns5/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns5/named.conf new external/bsd/bind/dist/bin/tests/system/xfer/clean.sh patch external/bsd/bind/dist/bin/tests/system/xfer/dig1.good patch external/bsd/bind/dist/bin/tests/system/xfer/dig2.good patch external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh patch external/bsd/bind/dist/bin/tests/system/xfer/setup.sh patch external/bsd/bind/dist/bin/tests/system/xfer/tests.sh patch external/bsd/bind/dist/bin/tests/system/xfer/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/xfer/ns2/slave.db.in new external/bsd/bind/dist/bin/tests/system/zero/clean.sh new external/bsd/bind/dist/bin/tests/system/zero/setup.sh new external/bsd/bind/dist/bin/tests/system/zero/tests.sh new external/bsd/bind/dist/bin/tests/system/zero/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db new external/bsd/bind/dist/bin/tests/system/zero/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns3/root.hint new external/bsd/bind/dist/bin/tests/system/zero/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/zonechecks/prereq.sh new external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh new external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/ns1/named.conf new external/bsd/bind/dist/bin/tests/tasks/t_tasks.c patch external/bsd/bind/dist/bin/tests/timers/t_timers.c patch external/bsd/bind/dist/bin/tools/arpaname.1 patch external/bsd/bind/dist/bin/tools/arpaname.docbook patch external/bsd/bind/dist/bin/tools/arpaname.html patch external/bsd/bind/dist/bin/tools/genrandom.8 patch external/bsd/bind/dist/bin/tools/genrandom.c patch external/bsd/bind/dist/bin/tools/genrandom.docbook patch external/bsd/bind/dist/bin/tools/genrandom.html patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8 patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html patch external/bsd/bind/dist/bin/tools/named-journalprint.8 patch external/bsd/bind/dist/bin/tools/named-journalprint.docbook patch external/bsd/bind/dist/bin/tools/named-journalprint.html patch external/bsd/bind/dist/bin/tools/nsec3hash.8 patch external/bsd/bind/dist/bin/tools/nsec3hash.c patch external/bsd/bind/dist/bin/tools/nsec3hash.docbook patch external/bsd/bind/dist/bin/tools/nsec3hash.html patch external/bsd/bind/dist/bin/tools/win32/arpaname.dsp delete external/bsd/bind/dist/bin/tools/win32/arpaname.mak delete external/bsd/bind/dist/bin/tools/win32/genrandom.dsp delete external/bsd/bind/dist/bin/tools/win32/genrandom.mak delete external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp delete external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak delete external/bsd/bind/dist/bin/tools/win32/journalprint.dsp delete external/bsd/bind/dist/bin/tools/win32/journalprint.mak delete external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp delete external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak delete external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.dsp delete external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.mak delete external/bsd/bind/dist/contrib/README new external/bsd/bind/dist/contrib/check5011.pl new external/bsd/bind/dist/contrib/dane/mkdane.sh new external/bsd/bind/dist/contrib/dane/tlsa6698.pem new external/bsd/bind/dist/contrib/dbus/GetForwarders delete external/bsd/bind/dist/contrib/dbus/INSTALL delete external/bsd/bind/dist/contrib/dbus/Makefile.9.3.2b1 delete external/bsd/bind/dist/contrib/dbus/Makefile.9.3.3rc2 delete external/bsd/bind/dist/contrib/dbus/README.DBUS delete external/bsd/bind/dist/contrib/dbus/SetForwarders delete external/bsd/bind/dist/contrib/dbus/bind-9.3.2b1-dbus.patch delete external/bsd/bind/dist/contrib/dbus/bind-9.3.3rc2-dbus.patch delete external/bsd/bind/dist/contrib/dbus/dbus_mgr.c delete external/bsd/bind/dist/contrib/dbus/dbus_mgr.h delete external/bsd/bind/dist/contrib/dbus/dbus_service.c delete external/bsd/bind/dist/contrib/dbus/dbus_service.h delete external/bsd/bind/dist/contrib/dbus/named-dbus-system.conf delete external/bsd/bind/dist/contrib/dbus/named-dbus.service delete external/bsd/bind/dist/contrib/dlz/config.dlz.in patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_filesystem_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_ldap_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_mysql_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_odbc_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_postgres_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/sdlz_helper.c patch external/bsd/bind/dist/contrib/dlz/example/Makefile patch external/bsd/bind/dist/contrib/dlz/example/README patch external/bsd/bind/dist/contrib/dlz/example/dlz_example.c patch external/bsd/bind/dist/contrib/dlz/example/dlz_minimal.h delete external/bsd/bind/dist/contrib/dlz/modules/dlz_minimal.h new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/Makefile new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/README.md new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/dns-data.txt new external/bsd/bind/dist/contrib/named-bootconf/named-bootconf.sh patch external/bsd/bind/dist/contrib/nslint-2.1a3/strerror.c patch external/bsd/bind/dist/contrib/perftcpdns/Makefile.in new external/bsd/bind/dist/contrib/perftcpdns/configure new external/bsd/bind/dist/contrib/perftcpdns/configure.in new external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c new external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c patch external/bsd/bind/dist/contrib/query-loc-0.4.0/loc_ntoa.c patch external/bsd/bind/dist/contrib/queryperf/queryperf.c patch external/bsd/bind/dist/contrib/sdb/bdb/bdb.c patch external/bsd/bind/dist/contrib/sdb/dir/dirdb.c patch external/bsd/bind/dist/contrib/sdb/ldap/ldapdb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/pgsqldb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/zonetodb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/sqlitedb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/zone2sqlite.c patch external/bsd/bind/dist/contrib/sdb/tcl/tcldb.c patch external/bsd/bind/dist/contrib/sdb/time/timedb.c patch external/bsd/bind/dist/contrib/zkt/Makefile.in patch external/bsd/bind/dist/contrib/zkt/dki.c patch external/bsd/bind/dist/contrib/zkt/tags new external/bsd/bind/dist/contrib/zkt/zkt-soaserial.c patch external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/Makefile.in patch external/bsd/bind/dist/doc/arm/libdns.xml patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html new external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html new external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/doc/arm/pkcs11.xml patch external/bsd/bind/dist/doc/misc/options patch external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in patch external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in patch external/bsd/bind/dist/lib/Atffile patch external/bsd/bind/dist/lib/Makefile.in patch external/bsd/bind/dist/lib/bind9/Makefile.in patch external/bsd/bind/dist/lib/bind9/api patch external/bsd/bind/dist/lib/bind9/check.c patch external/bsd/bind/dist/lib/bind9/getaddresses.c patch external/bsd/bind/dist/lib/bind9/win32/libbind9.dsp delete external/bsd/bind/dist/lib/bind9/win32/libbind9.mak delete external/bsd/bind/dist/lib/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/acache.c patch external/bsd/bind/dist/lib/dns/acl.c patch external/bsd/bind/dist/lib/dns/adb.c patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/byaddr.c patch external/bsd/bind/dist/lib/dns/cache.c patch external/bsd/bind/dist/lib/dns/client.c patch external/bsd/bind/dist/lib/dns/db.c patch external/bsd/bind/dist/lib/dns/dbtable.c patch external/bsd/bind/dist/lib/dns/diff.c patch external/bsd/bind/dist/lib/dns/dispatch.c patch external/bsd/bind/dist/lib/dns/dlz.c patch external/bsd/bind/dist/lib/dns/dns64.c patch external/bsd/bind/dist/lib/dns/dnssec.c patch external/bsd/bind/dist/lib/dns/dst_api.c patch external/bsd/bind/dist/lib/dns/dst_internal.h patch external/bsd/bind/dist/lib/dns/dst_openssl.h patch external/bsd/bind/dist/lib/dns/dst_parse.c patch external/bsd/bind/dist/lib/dns/dst_result.c patch external/bsd/bind/dist/lib/dns/ecdb.c patch external/bsd/bind/dist/lib/dns/gen-win32.h patch external/bsd/bind/dist/lib/dns/gen.c patch external/bsd/bind/dist/lib/dns/gssapi_link.c patch external/bsd/bind/dist/lib/dns/gssapictx.c patch external/bsd/bind/dist/lib/dns/hmac_link.c patch external/bsd/bind/dist/lib/dns/iptable.c patch external/bsd/bind/dist/lib/dns/journal.c patch external/bsd/bind/dist/lib/dns/keydata.c patch external/bsd/bind/dist/lib/dns/keytable.c patch external/bsd/bind/dist/lib/dns/log.c patch external/bsd/bind/dist/lib/dns/lookup.c patch external/bsd/bind/dist/lib/dns/master.c patch external/bsd/bind/dist/lib/dns/masterdump.c patch external/bsd/bind/dist/lib/dns/message.c patch external/bsd/bind/dist/lib/dns/name.c patch external/bsd/bind/dist/lib/dns/ncache.c patch external/bsd/bind/dist/lib/dns/nsec.c patch external/bsd/bind/dist/lib/dns/nsec3.c patch external/bsd/bind/dist/lib/dns/openssl_link.c patch external/bsd/bind/dist/lib/dns/openssldh_link.c patch external/bsd/bind/dist/lib/dns/openssldsa_link.c patch external/bsd/bind/dist/lib/dns/opensslecdsa_link.c patch external/bsd/bind/dist/lib/dns/opensslgost_link.c patch external/bsd/bind/dist/lib/dns/opensslrsa_link.c patch external/bsd/bind/dist/lib/dns/peer.c patch external/bsd/bind/dist/lib/dns/portlist.c patch external/bsd/bind/dist/lib/dns/private.c patch external/bsd/bind/dist/lib/dns/rbt.c patch external/bsd/bind/dist/lib/dns/rbtdb.c patch external/bsd/bind/dist/lib/dns/rcode.c patch external/bsd/bind/dist/lib/dns/rdata.c patch external/bsd/bind/dist/lib/dns/rdataslab.c patch external/bsd/bind/dist/lib/dns/request.c patch external/bsd/bind/dist/lib/dns/resolver.c patch external/bsd/bind/dist/lib/dns/result.c patch external/bsd/bind/dist/lib/dns/rootns.c patch external/bsd/bind/dist/lib/dns/rpz.c patch external/bsd/bind/dist/lib/dns/rrl.c new external/bsd/bind/dist/lib/dns/sdb.c patch external/bsd/bind/dist/lib/dns/sdlz.c patch external/bsd/bind/dist/lib/dns/spnego.c patch external/bsd/bind/dist/lib/dns/spnego_asn1.c patch external/bsd/bind/dist/lib/dns/ssu.c patch external/bsd/bind/dist/lib/dns/ssu_external.c patch external/bsd/bind/dist/lib/dns/time.c patch external/bsd/bind/dist/lib/dns/tkey.c patch external/bsd/bind/dist/lib/dns/tsig.c patch external/bsd/bind/dist/lib/dns/ttl.c patch external/bsd/bind/dist/lib/dns/update.c patch external/bsd/bind/dist/lib/dns/validator.c patch external/bsd/bind/dist/lib/dns/view.c patch external/bsd/bind/dist/lib/dns/xfrin.c patch external/bsd/bind/dist/lib/dns/zone.c patch external/bsd/bind/dist/lib/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/acache.h patch external/bsd/bind/dist/lib/dns/include/dns/adb.h patch external/bsd/bind/dist/lib/dns/include/dns/cache.h patch external/bsd/bind/dist/lib/dns/include/dns/client.h patch external/bsd/bind/dist/lib/dns/include/dns/db.h patch external/bsd/bind/dist/lib/dns/include/dns/dispatch.h patch external/bsd/bind/dist/lib/dns/include/dns/dns64.h patch external/bsd/bind/dist/lib/dns/include/dns/dnssec.h patch external/bsd/bind/dist/lib/dns/include/dns/log.h patch external/bsd/bind/dist/lib/dns/include/dns/master.h patch external/bsd/bind/dist/lib/dns/include/dns/masterdump.h patch external/bsd/bind/dist/lib/dns/include/dns/message.h patch external/bsd/bind/dist/lib/dns/include/dns/name.h patch external/bsd/bind/dist/lib/dns/include/dns/ncache.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec3.h patch external/bsd/bind/dist/lib/dns/include/dns/rbt.h patch external/bsd/bind/dist/lib/dns/include/dns/rdata.h patch external/bsd/bind/dist/lib/dns/include/dns/rdataset.h patch external/bsd/bind/dist/lib/dns/include/dns/resolver.h patch external/bsd/bind/dist/lib/dns/include/dns/result.h patch external/bsd/bind/dist/lib/dns/include/dns/rpz.h patch external/bsd/bind/dist/lib/dns/include/dns/rrl.h new external/bsd/bind/dist/lib/dns/include/dns/types.h patch external/bsd/bind/dist/lib/dns/include/dns/validator.h patch external/bsd/bind/dist/lib/dns/include/dns/view.h patch external/bsd/bind/dist/lib/dns/include/dns/zone.h patch external/bsd/bind/dist/lib/dns/include/dst/dst.h patch external/bsd/bind/dist/lib/dns/include/dst/gssapi.h patch external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c patch external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c patch external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c new external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.h new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.h new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.h new external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c patch external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c patch external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.c new external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.h new external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.c new external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.h new external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c patch external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c patch external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c patch external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c patch external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c patch external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.c new external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.h new external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.c new external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.h new external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c new external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.h new external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c patch external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c patch external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.c new external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.h new external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c patch external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c patch external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c patch external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c patch external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c patch external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c patch external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.h patch external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c patch external/bsd/bind/dist/lib/dns/rdata/generic/uri_256.c patch external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c patch external/bsd/bind/dist/lib/dns/rdata/hs_4/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/aaaa_28.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/apl_42.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c patch external/bsd/bind/dist/lib/dns/tests/Makefile.in patch external/bsd/bind/dist/lib/dns/tests/db_test.c new external/bsd/bind/dist/lib/dns/tests/dbiterator_test.c patch external/bsd/bind/dist/lib/dns/tests/dbversion_test.c patch external/bsd/bind/dist/lib/dns/tests/dispatch_test.c new external/bsd/bind/dist/lib/dns/tests/dnstest.c patch external/bsd/bind/dist/lib/dns/tests/master_test.c patch external/bsd/bind/dist/lib/dns/tests/nsec3_test.c patch external/bsd/bind/dist/lib/dns/tests/private_test.c patch external/bsd/bind/dist/lib/dns/tests/rdata_test.c patch external/bsd/bind/dist/lib/dns/tests/zonemgr_test.c patch external/bsd/bind/dist/lib/dns/tests/testdata/master/master17.data new external/bsd/bind/dist/lib/dns/win32/gen.dsp delete external/bsd/bind/dist/lib/dns/win32/gen.mak delete external/bsd/bind/dist/lib/dns/win32/libdns.def delete external/bsd/bind/dist/lib/dns/win32/libdns.dsp delete external/bsd/bind/dist/lib/dns/win32/libdns.mak delete external/bsd/bind/dist/lib/export/dns/Makefile.in patch external/bsd/bind/dist/lib/export/irs/Makefile.in patch external/bsd/bind/dist/lib/export/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/export/isccfg/Makefile.in patch external/bsd/bind/dist/lib/export/samples/Makefile.in patch external/bsd/bind/dist/lib/export/samples/nsprobe.c patch external/bsd/bind/dist/lib/export/samples/sample-async.c patch external/bsd/bind/dist/lib/export/samples/sample-gai.c patch external/bsd/bind/dist/lib/export/samples/sample-request.c patch external/bsd/bind/dist/lib/export/samples/sample-update.c patch external/bsd/bind/dist/lib/export/samples/sample.c patch external/bsd/bind/dist/lib/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/api patch external/bsd/bind/dist/lib/irs/context.c patch external/bsd/bind/dist/lib/irs/dnsconf.c patch external/bsd/bind/dist/lib/irs/getaddrinfo.c patch external/bsd/bind/dist/lib/irs/getnameinfo.c patch external/bsd/bind/dist/lib/irs/resconf.c patch external/bsd/bind/dist/lib/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/include/irs/resconf.h patch external/bsd/bind/dist/lib/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/api patch external/bsd/bind/dist/lib/isc/app_api.c patch external/bsd/bind/dist/lib/isc/backtrace.c patch external/bsd/bind/dist/lib/isc/base32.c patch external/bsd/bind/dist/lib/isc/base64.c patch external/bsd/bind/dist/lib/isc/bind9.c new external/bsd/bind/dist/lib/isc/buffer.c patch external/bsd/bind/dist/lib/isc/commandline.c patch external/bsd/bind/dist/lib/isc/counter.c new external/bsd/bind/dist/lib/isc/event.c patch external/bsd/bind/dist/lib/isc/hash.c patch external/bsd/bind/dist/lib/isc/heap.c patch external/bsd/bind/dist/lib/isc/hex.c patch external/bsd/bind/dist/lib/isc/hmacmd5.c patch external/bsd/bind/dist/lib/isc/hmacsha.c patch external/bsd/bind/dist/lib/isc/httpd.c patch external/bsd/bind/dist/lib/isc/inet_aton.c patch external/bsd/bind/dist/lib/isc/inet_pton.c patch external/bsd/bind/dist/lib/isc/lex.c patch external/bsd/bind/dist/lib/isc/lib.c patch external/bsd/bind/dist/lib/isc/log.c patch external/bsd/bind/dist/lib/isc/md5.c patch external/bsd/bind/dist/lib/isc/mem.c patch external/bsd/bind/dist/lib/isc/mem_api.c patch external/bsd/bind/dist/lib/isc/netaddr.c patch external/bsd/bind/dist/lib/isc/parseint.c patch external/bsd/bind/dist/lib/isc/pool.c new external/bsd/bind/dist/lib/isc/print.c patch external/bsd/bind/dist/lib/isc/radix.c patch external/bsd/bind/dist/lib/isc/random.c patch external/bsd/bind/dist/lib/isc/ratelimiter.c patch external/bsd/bind/dist/lib/isc/regex.c new external/bsd/bind/dist/lib/isc/result.c patch external/bsd/bind/dist/lib/isc/safe.c new external/bsd/bind/dist/lib/isc/sha1.c patch external/bsd/bind/dist/lib/isc/sha2.c patch external/bsd/bind/dist/lib/isc/sockaddr.c patch external/bsd/bind/dist/lib/isc/socket_api.c patch external/bsd/bind/dist/lib/isc/stats.c patch external/bsd/bind/dist/lib/isc/string.c patch external/bsd/bind/dist/lib/isc/strtoul.c patch external/bsd/bind/dist/lib/isc/symtab.c patch external/bsd/bind/dist/lib/isc/task.c patch external/bsd/bind/dist/lib/isc/task_api.c patch external/bsd/bind/dist/lib/isc/taskpool.c patch external/bsd/bind/dist/lib/isc/timer.c patch external/bsd/bind/dist/lib/isc/timer_api.c patch external/bsd/bind/dist/lib/isc/tm.c new external/bsd/bind/dist/lib/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/include/isc/app.h patch external/bsd/bind/dist/lib/isc/include/isc/base32.h patch external/bsd/bind/dist/lib/isc/include/isc/bind9.h patch external/bsd/bind/dist/lib/isc/include/isc/buffer.h patch external/bsd/bind/dist/lib/isc/include/isc/counter.h new external/bsd/bind/dist/lib/isc/include/isc/event.h patch external/bsd/bind/dist/lib/isc/include/isc/file.h patch external/bsd/bind/dist/lib/isc/include/isc/hash.h patch external/bsd/bind/dist/lib/isc/include/isc/httpd.h patch external/bsd/bind/dist/lib/isc/include/isc/iterated_hash.h patch external/bsd/bind/dist/lib/isc/include/isc/list.h patch external/bsd/bind/dist/lib/isc/include/isc/mem.h patch external/bsd/bind/dist/lib/isc/include/isc/namespace.h patch external/bsd/bind/dist/lib/isc/include/isc/platform.h.in patch external/bsd/bind/dist/lib/isc/include/isc/pool.h new external/bsd/bind/dist/lib/isc/include/isc/print.h patch external/bsd/bind/dist/lib/isc/include/isc/queue.h patch external/bsd/bind/dist/lib/isc/include/isc/radix.h patch external/bsd/bind/dist/lib/isc/include/isc/regex.h new external/bsd/bind/dist/lib/isc/include/isc/region.h patch external/bsd/bind/dist/lib/isc/include/isc/result.h patch external/bsd/bind/dist/lib/isc/include/isc/safe.h new external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h patch external/bsd/bind/dist/lib/isc/include/isc/socket.h patch external/bsd/bind/dist/lib/isc/include/isc/stdio.h patch external/bsd/bind/dist/lib/isc/include/isc/string.h patch external/bsd/bind/dist/lib/isc/include/isc/task.h patch external/bsd/bind/dist/lib/isc/include/isc/timer.h patch external/bsd/bind/dist/lib/isc/include/isc/tm.h new external/bsd/bind/dist/lib/isc/include/isc/types.h patch external/bsd/bind/dist/lib/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/isc/thread.h patch external/bsd/bind/dist/lib/isc/pthreads/thread.c patch external/bsd/bind/dist/lib/isc/pthreads/include/isc/thread.h patch external/bsd/bind/dist/lib/isc/sparc64/include/isc/atomic.h patch external/bsd/bind/dist/lib/isc/tests/Makefile.in patch external/bsd/bind/dist/lib/isc/tests/counter_test.c new external/bsd/bind/dist/lib/isc/tests/hash_test.c patch external/bsd/bind/dist/lib/isc/tests/isctest.c patch external/bsd/bind/dist/lib/isc/tests/isctest.h patch external/bsd/bind/dist/lib/isc/tests/lex_test.c new external/bsd/bind/dist/lib/isc/tests/parse_test.c new external/bsd/bind/dist/lib/isc/tests/pool_test.c new external/bsd/bind/dist/lib/isc/tests/print_test.c new external/bsd/bind/dist/lib/isc/tests/regex_test.c new external/bsd/bind/dist/lib/isc/tests/safe_test.c new external/bsd/bind/dist/lib/isc/tests/sockaddr_test.c new external/bsd/bind/dist/lib/isc/tests/symtab_test.c patch external/bsd/bind/dist/lib/isc/tests/time_test.c new external/bsd/bind/dist/lib/isc/unix/app.c patch external/bsd/bind/dist/lib/isc/unix/entropy.c patch external/bsd/bind/dist/lib/isc/unix/file.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_getifaddrs.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_ioctl.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_sysctl.c patch external/bsd/bind/dist/lib/isc/unix/interfaceiter.c patch external/bsd/bind/dist/lib/isc/unix/net.c patch external/bsd/bind/dist/lib/isc/unix/socket.c patch external/bsd/bind/dist/lib/isc/unix/stdio.c patch external/bsd/bind/dist/lib/isc/unix/time.c patch external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/include/isc/net.h patch external/bsd/bind/dist/lib/isc/unix/include/isc/stat.h patch external/bsd/bind/dist/lib/isc/unix/include/isc/time.h patch external/bsd/bind/dist/lib/isc/win32/libisc.def delete external/bsd/bind/dist/lib/isc/win32/libisc.dsp delete external/bsd/bind/dist/lib/isc/win32/libisc.mak delete external/bsd/bind/dist/lib/isc/win32/include/isc/platform.h delete external/bsd/bind/dist/lib/isccc/Makefile.in patch external/bsd/bind/dist/lib/isccc/api patch external/bsd/bind/dist/lib/isccc/base64.c patch external/bsd/bind/dist/lib/isccc/cc.c patch external/bsd/bind/dist/lib/isccc/sexpr.c patch external/bsd/bind/dist/lib/isccc/include/isccc/util.h patch external/bsd/bind/dist/lib/isccc/win32/libisccc.dsp delete external/bsd/bind/dist/lib/isccc/win32/libisccc.mak delete external/bsd/bind/dist/lib/isccfg/Makefile.in patch external/bsd/bind/dist/lib/isccfg/aclconf.c patch external/bsd/bind/dist/lib/isccfg/api patch external/bsd/bind/dist/lib/isccfg/namedconf.c patch external/bsd/bind/dist/lib/isccfg/parser.c patch external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/isccfg/include/isccfg/aclconf.h patch external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h patch external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h patch external/bsd/bind/dist/lib/isccfg/win32/libisccfg.dsp delete external/bsd/bind/dist/lib/isccfg/win32/libisccfg.mak delete external/bsd/bind/dist/lib/lwres/Atffile new external/bsd/bind/dist/lib/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/api patch external/bsd/bind/dist/lib/lwres/compat.c new external/bsd/bind/dist/lib/lwres/context.c patch external/bsd/bind/dist/lib/lwres/gai_strerror.c patch external/bsd/bind/dist/lib/lwres/getaddrinfo.c patch external/bsd/bind/dist/lib/lwres/gethost.c patch external/bsd/bind/dist/lib/lwres/getipnode.c patch external/bsd/bind/dist/lib/lwres/getnameinfo.c patch external/bsd/bind/dist/lib/lwres/getrrset.c patch external/bsd/bind/dist/lib/lwres/herror.c patch external/bsd/bind/dist/lib/lwres/lwbuffer.c patch external/bsd/bind/dist/lib/lwres/lwconfig.c patch external/bsd/bind/dist/lib/lwres/lwinetaton.c patch external/bsd/bind/dist/lib/lwres/lwinetpton.c patch external/bsd/bind/dist/lib/lwres/lwres_gabn.c patch external/bsd/bind/dist/lib/lwres/lwres_gnba.c patch external/bsd/bind/dist/lib/lwres/lwres_grbn.c patch external/bsd/bind/dist/lib/lwres/lwres_noop.c patch external/bsd/bind/dist/lib/lwres/lwresutil.c patch external/bsd/bind/dist/lib/lwres/print.c patch external/bsd/bind/dist/lib/lwres/strtoul.c delete external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/include/lwres/lwres.h patch external/bsd/bind/dist/lib/lwres/include/lwres/netdb.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/platform.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/stdlib.h patch external/bsd/bind/dist/lib/lwres/include/lwres/string.h new external/bsd/bind/dist/lib/lwres/man/lwres.3 patch external/bsd/bind/dist/lib/lwres/man/lwres.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres.html patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html patch external/bsd/bind/dist/lib/lwres/man/lwres_config.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_config.html patch external/bsd/bind/dist/lib/lwres/man/lwres_context.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_context.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.html patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html patch external/bsd/bind/dist/lib/lwres/tests/Atffile new external/bsd/bind/dist/lib/lwres/tests/Makefile.in new external/bsd/bind/dist/lib/lwres/tests/config_test.c new external/bsd/bind/dist/lib/lwres/tests/testdata/link-local.conf new external/bsd/bind/dist/lib/lwres/win32/liblwres.dsp delete external/bsd/bind/dist/lib/lwres/win32/liblwres.mak delete external/bsd/bind/dist/lib/tests/t_api.c patch external/bsd/bind/dist/lib/tests/include/tests/t_api.h patch external/bsd/bind/dist/lib/win32/bindevt/bindevt.dsp delete external/bsd/bind/dist/lib/win32/bindevt/bindevt.mak delete external/bsd/bind/dist/make/mkdep.in patch external/bsd/bind/dist/make/rules.in patch external/bsd/bind/dist/unit/README patch external/bsd/bind/dist/unit/unittest.sh.in patch external/bsd/bind/dist/unit/atf-src/AUTHORS patch external/bsd/bind/dist/unit/atf-src/Atffile patch external/bsd/bind/dist/unit/atf-src/COPYING patch external/bsd/bind/dist/unit/atf-src/INSTALL patch external/bsd/bind/dist/unit/atf-src/Kyuafile new external/bsd/bind/dist/unit/atf-src/Makefile.am patch external/bsd/bind/dist/unit/atf-src/Makefile.in patch external/bsd/bind/dist/unit/atf-src/NEWS patch external/bsd/bind/dist/unit/atf-src/TODO new external/bsd/bind/dist/unit/atf-src/aclocal.m4 patch external/bsd/bind/dist/unit/atf-src/atf-c++.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c.h patch external/bsd/bind/dist/unit/atf-src/configure patch external/bsd/bind/dist/unit/atf-src/configure.ac patch external/bsd/bind/dist/unit/atf-src/admin/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/admin/check-install.sh delete external/bsd/bind/dist/unit/atf-src/admin/check-style-c.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-common.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-cpp.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-man.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-shell.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style.sh patch external/bsd/bind/dist/unit/atf-src/admin/compile patch external/bsd/bind/dist/unit/atf-src/admin/depcomp patch external/bsd/bind/dist/unit/atf-src/admin/install-sh patch external/bsd/bind/dist/unit/atf-src/admin/ltmain.sh patch external/bsd/bind/dist/unit/atf-src/admin/missing patch external/bsd/bind/dist/unit/atf-src/atf-c/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c/atf-c-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-c/atf-c.m4 new external/bsd/bind/dist/unit/atf-src/atf-c/atf-common.m4 new external/bsd/bind/dist/unit/atf-src/atf-c/atf_c_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/check.c patch external/bsd/bind/dist/unit/atf-src/atf-c/check.h patch external/bsd/bind/dist/unit/atf-src/atf-c/check_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/config.c patch external/bsd/bind/dist/unit/atf-src/atf-c/config_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/defs.h.in patch external/bsd/bind/dist/unit/atf-src/atf-c/error.c patch external/bsd/bind/dist/unit/atf-src/atf-c/error.h patch external/bsd/bind/dist/unit/atf-src/atf-c/error_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/macros.h patch external/bsd/bind/dist/unit/atf-src/atf-c/macros_h_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/macros_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/pkg_config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-c/tc.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tc.h patch external/bsd/bind/dist/unit/atf-src/atf-c/tc_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tp.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tp.h patch external/bsd/bind/dist/unit/atf-src/atf-c/tp_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/unused_test.c new external/bsd/bind/dist/unit/atf-src/atf-c/utils.c patch external/bsd/bind/dist/unit/atf-src/atf-c/utils.h patch external/bsd/bind/dist/unit/atf-src/atf-c/utils_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c/detail/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/env.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/env_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_helpers.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers_test.c delete external/bsd/bind/dist/unit/atf-src/atf-c/detail/text.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/tp_main.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c++/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c++/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c++/atf-c++-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-c++/atf-c++.m4 new external/bsd/bind/dist/unit/atf-src/atf-c++/check.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/check.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/check_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros_hpp_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/noncopyable.hpp new external/bsd/bind/dist/unit/atf-src/atf-c++/pkg_config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/unused_test.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/utils.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/utils.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/utils_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/auto_array.hpp new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/auto_array_test.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/sanity.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/test_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/test_helpers.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/ui.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/ui.hpp patch external/bsd/bind/dist/unit/atf-src/atf-config/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-config/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-config/atf-config.1 patch external/bsd/bind/dist/unit/atf-src/atf-config/atf-config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-config/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-report/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-report/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-report/atf-report.1 patch external/bsd/bind/dist/unit/atf-src/atf-report/atf-report.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/fail_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-report/misc_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/pass_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader.hpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.css patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.dtd patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.xsl patch external/bsd/bind/dist/unit/atf-src/atf-run/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-run/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-run/atf-run.1 patch external/bsd/bind/dist/unit/atf-src/atf-run/atf-run.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/config_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-run/io.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/io.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/io_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/misc_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/pass_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/requirements.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/requirements_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/several_tcs_helper.c patch external/bsd/bind/dist/unit/atf-src/atf-run/signals.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/signals.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/signals_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/test-program.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/test_program_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/timer.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/timer.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/zero_tcs_helper.c patch external/bsd/bind/dist/unit/atf-src/atf-run/share/atf-run.hooks patch external/bsd/bind/dist/unit/atf-src/atf-sh/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-sh/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check.1 patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check.cpp patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.cpp patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.m4 new external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.pc.in new external/bsd/bind/dist/unit/atf-src/atf-sh/atf_check_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/libatf-sh.subr patch external/bsd/bind/dist/unit/atf-src/atf-sh/misc_helpers.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/normalize_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/tc_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/tp_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-version/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-version/atf-version.1 patch external/bsd/bind/dist/unit/atf-src/atf-version/atf-version.cpp patch external/bsd/bind/dist/unit/atf-src/atf-version/generate-revision.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_app_empty.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_app_opts_args.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_atf_check_sh.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_basic_cpp.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_basic_sh.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/package.m4 patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_application_help.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_application_opts_args.atpatch external/bsd/bind/dist/unit/atf-src/bootstrap/t_atf_config.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_atf_run.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_subr_atf_check.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_compare.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_filter.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_list.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_run.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/testsuite patch external/bsd/bind/dist/unit/atf-src/bootstrap/testsuite.at patch external/bsd/bind/dist/unit/atf-src/doc/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/doc/atf-formats.5 patch external/bsd/bind/dist/unit/atf-src/doc/atf-test-case.4 patch external/bsd/bind/dist/unit/atf-src/doc/atf-test-program.1 patch external/bsd/bind/dist/unit/atf-src/doc/atf.7.in patch external/bsd/bind/dist/unit/atf-src/m4/compiler-flags.m4 patch external/bsd/bind/dist/unit/atf-src/m4/cxx-std-funcs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/developer-mode.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-application.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-defs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-env.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-fs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-sanity.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-signals.m4 patch external/bsd/bind/dist/unit/atf-src/test-programs/Atffile patch external/bsd/bind/dist/unit/atf-src/test-programs/Kyuafile new external/bsd/bind/dist/unit/atf-src/test-programs/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/test-programs/c_helpers.c patch external/bsd/bind/dist/unit/atf-src/test-programs/config_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/cpp_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/test-programs/expect_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/fork_test.sh delete external/bsd/bind/dist/unit/atf-src/test-programs/meta_data_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/result_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/sh_helpers.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/srcdir_test.sh patch external/bsd/bind/dist/win32utils/BINDBuild.dsw delete external/bsd/bind/dist/win32utils/BuildAll.bat delete external/bsd/bind/dist/win32utils/BuildPost.bat delete external/bsd/bind/dist/win32utils/BuildSetup.bat delete external/bsd/bind/dist/win32utils/SetupLibs.bat delete external/bsd/bind/dist/win32utils/dnsheadergen.bat delete external/bsd/bind/dist/win32utils/makedefs.pl delete external/bsd/bind/dist/win32utils/makeversion.pl delete external/bsd/bind/dist/win32utils/setpk11provider.pl delete external/bsd/bind/dist/win32utils/updatelibxml2.pl delete external/bsd/bind/dist/win32utils/updateopenssl.pl delete external/bsd/bind/dist/win32utils/win32-build.txt delete external/bsd/bind/include/config.h patch external/bsd/bind/include/dns/code.h patch external/bsd/bind/include/dns/enumclass.h patch external/bsd/bind/include/dns/enumtype.h patch external/bsd/bind/include/dns/rdatastruct.h patch external/bsd/bind/include/irs/netdb.h new external/bsd/bind/include/irs/platform.h new external/bsd/bind/include/isc/platform.h patch external/bsd/bind/include/lwres/netdb.h patch external/bsd/bind/include/lwres/platform.h patch external/bsd/bind/lib/Makefile patch external/bsd/bind/lib/libbind9/Makefile patch external/bsd/bind/lib/libbind9/shlib_version patch external/bsd/bind/lib/libdns/Makefile patch external/bsd/bind/lib/libdns/shlib_version patch external/bsd/bind/lib/libirs/Makefile new external/bsd/bind/lib/libirs/shlib_version new external/bsd/bind/lib/libisc/Makefile patch external/bsd/bind/lib/libisc/shlib_version patch external/bsd/bind/lib/libisccc/Makefile patch external/bsd/bind/lib/libisccc/shlib_version patch external/bsd/bind/lib/libisccfg/Makefile patch external/bsd/bind/lib/libisccfg/shlib_version patch external/bsd/bind/lib/liblwres/shlib_version patch Update bind to 9.9.6-P1. CVE-2014-8500. @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d412 2 a413 16 A 64-bit unsigned integer, or the keywordsunlimitedordefault.Integers may take values 0 <= value <= 18446744073709551615, though certain parameters (such as max-journal-size) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible", depending on the context. See the explanations of particular parameters that use
size_specfor details on how they interpret its use. d416 7 a422 2 Numeric values can optionally be followed by a scaling factor: d427 3 a429 13Gorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.
unlimitedgenerally means "as big as possible", though in certain contexts, (includingmax-cache-size), it may mean the largest possible 32-bit unsigned integer (0xffffffff); this distinction can be important when dealing with larger quantities.unlimitedis usually the best way to safely set a very large number. d432 5 a436 2defaultuses the limit that was in force when the server was started. d480 1 a480 1 Syntax d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d909 1 a909 3 interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. a920 3 When addresses are added or removed, the localnets ACL element is updated to reflect the changes. d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1140 1 a1140 1 [ sizesize_spec] d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase a1293 3 On Windows machines syslog messages are directed to the EventViewer.d1720 2 a1721 2 delegation-only in a forward, hint or stub zone declaration. a1771 31
d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2033 2 a2034 2 IPv4 addresses (and ports) that this instance of a lightweight resolver daemon d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar d2120 1 a2120 1 [ zone-statistics rate-limit
(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
full|terse|none; ] a2133 1 [ request-nsidyes_or_no; ] a2159 1 [ check-spf (warn|ignore); ] a2178 1 [ no-case-compress {address_match_list}; ] d2260 1 a2260 1 [ dns64ipv6-prefix{ a2282 1 [ max-recursion-depthnumber; ] a2292 17 [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] d2297 1 a2297 1 [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d2427 7 a2433 16d2707 1 a2707 1 from https://www.isc.org/solutions/dlv/. d2845 1 a2845 32 via dynamic update; this is not yet implemented.) Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views, then managed keys for the server will be tracked in a single file called
managed-keys.bind. Otherwise, managed keys will be tracked in separate files, one file per view; each file name will be the SHA256 hash of the view name, followed by the extension.mkeys.zone-statistics If
full, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics terse or zone-statistics none in the zone statement). The default isterse, providing minimal statistics on zones (including name and current serial number, but not query type counters).These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions of BIND 9, the zone-statistics option can also accept
yesorno, which have the same effect asfullandterse, respectively. a3234 11request-nsid d3257 14 d3594 1 a3594 2 If
yes, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in the resolver category at level info. The default isno.a3623 8 d3606 1 a3606 12
The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with check-spf.
check-spf d3691 1 a3691 1 sets the frequency of automatic repository checks, in d3732 1 a3732 1 Forwarding d3776 1 a3776 1 Dual-stack Servers a3850 6 Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it will be refused. If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn.
a3974 51
no-case-compress d3987 1 a3987 1 Interfaces d3991 1 a3991 3 an optional port and an Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisons.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circumstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all responses for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
address_match_listof IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) a4038 2 IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning. d4455 1 a4455 1 UDP Port Lists d4497 1 a4497 1 Operating System Resource Limits d4577 2 a4578 4 will be automatically removed. The largest permitted value is 2 gigabytes. The default isunlimited, which also means 2 gigabytes. d4646 1 a4646 1 The listen queue depth. The default and minimum is 10. d4651 3 a4653 4 some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also be used; on most platforms this sets the listen queue length to a system-defined default value. d4659 1 a4659 1 Periodic Task Intervals d5081 1 a5081 1 signing state records. The default is d5089 7 a5095 14 Signing state records are used to internally by named to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command rndc signing -listzone. Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running rndc signing -clearkeyid/algorithmzone. To clear all of the completed signing state records for a zone, use rndc signing -clear allzone. a5235 23max-recursion-depth Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
max-recursion-queries d5268 6 a5273 10 default view of class IN. Most global configuration options (allow-query, etc) will apply to this view, but some are locally overridden: notify, recursion and allow-new-zones are always set to Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
no.If you need to disable these zones, use the options d5328 1 a5328 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5359 64
64.100.IN-ADDR.ARPA 65.100.IN-ADDR.ARPA 66.100.IN-ADDR.ARPA 67.100.IN-ADDR.ARPA 68.100.IN-ADDR.ARPA 69.100.IN-ADDR.ARPA 70.100.IN-ADDR.ARPA 71.100.IN-ADDR.ARPA 72.100.IN-ADDR.ARPA 73.100.IN-ADDR.ARPA 74.100.IN-ADDR.ARPA 75.100.IN-ADDR.ARPA 76.100.IN-ADDR.ARPA 77.100.IN-ADDR.ARPA 78.100.IN-ADDR.ARPA 79.100.IN-ADDR.ARPA 80.100.IN-ADDR.ARPA 81.100.IN-ADDR.ARPA 82.100.IN-ADDR.ARPA 83.100.IN-ADDR.ARPA 84.100.IN-ADDR.ARPA 85.100.IN-ADDR.ARPA 86.100.IN-ADDR.ARPA 87.100.IN-ADDR.ARPA 88.100.IN-ADDR.ARPA 89.100.IN-ADDR.ARPA 90.100.IN-ADDR.ARPA 91.100.IN-ADDR.ARPA 92.100.IN-ADDR.ARPA 93.100.IN-ADDR.ARPA 94.100.IN-ADDR.ARPA 95.100.IN-ADDR.ARPA 96.100.IN-ADDR.ARPA 97.100.IN-ADDR.ARPA 98.100.IN-ADDR.ARPA 99.100.IN-ADDR.ARPA 100.100.IN-ADDR.ARPA 101.100.IN-ADDR.ARPA 102.100.IN-ADDR.ARPA 103.100.IN-ADDR.ARPA 104.100.IN-ADDR.ARPA 105.100.IN-ADDR.ARPA 106.100.IN-ADDR.ARPA 107.100.IN-ADDR.ARPA 108.100.IN-ADDR.ARPA 109.100.IN-ADDR.ARPA 110.100.IN-ADDR.ARPA 111.100.IN-ADDR.ARPA 112.100.IN-ADDR.ARPA 113.100.IN-ADDR.ARPA 114.100.IN-ADDR.ARPA 115.100.IN-ADDR.ARPA 116.100.IN-ADDR.ARPA 117.100.IN-ADDR.ARPA 118.100.IN-ADDR.ARPA 119.100.IN-ADDR.ARPA 120.100.IN-ADDR.ARPA 121.100.IN-ADDR.ARPA 122.100.IN-ADDR.ARPA 123.100.IN-ADDR.ARPA 124.100.IN-ADDR.ARPA 125.100.IN-ADDR.ARPA 126.100.IN-ADDR.ARPA 127.100.IN-ADDR.ARPA d5524 1 a5524 1 Content Filtering d5577 1 a5577 1 d5647 1 a5647 1 Response Policy Zone (RPZ) Rewriting d5703 2 a5709 4 NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains. d5748 10 d5782 1 a5782 1 by a CNAME whose target is rpz-passthru. a5899 245RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
d6213 2 a6214 2This feature is only available when BIND 9 is compiled with the
--enable-rrloption on the "configure" command line.Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with responses-per-second (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomain-per-second (default responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the responses-per-second value, but it can be set separately with errors-per-second.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
a5908 1 [ request-nsidyes_or_no; ] a6097 7The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
d6111 1 a6111 1 statistics-channels Statement Definition and a6158 24If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When BIND 9 is configured with --enable-newstats, a new XML schema is used (version 3) which adds additional zone statistics and uses a flatter tree for more efficient parsing. The stylesheet included uses the Google Charts API to render data into into charts and graphs when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
d6171 1 a6171 1 trusted-keys Statement Definition d6211 1 a6211 1 managed-keys Statement Grammarnameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d6322 1 a6322 1 If the dnssec-validation option is d6325 4 a6328 7 root zone. Similarly, if the dnssec-lookaside option is set toauto, named will automatically initialize a managed key for the zonedlv.isc.org. In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d6346 1 a6346 1 view Statement Definition and Usage a6473 3 [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] a6479 1 [ check-spf (warn|ignore); ] d6502 1 a6502 1 [ zone-statisticsfull|terse|none; ] d6526 1 a6527 1 [ update-check-kskyes_or_no; ] d6567 1 a6567 5 [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] a6572 3 [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] d6647 1 a6647 1 zone Statement Definition and Usage d6650 1 a6650 1 Zone Types d6887 4 a6890 6 Redirect zones are used to provide answers to queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. a6896 36To redirect all NXDOMAIN responses to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2, one would configure a type redirect zone named ".", with the zone file containing wildcard records that point to the desired addresses:
"*. IN A 100.100.100.2"and"*. IN AAAA 2001:ffff:ffff::100.100.100.2".To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced directly by name, they are not kept in the zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use rndc reload
d6930 1 a6930 1 Class d6952 1 a6952 1 Zone Options a7026 5zonenameto reload a redirect zone. However, when using rndc reload without specifying a zone name, redirect zones will be reloaded along with other zones.check-spf d7103 3 a7105 4 The flag only applies to forward, hint and stub zones. If set to See the description of check-spf in the section called “Boolean Options”.
yes, then the zone will also be treated as if it is also a delegation-only type zone. d7422 1 a7422 1 unsigned zone is transferred in or loaded from d7863 1 a7863 1 Zone File d7876 1 a7876 1 Resource Records d8613 1 a8613 1 Textual expression of RRs d8816 1 a8816 1 Discussion of MX Records d9058 2 a9059 1 servers can cache it. d9072 1 a9072 1 Inverse Mapping in IPv4 d9133 1 a9133 1 Other Zone File Directives d9148 1 a9148 1 The @@ (at-sign) d9159 1 a9159 1 The $ORIGIN Directive d9188 1 a9188 1 The $INCLUDE Directive d9224 1 a9224 1 The $TTL Directive d9243 1 a9243 1 BIND Master File Extension: the $GENERATE Directive d9311 2 a9312 3 is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. d9667 1 a9667 1 Name Server Statistics Counters a10218 39RPZRewrites
Response policy zone rewrites.
RateDropped
Responses dropped by rate limits.
d10224 1 a10224 1 Zone Maintenance Statistics Counters d10378 1 a10378 1 Resolver Statistics Counters d10761 1 a10761 1 Socket I/O Statistics Counters d10916 1 a10916 1 Compatibility with BIND 8 Counters a10967 1 RateSlipped
Responses truncated by rate limits.
BIND Version 9.9
@ 1.1.1.9.4.2.2.2 log @Pull up following revision(s) (requested by spz in ticket #1259): external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/README patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html patch external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/zone.c patch Security patch for bind from ISC (to 9.9.6-P2). Only the change to lib/dns/zone.c is security relevant (CVE-2015-1349). @ text @d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a2341 1 [ max-recursion-queriesnumber; ] d3865 1 a3865 1 Forwarding d3909 1 a3909 1 Dual-stack Servers d4177 1 a4177 1 Interfaces d4649 1 a4649 1 UDP Port Lists d4691 1 a4691 1 Operating System Resource Limits d4856 1 a4856 1 Periodic Task Intervals d5819 1 a5819 1 Content Filtering d5942 1 a5942 1 Response Policy Zone (RPZ) Rewriting d6209 1 a6209 1 Response Rate Limiting d6651 1 a6651 1 statistics-channels Statement Definition and d6735 1 a6735 1 trusted-keys Statement Definition d6775 1 a6775 1 managed-keys Statement Grammar d6913 1 a6913 1 view Statement Definition and Usage d7225 1 a7225 1 zone Statement Definition and Usage d7228 1 a7228 1 Zone Types d7546 1 a7546 1 Class d7568 1 a7568 1 Zone Options d8485 1 a8485 1 Zone File d8498 1 a8498 1 Resource Records d9235 1 a9235 1 Textual expression of RRs d9438 1 a9438 1 Discussion of MX Records d9693 1 a9693 1 Inverse Mapping in IPv4 d9754 1 a9754 1 Other Zone File Directives d9769 1 a9769 1 The @@ (at-sign) d9780 1 a9780 1 The $ORIGIN Directive d9809 1 a9809 1 The $INCLUDE Directive d9845 1 a9845 1 The $TTL Directive d9864 1 a9864 1 BIND Master File Extension: the $GENERATE Directive d10289 1 a10289 1 Name Server Statistics Counters d10885 1 a10885 1 Zone Maintenance Statistics Counters d11039 1 a11039 1 Resolver Statistics Counters d11422 1 a11422 1 Socket I/O Statistics Counters d11577 1 a11577 1 Compatibility with BIND 8 Counters @ 1.1.1.9.4.2.2.3 log @Apply patch, requested by spz in ticket 1329: Update bind to 9.9.7-P3 @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d496 1 a496 1 Syntax d505 1 a505 1 Definition and Usage d589 1 a589 1 Comment Syntax d599 1 a599 1 Syntax d615 1 a615 1 Definition and Usage d869 1 a869 1 acl Statement Grammar d885 5 d956 1 a956 1 controls Statement Grammar d1080 1 a1080 1 include Statement Grammar d1085 1 a1085 1 include Statement Definition and d1100 1 a1100 1 key Statement Grammar d1109 1 a1109 1 key Statement Definition and Usage d1156 1 a1156 1 logging Statement Grammar d1180 1 a1180 1 logging Statement Definition and d1214 1 a1214 1 The channel Phrase a1826 11d1832 1 a1832 1 The query-errors Category d2060 1 a2060 1 lwres Statement Grammar d2076 1 a2076 1 lwres Statement Definition and Usage d2127 1 a2127 1 masters Statement Grammar d2135 1 a2135 1 masters Statement Definition and d2145 1 a2145 1 options Statement Grammar d2370 5 a2374 10 [ response-policy { zone cname
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
zone_name[ policy(given | disabled | passthru | nxdomain | nodata | cname domain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; [...] } ; ] d3866 1 a3866 1 Forwarding d3910 1 a3910 1 Dual-stack Servers d4178 1 a4178 1 Interfaces d4475 1 a4475 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4650 1 a4650 1 UDP Port Lists d4692 1 a4692 1 Operating System Resource Limits d4857 1 a4857 1 Periodic Task Intervals d5461 2 a5462 4 is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 50. d5820 1 a5820 1 Content Filtering d5943 1 a5943 1 Response Policy Zone (RPZ) Rewriting d6031 1 a6031 1Among triggers with the same prefix length, d6210 1 a6210 1 Response Rate Limiting d6652 1 a6652 1 statistics-channels Statement Definition and d6736 1 a6736 1 trusted-keys Statement Definition d6776 1 a6776 1 managed-keys Statement Grammar d6914 1 a6914 1 view Statement Definition and Usage d7226 1 a7226 1 zone Statement Definition and Usage d7229 1 a7229 1 Zone Types d7547 1 a7547 1 Class d7569 1 a7569 1 Zone Options d8486 1 a8486 1 Zone File d8499 1 a8499 1 Resource Records d9236 1 a9236 1 Textual expression of RRs d9439 1 a9439 1 Discussion of MX Records d9694 1 a9694 1 Inverse Mapping in IPv4 d9755 1 a9755 1 Other Zone File Directives d9770 1 a9770 1 The @@ (at-sign) d9781 1 a9781 1 The $ORIGIN Directive d9810 1 a9810 1 The $INCLUDE Directive d9846 1 a9846 1 The $TTL Directive d9865 1 a9865 1 BIND Master File Extension: the $GENERATE Directive d10290 1 a10290 1 Name Server Statistics Counters d10886 1 a10886 1 Zone Maintenance Statistics Counters d11040 1 a11040 1 Resolver Statistics Counters d11423 1 a11423 1 Socket I/O Statistics Counters d11578 1 a11578 1 Compatibility with BIND 8 Counters d11630 1 a11630 1 BIND 9.9.7-P3 (Extended Support Version)
@ 1.1.1.9.4.2.2.4 log @Revert ticket 1329, it doens't build on this branch @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d496 1 a496 1 Syntax d505 1 a505 1 Definition and Usage d589 1 a589 1 Comment Syntax d599 1 a599 1 Syntax d615 1 a615 1 Definition and Usage d869 1 a869 1 acl Statement Grammar a884 5 Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.d951 1 a951 1 controls Statement Grammar d1075 1 a1075 1 include Statement Grammar d1080 1 a1080 1 include Statement Definition and d1095 1 a1095 1 key Statement Grammar d1104 1 a1104 1 key Statement Definition and Usage d1151 1 a1151 1 logging Statement Grammar d1175 1 a1175 1 logging Statement Definition and d1209 1 a1209 1 The channel Phrase d1822 11 d1838 1 a1838 1 The query-errors Category d2066 1 a2066 1 lwres Statement Grammar d2082 1 a2082 1 lwres Statement Definition and Usage d2133 1 a2133 1 masters Statement Grammar d2141 1 a2141 1 masters Statement Definition and d2151 1 a2151 1 options Statement Grammar d2376 10 a2385 5 [ response-policy {
zone_name[ policy given | disabled | passthru | nxdomain | nodata | cnamedomain] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d3877 1 a3877 1 Forwarding d3921 1 a3921 1 Dual-stack Servers d4189 1 a4189 1 Interfaces d4486 3 a4488 1 per second. The default is 20. d4663 1 a4663 1 UDP Port Lists d4705 1 a4705 1 Operating System Resource Limits d4870 1 a4870 1 Periodic Task Intervals d5474 4 a5477 2 is terminated and returns SERVFAIL. The default is 50. d5835 1 a5835 1 Content Filtering d5958 1 a5958 1 Response Policy Zone (RPZ) Rewriting d6046 1 a6046 1Among triggers with the same prefex length, d6225 1 a6225 1 Response Rate Limiting d6667 1 a6667 1 statistics-channels Statement Definition and d6751 1 a6751 1 trusted-keys Statement Definition d6791 1 a6791 1 managed-keys Statement Grammar d6929 1 a6929 1 view Statement Definition and Usage d7241 1 a7241 1 zone Statement Definition and Usage d7244 1 a7244 1 Zone Types d7562 1 a7562 1 Class d7584 1 a7584 1 Zone Options d8501 1 a8501 1 Zone File d8514 1 a8514 1 Resource Records d9251 1 a9251 1 Textual expression of RRs d9454 1 a9454 1 Discussion of MX Records d9709 1 a9709 1 Inverse Mapping in IPv4 d9770 1 a9770 1 Other Zone File Directives d9785 1 a9785 1 The @@ (at-sign) d9796 1 a9796 1 The $ORIGIN Directive d9825 1 a9825 1 The $INCLUDE Directive d9861 1 a9861 1 The $TTL Directive d9880 1 a9880 1 BIND Master File Extension: the $GENERATE Directive d10305 1 a10305 1 Name Server Statistics Counters d10901 1 a10901 1 Zone Maintenance Statistics Counters d11055 1 a11055 1 Resolver Statistics Counters d11438 1 a11438 1 Socket I/O Statistics Counters d11593 1 a11593 1 Compatibility with BIND 8 Counters d11645 1 a11645 1 BIND Version 9.9
@ 1.1.1.9.4.2.2.5 log @Apply patch (requested by spz in ticket #1449): Update BIND to 9.9.9-P8 Security issues fixed with this update: CVE-2015-8704 CVE-2016-1285 CVE-2016-1286 CVE-2016-2775 CVE-2016-2776 CVE-2016-8864 CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2017-3135 CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 The update also contains numerous bug fixes as well as changes to comply with recent RFCs. @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2d509 1 a509 1 the listen-on and sortlist d513 5 a517 5
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 11
- zone Statement Definition and Usage
Zone File
- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
d95 1 a95 1- BIND9 Statistics
d97 7 a103 2- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d503 1 a503 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d309 4 a312 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d420 1 a420 1 (such as max-journal-size) may d427 1 a427 1 for details on how they interpret its use. d446 1 a446 1 dealing with larger quantities. d451 1 a451 1 defaultd491 1 a491 1d597 1 a597 1 d613 1 a613 1 d687 1 a687 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d520 2 a521 2
- the name of an address match list defined with the acl statement d523 1 a523 1
- a nested address match list enclosed in braces
d547 2 a548 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d554 12 a565 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d578 1 a578 1 1.2.3/24; ! 1.2.3.13; d581 1 a581 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d587 1 a587 1d703 2 a704 2d709 1 a709 1 acl
d720 1 a720 1controls
d725 1 a725 1 by the rndc utility. d731 1 a731 1include
d741 1 a741 1key
d752 1 a752 1logging
d763 1 a763 1lwres
d767 2 a768 2 configures named to also act as a light-weight resolver daemon (lwresd). d774 1 a774 1masters
d780 2 a781 2 masters or also-notify lists. d787 1 a787 1options
d798 1 a798 1server
d809 1 a809 1statistics-channels
d814 1 a814 1 named statistics. d820 1 a820 1trusted-keys
d830 1 a830 1managed-keys
d841 1 a841 1view
d851 1 a851 1zone
d862 2 a863 2 The logging and options statements may only occur once d867 1 a867 1acl acl-name { d875 1 a875 1d877 1 a877 1 acl Statement Definition and d880 1 a880 1 The acl statement assigns a symbolic d885 5 d894 2 a895 2d900 1 a900 1 any
d910 1 a910 1none
d920 1 a920 1localhost
d926 1 a926 1 added or removed, the localhost d933 1 a933 1localnets
d940 1 a940 1 the localnets d945 1 a945 1 In such a case, localnets d947 1 a947 1 IPv6 addresses, just like localhost. d954 1 a954 1controls { d968 1 a968 1d970 1 a970 1 controls Statement Definition and d973 1 a973 1 The controls statement declares control d976 1 a976 1 used by the rndc utility to send d980 4 a983 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d987 2 a988 2 use an ip_addr of::. If you will only use rndc on the local host, d994 1 a994 1 "*" cannot be used for ip_port. d998 2 a999 2 restricted by the allow and keys clauses. d1001 3 a1003 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1007 1 a1007 1 A unix control channel is a UNIX domain d1009 2 a1010 2 Access to the socket is specified by the perm, owner and group clauses. d1012 1 a1012 1 (perm) are applied to the parent directory d1017 3 a1019 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1021 2 a1022 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1025 2 a1026 2 If no controls statement is present, named will set up a default d1029 3 a1031 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1042 1 a1042 1 messages and thus did not have a keys clause. d1046 2 a1047 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1063 1 a1063 1 named is running as) can access it. d1066 1 a1066 1 rndc commands, then you need to create d1074 2 a1075 2 controls statement: controls { };. d1078 1 a1078 1included1083 1 a1083 1 d1088 3 a1090 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1098 1 a1098 1filename;keykey_id{ algorithmalgorithm_id; secretsecret_string; d1107 1 a1107 1 d1111 2 a1112 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1114 2 a1115 1 (see the section called “controls Statement Definition and d1119 1 a1119 1 The key statement can occur at the d1121 2 a1122 2 of the configuration file or inside a view statement. Keys defined in top-level key d1124 3 a1126 2 a controls statement (see the section called “controls Statement Definition and d1133 1 a1133 1 be used in a server d1154 1 a1154 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1167 3 a1169 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1171 1 a1171 1 [ categorycategory_name{ d1178 1 a1178 1 d1183 1 a1183 1 The logging statement configures a d1185 1 a1185 1 variety of logging options for the name server. Its channel phrase d1187 1 a1187 1 a name that can then be used with the category phrase d1191 1 a1191 1 Only one logging statement is used to d1193 1 a1193 1 as many channels and categories as are wanted. If there is no logging statement, d1205 1 a1205 1 established as soon as the logging d1212 1 a1212 1 d1225 2 a1226 2 info), and whether to include a named-generated time stamp, the d1231 1 a1231 1 The null destination clause d1236 1 a1236 1 The file destination clause directs d1244 1 a1244 1 If you use the versions log file d1246 1 a1246 1 named will retain that many backup d1256 1 a1256 1 You can say versions unlimited to d1259 1 a1259 1 If a size option is associated with d1267 1 a1267 1 The size option for files is used d1269 2 a1270 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1274 1 a1274 1 versions option, no more data will d1283 2 a1284 2 Example usage of the size and versions options: d1293 1 a1293 1 The syslog destination clause d1296 9 a1304 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1307 1 a1307 1 How syslog will handle messages d1309 3 a1311 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1318 1 a1318 1 The severity clause works like syslog's d1320 1 a1320 1 straight to a file rather than using syslog. d1327 1 a1327 1 If you are using syslog, then the syslog.conf priorities d1329 7 a1335 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1339 1 a1339 1 The stderr destination clause d1352 1 a1352 1 level is set either by starting the named server d1354 1 a1354 1 or by running rndc trace. d1356 1 a1356 1 can be set to zero, and debugging mode turned off, by running rndc d1369 1 a1369 1 level. Channels with dynamic d1374 1 a1374 1 If print-time has been turned on, d1376 2 a1377 2 the date and time will be logged. print-time may be specified for a syslog channel, d1379 1 a1379 1 pointless since syslog also logs d1381 1 a1381 1 time. If print-category is d1383 2 a1384 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1388 1 a1388 1 three print- options d1396 1 a1396 1 named's default logging as follows. d1398 1 a1398 1 used is described in the section called “The category Phrase”. d1428 1 a1428 1 The default_debug channel has the d1438 1 a1438 1 is created only after named has d1440 1 a1440 1 new UID, and any debug output generated while named is d1452 1 a1452 1 d1460 1 a1460 1 in that category will be sent to the default category d1481 1 a1481 1 To discard all messages in a category, specify the null channel: d1493 2 a1494 2d1499 2 a1500 2 client
Processing of client requests.
d1512 2 a1513 2cname
d1515 5 a1519 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1523 2 a1524 2config
d1526 6 a1531 4Configuration file parsing and processing.
d1535 2 a1536 2database
d1538 4 a1541 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1545 2 a1546 2default
d1548 4 a1551 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1555 2 a1556 2delegation-only
d1558 6 a1563 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1567 2 a1568 2dispatch
d1570 4 a1573 5Dispatching of incoming packets to the server modules where they are to be processed.
d1577 2 a1578 2dnssec
d1580 4 a1583 4DNSSEC and TSIG protocol processing.
d1587 2 a1588 2edns-disabled
d1590 4 a1593 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1597 2 a1598 2general
d1600 4 a1603 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1607 2 a1608 2lame-servers
d1610 9 a1618 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1622 2 a1623 2network
d1625 4 a1628 4Network operations.
d1632 2 a1633 2notify
d1635 4 a1638 4The NOTIFY protocol.
d1642 2 a1643 2queries
d1645 4 a1648 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1652 2 a1653 2query-errors
d1655 35 a1689 5Information about queries that resulted in some failure.
d1693 2 a1694 2rate-limit
d1696 5 a1700 25(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1704 2 a1705 2resolver
d1707 5 a1711 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1715 2 a1716 2rpz
d1718 4 a1721 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1725 2 a1726 2security
d1728 6 a1733 4Approval and denial of requests.
d1737 2 a1738 2spill
d1740 8 a1747 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1751 2 a1752 2unmatched
d1754 28 a1781 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1785 2 a1786 2update
d1788 7 a1794 4Dynamic updates.
d1798 2 a1799 2update-security
d1801 25 a1825 24Approval and denial of update requests.
xfer-in
Zone transfers the server is receiving.
xfer-out
d1830 1 a1830 1 d1834 1 a1834 1 The query-errors category is d1839 1 a1839 1 with debug levels. d1902 2 a1903 2 Zone transfers the server is sending.
d2058 1 a2058 1 d2062 1 a2062 1 This is the grammar of the lwres d2065 1 a2065 1 lwres { d2074 1 a2074 1 d2078 1 a2078 1 The lwres statement configures the d2081 2 a2082 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2086 1 a2086 1 The listen-on statement specifies a d2097 1 a2097 1 The view statement binds this d2108 1 a2108 1 The search statement is equivalent to d2110 1 a2110 1 search statement in d2116 1 a2116 1 The ndots statement is equivalent to d2118 1 a2118 1 ndots statement in d2125 1 a2125 1 d2129 1 a2129 1 mastersname[portip_port] { (masters_list| d2133 1 a2133 1d2135 1 a2135 1 masters Statement Definition and d2137 1 a2137 1d2147 1 a2147 1 This is the grammar of the options d2150 1 a2150 1masters d2139 2 a2140 2 multiple stub and slave zones in their masters or also-notify lists. d2143 1 a2143 1
options { a2193 1 [ auto-dnssecallow|maintain|off; ] d2205 1 a2205 1ip_addr[portip_port] ) ; d2248 2 a2249 2 [ port (ip_port|*) ] | [ address (ip6_addr|*) ] d2258 1 a2260 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2278 3 a2280 3 [ also-notify [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] a2296 1 [ serial-update-methodincrement|unixtime|date; ] d2322 1 a2322 1 [ suffixIPv6-address; ] d2339 2 d2370 5 a2374 10 [ response-policy { zonezone_name[ policy(given | disabled | passthru | nxdomain | nodata | cname domain) ] ; [...] } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d2378 1 a2378 1d2380 1 a2380 1 options Statement Definition and d2383 1 a2383 1 The options statement sets up global d2387 1 a2387 1 once in a configuration file. If there is no options d2391 2 a2392 2d6916 1 a6916 1 The view statement is a powerful d6925 1 a6925 1 Each view statement defines a view d6931 1 a6931 1 match-clients clause and its d6935 1 a6935 1 match-destinations clause. If not d6937 1 a6937 1 match-clients and match-destinations d6940 2 a6941 2 match-clients and match-destinations can also take keys which provide an d6944 1 a6944 1 as match-recursive-only, which d6947 1 a6947 1 The order of the view statements is d6950 1 a6950 1 view that it matches. d6953 1 a6953 1 Zones defined within a view d6955 1 a6955 1 only be accessible to clients that match the view. d6962 2 a6963 2 Many of the options given in the options statement can also be used within a view d6967 1 a6967 1 value is given, the value in the options statement d6970 1 a6970 1 in the view statement; these d6972 1 a6972 1 take precedence over those in the options statement. d6980 1 a6980 1 If there are no view statements in d6984 1 a6984 1 in class IN. Any zone statements d6988 1 a6988 1 this default view, and the options d6990 2 a6991 2 apply to the default view. If any explicit view statements are present, all zone d6993 1 a6993 1 occur inside view statements. d6997 1 a6997 1 using view statements: d7032 1 a7032 1d3918 2 a3919 2
- attach-cache
d2404 2 a2405 2 The attach-cache option may also be specified in view d2407 1 a2407 1 global attach-cache option. d2412 1 a2412 1 When the named server configures d2423 1 a2423 1 the attach-cache as a global d2432 1 a2432 1 attach-cache option as a view A (or d2455 8 a2462 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2477 1 a2477 1- directory
d2492 1 a2492 1- key-directory
d2503 1 a2503 1- managed-keys-directory
d2511 1 a2511 1 If named is not configured to use views, d2520 1 a2520 1- named-xfer
d2524 1 a2524 1 the pathname to the named-xfer d2526 1 a2526 1 named-xfer program is needed; d2529 1 a2529 1- tkey-gssapi-keytab
d2536 1 a2536 1- tkey-gssapi-credential
d2547 1 a2547 1 To use GSS-TSIG, tkey-domain must d2551 1 a2551 1- tkey-domain
d2554 2 a2555 2 generated with TKEY. When a client requests a TKEY exchange, d2562 1 a2562 1 In most cases, the domainname d2569 1 a2569 1- tkey-dhkey
d2574 1 a2574 1 of TKEY. The server must be d2580 1 a2580 1- cache-file
d2584 1 a2584 1- dump-file
d2588 1 a2588 1 rndc dumpdb. d2591 1 a2591 1- memstatistics-file
d2597 1 a2597 1- pid-file
d2604 1 a2604 1 name server. Specifying pid-file none disables the d2606 1 a2606 1 existing one will be removed. Note that none d2611 1 a2611 1- recursing-file
d2615 1 a2615 1 to do so with rndc recursing. d2618 1 a2618 1- statistics-file
d2621 1 a2621 1 to when instructed to do so using rndc stats. d2625 1 a2625 1 in the section called “The Statistics File”. d2627 1 a2627 1- bindkeys-file
d2630 3 a2632 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2636 1 a2636 1- secroots-file
d2640 1 a2640 1 rndc secroots. d2644 1 a2644 1- session-keyfile
d2647 2 a2648 2 session key generated by named for use by nsupdate -l. If not specified, the d2650 1 a2650 1 (See the section called “Dynamic Update Policies”, and in d2652 1 a2652 1 update-policy statement's d2656 1 a2656 1- session-keyname
d2661 1 a2661 1- session-keyalg
d2668 1 a2668 1- port
d2678 1 a2678 1- random-device
d2692 1 a2692 1 random-device option takes d2697 1 a2697 1- preferred-glue
d2702 1 a2702 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2705 1 a2705 1 root-delegation-only d2751 1 a2751 1- disable-algorithms
d2755 1 a2755 1 Multiple disable-algorithms d2759 1 a2759 1- dnssec-lookaside
d2762 1 a2762 1 When set, dnssec-lookaside provides the d2766 1 a2766 1 dnssec-lookaside, and the normal DNSSEC d2774 1 a2774 1 If dnssec-lookaside is set to d2780 1 a2780 1 If dnssec-lookaside is set to d2787 2 a2788 2 named will load that key at startup if dnssec-lookaside is set to d2793 1 a2793 1 from https://www.isc.org/solutions/dlv/. d2798 2 a2799 2 named. Relying on this is not recommended, however, as it requires named d2803 1 a2803 1 NOTE: named only loads certain specific d2809 1 a2809 1- dnssec-must-be-secure
d2813 1 a2813 1 then named will only accept answers if d2817 3 a2819 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2821 1 a2821 1- dns64
d2824 1 a2824 1 This directive instructs named to d2828 1 a2828 1 dns64 defines one DNS64 prefix. d2839 2 a2840 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2846 2 a2847 2 Each dns64 supports an optional clients ACL that determines which d2852 3 a2854 3 Each dns64 supports an optional mapped ACL that selects which IPv4 addresses are to be mapped in the corresponding d2862 1 a2862 1 exclude ACL allows specification d2866 1 a2866 1 name owns. If not defined, exclude d2870 1 a2870 1 A optional suffix can also d2878 2 a2879 2 If recursive-only is set to yes the DNS64 synthesis will d2881 1 a2881 1 is no. d2884 2 a2885 2 If break-dnssec is set to yes the DNS64 synthesis will d2888 1 a2888 1 is set to no (the default), the DO d2903 1 a2903 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d2910 2 a2911 2 the section called “Dynamic Update Policies”), and if named has access to the d2913 1 a2913 1 named will automatically sign all new d2920 1 a2920 1 then named will sign all new or d2925 1 a2925 1 With either of these settings, named d2928 1 a2928 1 named. (A planned third option, d2934 1 a2934 23- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
- zone-statistics
d2940 3 a2942 3 zone-statistics terse or zone-statistics none in the zone statement). d2950 2 a2951 2 statistics-channel or using rndc stats, which d2953 2 a2954 2 in the statistics-file. See also the section called “The Statistics File”. d2958 1 a2958 1 of BIND 9, the zone-statistics d2966 1 a2966 1d2969 2 a2970 2d3877 2 a3878 2
- allow-new-zones
d2973 2 a2974 2 added at runtime via rndc addzone or deleted via rndc delzone. d2977 1 a2977 1- auth-nxdomain
d2979 1 a2979 1 Ifyes, then the AA bit d2988 1 a2988 1- deallocate-on-exit
d2995 1 a2995 1- memstatistics
d2998 1 a2998 1 memstatistics-file at exit. d3003 1 a3003 1- dialup
d3015 1 a3015 1 happens in a short interval, once every heartbeat-interval and d3021 4 a3024 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3037 1 a3037 1 notify and also-notify. d3045 1 a3045 1 heartbeat-interval expires in d3058 1 a3058 1 when the heartbeat-interval d3066 4 a3069 4d3096 1 a3096 1 no (default)
d3116 1 a3116 1yes
d3136 1 a3136 1notify
d3156 1 a3156 1refresh
d3176 1 a3176 1passive
d3196 1 a3196 1notify-passive
d3218 1 a3218 1 dialup. d3221 1 a3221 1- fake-iquery
d3228 1 a3228 1- fetch-glue
d3239 1 a3239 1- flush-zones-on-shutdown
d3244 1 a3244 1 flush-zones-on-shutdownno. d3246 1 a3246 1- has-old-clients
d3252 3 a3254 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3256 1 a3256 1- host-statistics
d3263 1 a3263 1- maintain-ixfr-base
d3271 1 a3271 1 transfers, use provide-ixfrno. d3273 1 a3273 1- minimal-responses
d3282 1 a3282 1- multiple-cnames
d3290 1 a3290 1- notify
d3296 1 a3296 1 changes, see the section called “Notify”. The messages are d3301 1 a3301 1 also-notify option. d3309 1 a3309 1 servers explicitly listed using also-notify. d3313 2 a3314 2 The notify option may also be specified in the zone d3316 1 a3316 1 in which case it overrides the options notify statement. d3322 1 a3322 1- notify-to-soa
d3333 1 a3333 1- recursion
d3344 1 a3344 1 Note that setting recursion no does not prevent d3350 1 d3352 1 a3352 1- request-nsid
d3355 1 a3355 1 NSID (Name Server Identifier) option is sent with all d3359 2 a3360 2 the resolver category at level info. d3363 1 a3363 1- rfc2308-type1
d3379 1 a3379 1- use-id-pool
d3385 1 a3385 1- use-ixfr
d3390 3 a3392 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3395 1 a3395 1 the section called “Incremental Zone Transfers (IXFR)”. d3397 1 a3397 1- provide-ixfr
d3400 3 a3402 2 provide-ixfr in the section called “server Statement Definition and d3405 1 a3405 1- request-ixfr
d3408 3 a3410 2 request-ixfr in the section called “server Statement Definition and d3413 1 a3413 1- treat-cr-as-space
d3417 1 a3417 1 the server treat carriage return ("\r") characters the same way d3421 2 a3422 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3427 1 a3427 1 additional-from-auth, additional-from-cache d3462 1 a3462 1 Setting these options to no d3470 1 a3470 1 them to no without also d3472 1 a3472 1 recursion no will cause the d3477 1 a3477 1 Specifying additional-from-cache no actually d3497 1 a3497 1 referrals when additional-from-cache no d3505 1 a3505 1- match-mapped-addresses
d3518 1 a3518 1 named now solves this problem d3522 1 a3522 1- filter-aaaa-on-v4
d3533 3 a3535 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3540 2 a3541 2 the DNS client is at an IPv4 address, in filter-aaaa, and if the response does not include DNSSEC signatures, d3553 2 a3554 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3573 1 a3573 1- ixfr-from-differences
d3597 3 a3599 3ixfr-from-differences also accepts master and slave at the view and options d3601 3 a3603 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3607 1 a3607 1
- multi-master
d3611 1 a3611 1 addresses refer to different machines. Ifyes, named will d3613 1 a3613 1 when the serial number on the master is less than what named d3617 4 a3620 47- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
This indicates whether DNSSEC-related resource records are to be returned by named. If set to
no, named will not return DNSSEC-related resource records unless specifically queried for. d3623 4 a3626 5- dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3634 2 a3635 2 a trusted-keys or managed-keys statement. The default d3637 2 a3638 12
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
- dnssec-accept-expired
d3643 1 a3643 1 leaves named vulnerable to d3646 1 a3646 1- querylog
d3648 1 a3648 1 Specify whether query logging should be started when named d3650 1 a3650 1 If querylog is not specified, d3652 1 a3652 1 is determined by the presence of the logging category queries. d3654 1 a3654 1- check-names
d3663 5 a3667 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3673 1 a3673 1check-names d3682 1 a3682 1
- check-dup-records
d3686 3 a3688 3 default is to warn. Other possible values are fail and ignore. d3690 1 a3690 1- check-mx
d3693 3 a3695 3 The default is to warn. Other possible values are fail and ignore. d3697 1 a3697 1- check-wildcard
d3704 1 a3704 1 affects master zones. The default (yes) is to check d3707 1 a3707 1- check-integrity
d3716 1 a3716 1 named-checkzone). d3719 2 a3720 2 checks use named-checkzone). The default is yes. d3730 1 a3730 1 check-spf. d3733 1 a3733 1- check-mx-cname
d3735 1 a3735 1 If check-integrity is set then d3737 1 a3737 1 to CNAMES. The default is to warn. d3739 1 a3739 1- check-srv-cname
d3741 1 a3741 1 If check-integrity is set then d3743 1 a3743 1 to CNAMES. The default is to warn. d3745 1 a3745 1- check-sibling
d3748 1 a3748 1 sibling glue exists. The default is yes. d3750 1 a3750 1- check-spf
d3752 1 a3752 1 If check-integrity is set then d3756 1 a3756 1 warn. d3758 1 a3758 1- zero-no-soa-ttl
d3763 1 a3763 1 The default is yes. d3765 1 a3765 1- zero-no-soa-ttl-cache
d3769 1 a3769 1 The default is no. d3771 1 a3771 1- update-check-ksk
d3786 1 a3786 1 similar to the dnssec-signzone -z d3798 1 a3798 1- dnssec-dnskey-kskonly
d3801 1 a3801 1 When this option and update-check-ksk d3808 1 a3808 1 dnssec-signzone -x command line option. d3811 2 a3812 2 The default is no. If update-check-ksk is set to d3816 16 a3831 1- try-tcp-refresh
d3835 1 a3835 1 yes. d3837 1 a3837 1- dnssec-secure-to-insecure
d3842 2 a3843 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d3856 1 a3856 1 auto-dnssec maintain and the d3859 1 a3859 1 next time named is started. d3864 1 a3864 1
- forward
d3890 1 a3890 1- forwarders
d3902 3 a3904 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d3908 1 a3908 1d4696 2 a4697 2 example, 1G can be used instead of 1073741824 to specify a limit of d4699 1 a4699 1 gigabyte. unlimited requests d4701 1 a4701 1 maximum available amount. default d4704 1 a4704 1 of size_spec in the section called “Configuration File Elements”. d4714 2 a4715 2
- dual-stack-servers
d3926 1 a3926 1 stacked, then the dual-stack-servers have no effect unless d3928 1 a3928 1 (e.g. named -4). d3932 1 a3932 1d3937 1 a3937 1 of the requesting system. See the section called “Address Match Lists” for d3940 2 a3941 2d4181 1 a4181 1 from may be specified using the listen-on option. listen-on takes d4189 1 a4189 1 Multiple listen-on statements are d4202 1 a4202 1 If no listen-on is specified, the d4206 1 a4206 1 The listen-on-v6 option is used to d4217 1 a4217 1 listen-on-v6 option, d4232 1 a4232 1 IPv4 addresses specified in listen-on-v6 d4236 1 a4236 1 Multiple listen-on-v6 options can d4255 1 a4255 1 If no listen-on-v6 option is d4257 3 a4259 3 unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default. d4262 1 a4262 1
- allow-notify
d3946 1 a3946 1 allow-notify may also be d3948 1 a3948 1 zone statement, in which case d3950 1 a3950 1 options allow-notify d3956 1 a3956 1- allow-query
d3960 2 a3961 2 DNS questions. allow-query may also be specified in the zone d3963 1 a3963 1 options allow-query statement. d3970 1 a3970 1 allow-query-cache is now d3975 1 a3975 1- allow-query-on
d3985 1 a3985 1 Note that allow-query-on is only d3987 1 a3987 1 allow-query. A query must be d3991 2 a3992 2 allow-query-on may also be specified in the zone d3994 1 a3994 1 options allow-query-on statement. d4003 1 a4003 1 allow-query-cache is d4008 1 a4008 1- allow-query-cache
d4011 7 a4017 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4019 1 a4019 1- allow-query-cache-on
d4024 2 a4025 2 localnets and localhost. d4027 1 a4027 1- allow-recursion
d4031 3 a4033 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4035 2 a4036 2 (localnets; localhost;) is used. d4038 1 a4038 1- allow-recursion-on
d4044 1 a4044 1- allow-update
d4051 1 a4051 1 the section called “Dynamic Update Security” for details. d4053 1 a4053 1- allow-update-forwarding
d4077 1 a4077 1 access control to attacks; see the section called “Dynamic Update Security” d4081 1 a4081 1- allow-v6-synthesis
d4091 1 a4091 1- allow-transfer
d4094 2 a4095 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4097 1 a4097 1 case it overrides the options allow-transfer statement. d4101 1 a4101 1- blackhole
d4109 1 a4109 1- filter-aaaa
d4112 1 a4112 1 filter-aaaa-on-v4 d4115 1 a4115 1- no-case-compress
d4120 1 a4120 1 used when named needs to work with d4127 1 a4127 1 none: case-insensitive compression d4151 1 a4151 1 There are circumstances in which named d4166 1 a4166 1- resolver-query-timeout
d4176 1 a4176 1d4267 1 a4267 1 query other name servers. query-source specifies d4269 3 a4271 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4275 1 a4275 1 If port is * or is omitted, d4279 2 a4280 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4282 2 a4283 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4286 2 a4287 2 The defaults of the query-source and query-source-v6 options d4294 3 a4296 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4300 1 a4300 1 named will use the corresponding system d4313 2 a4314 2 changed while named is running; the new range will automatically be applied when named d4317 2 a4318 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4324 1 a4324 1 where named runs may prohibit the use d4326 1 a4326 1 named running without a root privilege d4335 2 a4336 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4344 1 a4344 1 the use-queryport-pool d4350 2 a4351 2 query-source or query-source-v6 options; d4354 2 a4355 2d4652 4 a4655 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4658 1 a4658 1 See the section called “Query Address” about how the d4668 1 a4668 1 from named will be in one d4673 3 a4675 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4683 3 a4685 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4690 1 a4690 1
- use-queryport-pool
d4359 1 a4359 1- queryport-pool-ports
d4363 1 a4363 1- queryport-pool-updateinterval
d4371 1 a4371 1 The address specified in the query-source option d4387 2 a4388 2 See also transfer-source and notify-source. d4392 1 a4392 1d4401 2 a4402 2d4602 1 a4602 1
- also-notify
d4413 1 a4413 1 also-notify address to send d4420 1 a4420 1 masters lists can be used. d4423 2 a4424 2 If an also-notify list is given in a zone statement, d4426 2 a4427 2 the options also-notify statement. When a zone notify d4429 2 a4430 2 is set to no, the IP addresses in the global also-notify list will d4436 1 a4436 1- max-transfer-time-in
d4443 1 a4443 1- max-transfer-idle-in
d4450 1 a4450 1- max-transfer-time-out
d4457 1 a4457 1- max-transfer-idle-out
d4464 1 a4464 1- serial-query-rate
d4473 1 a4473 1 serial-query-rate option, an d4475 1 a4475 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4479 2 a4480 2 queries are issued at, serial-query-rate also controls d4485 1 a4485 1- serial-queries
d4487 1 a4487 1 In BIND 8, the serial-queries d4492 1 a4492 1 serial queries and ignores the serial-queries option. d4494 1 a4494 1 as defined using the serial-query-rate option. d4496 1 a4496 1- transfer-format
d4499 3 a4501 3 one-answer and many-answers. The transfer-format option is used d4503 1 a4503 1 one-answer uses one DNS message per d4505 1 a4505 1 many-answers packs as many resource d4507 1 a4507 1 many-answers is more efficient, but is d4511 1 a4511 1 The many-answers format is also supported by d4513 3 a4515 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4518 1 a4518 1- transfers-in
d4522 1 a4522 1 Increasing transfers-in may d4527 1 a4527 1- transfers-out
d4534 1 a4534 1- transfers-per-ns
d4540 1 a4540 1 Increasing transfers-per-ns d4544 3 a4546 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4548 1 a4548 1- transfer-source
d4550 1 a4550 1transfer-source d4560 1 a4560 1 allow-transfer option for the d4563 1 a4563 1 transfer-source for all zones, d4566 3 a4568 3 transfer-source statement within the view or zone block in the configuration d4579 1 a4579 1
- transfer-source-v6
d4581 1 a4581 1 The same as transfer-source, d4584 1 a4584 1- alt-transfer-source
d4588 2 a4589 2 transfer-source fails and use-alt-transfer-source is a4593 1d4596 1 a4596 1 use-alt-transfer-source d4600 1 a4600 2
- alt-transfer-source-v6
d4605 2 a4606 2 transfer-source-v6 fails and use-alt-transfer-source is d4609 1 a4609 1- use-alt-transfer-source
d4612 1 a4612 1 specified this defaults to no d4614 1 a4614 1 yes (for BIND 8 d4617 1 a4617 1- notify-source
d4619 1 a4619 1notify-source d4623 3 a4625 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4628 3 a4630 3 notify-source statement within the zone or view block in the configuration d4641 1 a4641 1
- notify-source-v6
d4643 1 a4643 1 Like notify-source, d4648 1 a4648 1
- coresize
d4720 1 a4720 1- datasize
d4733 2 a4734 2 max-cache-size and recursive-clients d4737 1 a4737 1- files
d4742 1 a4742 1- stacksize
d4749 1 a4749 1d4757 2 a4758 2
- max-ixfr-log-size
d4762 1 a4762 1 max-journal-size performs a d4765 1 a4765 1- max-journal-size
d4768 1 a4768 1 (see the section called “The journal file”). When the journal file d4778 1 a4778 1- host-statistics-max
d4784 5 a4788 6- recursive-clients
The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4791 7 a4797 24 bit of memory (on the order of 20 kilobytes), the value of the recursive-clients option may have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.- tcp-clients
d4803 1 a4803 175- clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
- fetches-per-zone
The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetches-per-server
The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetch-quota-params
Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- reserved-sockets
d4808 1 a4808 1 interfaces named listens on, tcp-clients as well as d4819 1 a4819 1- max-cache-size
d4841 1 a4841 1- tcp-listen-queue
d4850 1 a4850 1 be used; on most platforms this sets the listen queue d4855 1 a4855 1d4966 2 a4967 2 (but see the rrset-order statement in the section called “RRset Ordering”). d4978 1 a4978 1 The sortlist statement (see below) d4980 1 a4980 1 an address_match_list and d4982 1 a4982 1 more specifically than the topology d4984 3 a4986 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d4989 1 a4989 1 an IP prefix, an ACL name or a nested address_match_list) d5001 2 a5002 2 treated the same as the address_match_list in a topology statement. Each top d5067 1 a5067 1
- cleaning-interval
d4863 1 a4863 1 from the cache every cleaning-interval minutes. d4870 1 a4870 1- heartbeat-interval
d4873 1 a4873 1 for all zones marked as dialup whenever this d4880 1 a4880 1- interface-interval
d4883 1 a4883 1 every interface-interval d4891 1 a4891 1 listen-on configuration), and d4895 1 a4895 1- statistics-interval
d4899 1 a4899 1 every statistics-interval d4914 1 a4914 1d5074 1 a5074 1 The rrset-order statement permits d5077 2 a5078 2 See also the sortlist statement, the section called “The sortlist Statement”. d5081 1 a5081 1 An order_spec is defined as d5091 3 a5093 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5096 1 a5096 1 The legal values for ordering are: d5100 2 a5101 2d5106 1 a5106 1 fixed
d5117 1 a5117 1random
d5127 1 a5127 1cyclic
d5158 1 a5158 1 If multiple rrset-order statements d5168 1 a5168 1 rrset-order statement does not support d5175 1 a5175 1d5178 2 a5179 2
- lame-ttl
d5196 1 a5196 1- max-ncache-ttl
d5199 1 a5199 1 the server stores negative answers. max-ncache-ttl is d5203 2 a5204 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5208 1 a5208 1- max-cache-ttl
d5218 1 a5218 1- min-roots
d5233 1 a5233 1- sig-validity-interval
d5238 1 a5238 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5255 1 a5255 1 The sig-validity-interval d5261 1 a5261 1- sig-signing-nodes
d5268 1 a5268 1- sig-signing-signatures
d5275 1 a5275 1- sig-signing-type
d5288 1 a5288 1 named to track the current state of d5292 2 a5293 2 rndc signing -listzone. Once named has finished signing d5297 1 a5297 1 rndc signing -clearkeyid/algorithmzone. d5300 1 a5300 1 rndc signing -clear allzone. d5304 1 a5304 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5328 4 a5331 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5335 1 a5335 1- edns-udp-size
d5343 1 a5343 1 edns-udp-size to a non-default d5349 1 a5349 1 named will fallback to using 512 bytes d5356 1 a5356 1- max-udp-size
d5360 1 a5360 1 named will send in bytes. d5364 1 a5364 1 max-udp-size to a non-default d5369 1 a5369 1 buffer (edns-udp-size). d5376 1 a5376 1- masterfile-format
d5380 1 a5380 1 the section called “Additional File Formats”). d5386 2 a5387 2 named-compilezone tool, or dumped by named. d5391 1 a5391 1textis loaded, named d5394 1 a5394 1 check-names checks do not apply d5398 1 a5398 1 specified in the named configuration d5400 1 a5400 1 masterfile-format for all zones, d5402 3 a5404 3 by including a masterfile-format statement within the zone or view block in the configuration d5409 1 a5409 14 max-recursion-depthSets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
- max-recursion-queries d5411 54 a5464 10
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75.
- notify-delay
d5472 1 a5472 1 zones is controlled by serial-query-rate. d5475 1 a5475 1- max-rsa-exponent-size
d5484 1 a5484 1d5491 1 a5491 1 CHAOS class. These zones are part d5493 1 a5493 1 built-in view (see the section called “view Statement Grammar”) of d5495 3 a5497 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5499 3 a5501 3 overridden: notify, recursion and allow-new-zones are d5506 1 a5506 1 below, or hide the built-in CHAOS d5508 1 a5508 1 defining an explicit view of class CHAOS d5511 2 a5512 2
- version
d5516 1 a5516 1 with type TXT, class CHAOS. d5518 1 a5518 1 Specifying version none d5521 1 a5521 1- hostname
d5525 1 a5525 1 with type TXT, class CHAOS. d5531 1 a5531 1 answering your queries. Specifying hostname none; d5534 1 a5534 1- server-id
d5539 1 a5539 1 TXT, class CHAOS. d5542 1 a5542 1 answering your queries. Specifying server-id none; d5544 1 a5544 1 Specifying server-id hostname; will cause named to d5546 1 a5546 1 The default server-id is none. d5550 1 a5550 1d5573 98 a5670 98d5954 1 a5954 1 response-policy option for the view or among the d5959 1 a5959 1 allow-query { localhost; };. d6005 2 a6006 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6014 1 a6014 1 DISABLED actions) must be chosen. d6018 2 a6019 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a5696 1d5701 3 a5703 4
- empty-server
d5709 1 a5709 1- empty-contact
d5715 1 a5715 1- empty-zones-enable
d5720 1 a5720 1- disable-empty-zone
d5727 1 a5727 1d5731 1 a5731 1 The additional section cache, also called acache, d5736 1 a5736 1 Note that acache is an internal caching d5751 3 a5753 3 additional-from-cache to no is recommended, since the current implementation of acache d5758 1 a5758 1 One obvious disadvantage of acache is d5763 3 a5765 3 acache mechanism can be disabled by setting acache-enable to no. d5768 1 a5768 1 for acache by using max-acache-size. d5773 2 a5774 2 Without acache, cyclic order is effective for the additional d5779 1 a5779 1 setting of rrset-order. d5788 1 a5788 1 acache. d5790 2 a5791 2d5828 1 a5828 1 deny-answer-addresses option. d5833 1 a5833 1 deny-answer-aliases option, where d5837 1 a5837 1 with except-from, records whose query name d5841 1 a5841 1 corresponding zone, the deny-answer-aliases d5844 1 a5844 1 deny-answer-aliases, d5852 1 a5852 1 deny-answer-addresses option, only d5873 1 a5873 1 d5907 1 a5907 1 matches the except-from element, d5941 1 a5941 1
- Choose the triggered record in the zone that appears d6022 1 a6022 1
- Prefer QNAME to IP to NSDNAME to NSIP triggers d6025 1 a6025 1
- Among NSDNAME triggers, prefer the d6028 1 a6028 1
- Among IP or NSIP triggers, prefer the trigger d6031 1 a6031 1
- Among triggers with the same prefix length, d6049 2 a6050 2
d6219 2 a6220 2 rate-limit clause in an options or view statement. d6247 1 a6247 1 the window option to any value from d6251 1 a6251 1 or more negative than window d6262 2 a6263 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6268 1 a6268 1 with responses-per-second d6273 2 a6274 2 nodata-per-second (default responses-per-second). d6278 2 a6279 2 They are limited by nxdomain-per-second (default responses-per-second). d6286 2 a6287 2 referrals-per-second (default responses-per-second). d6301 1 a6301 1 responses-per-second value, d6303 1 a6303 1 errors-per-second. d6313 1 a6313 1 Setting slip to 2 (its default) causes every d6319 1 a6319 1 slip must be between 0 and 10. d6327 1 a6327 1 leaked at the slip rate. d6338 1 a6338 1 slip to 1, causing all rate-limited d6344 6 a6349 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6352 1 a6352 1 qps-scale 250; responses-per-second 20; and d6363 2 a6364 2 rate-limit statements in view statements instead of the global option d6366 2 a6367 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6370 1 a6370 1 with the exempt-clients clause. d6374 1 a6374 1 all-per-second phrase. d6376 3 a6378 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6383 2 a6384 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6386 1 a6386 1 An all-per-second limit should be d6394 1 a6394 1 records as it considers the STMP Mail From d6398 1 a6398 1 All-per-second is similar to the d6410 1 a6410 1 rate limit responses is set with max-table-size. d6416 1 a6416 1 min-table-size (default 500) d6418 1 a6418 1 Enable rate-limit category logging to monitor d6423 1 a6423 1 Use log-only yes to test rate limiting parameters d6428 1 a6428 1 RateDropped and QryDropped d6431 1 a6431 1 RateSlipped and RespTruncated. d6435 1 a6435 1
- The NXDOMAIN response is encoded d6053 2 a6054 2
- A CNAME whose target is the wildcard top-level domain (*.) specifies the NODATA action, d6057 1 a6057 1
- The Local Data action is d6069 2 a6070 2
- The PASSTHRU policy is specified by a CNAME whose target is rpz-passthru. d6082 2 a6083 2 policy clause in the response-policy option. d6087 3 a6089 3
- GIVEN says "do not override but d6092 2 a6093 2
- DISABLED causes policy records to do d6101 2 a6102 2
- PASSTHRU causes all policy records d6107 2 a6108 2
- NXDOMAIN causes all RPZ records d6111 2 a6112 2
- NODATA overrides with the d6115 2 a6116 2
- CNAME domain causes all RPZ d6126 1 a6126 1 with a recursive-only no clause. d6138 1 a6138 1 break-dnssec yes clause. d6147 1 a6147 1 The max-policy-ttl clause changes that d6205 1 a6205 1 RPZRewrites statistics. d6208 1 a6208 1
serverip_addr[/prefixlen]{ d6448 1 a6448 1 [ keys {key_id}; ] d6463 1 a6463 1d6465 1 a6465 1 server Statement Definition and d6468 1 a6468 1 The server statement defines d6477 1 a6477 1 The server statement can occur at d6479 1 a6479 1 configuration file or inside a view d6481 2 a6482 2 If a view statement contains one or more server statements, only d6485 1 a6485 1 If a view contains no server d6487 1 a6487 1 any top-level server statements are d6495 1 a6495 1 value of bogus is no. d6498 1 a6498 1 The provide-ixfr clause determines d6503 1 a6503 1 If set to yes, incremental transfer d6505 1 a6505 1 whenever possible. If set to no, d6509 1 a6509 1 of the provide-ixfr option in the d6514 1 a6514 1 The request-ixfr clause determines d6518 1 a6518 1 value of the request-ixfr option in d6529 3 a6531 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d6538 1 a6538 1 The edns clause determines whether d6540 1 a6540 1 with the remote server. The default is yes. d6543 2 a6544 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. d6552 2 a6553 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d6557 1 a6557 1 replies from named. d6560 3 a6562 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d6566 3 a6568 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d6570 1 a6570 1 by the options statement will be d6573 1 a6573 1transfers d6576 1 a6576 1 transfers clause is specified, the d6578 1 a6578 1 transfers-per-ns option. d6581 3 a6583 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d6592 5 a6596 1 Only a single key per server is currently supported. d6599 2 a6600 2 The transfer-source and transfer-source-v6 clauses specify d6604 1 a6604 1 For an IPv4 remote server, only transfer-source can d6607 1 a6607 1 transfer-source-v6 can be d6610 3 a6612 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d6615 2 a6616 2 The notify-source and notify-source-v6 clauses specify the d6619 1 a6619 1 IPv4 remote server, only notify-source d6621 1 a6621 1 only notify-source-v6 can be specified. d6624 2 a6625 2 The query-source and query-source-v6 clauses specify the d6628 1 a6628 1 remote server, only query-source can d6630 1 a6630 1 only query-source-v6 can be specified. d6633 1 a6633 1 The request-nsid clause determines d6636 2 a6637 2 request-nsid set at the view or option level. d6640 1 a6640 1
statistics-channels { d6650 1 a6650 1d6652 1 a6652 1 statistics-channels Statement Definition and d6655 1 a6655 1 The statistics-channels statement d6665 1 a6665 1 the statistics-channels statement is d6670 4 a6673 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d6677 1 a6677 1 use an ip_addr of::. d6682 1 a6682 1 ip_port. d6686 1 a6686 1 restricted by the optional allow clause. d6688 3 a6690 3 address_match_list. If no allow clause is present, named accepts connection d6697 2 a6698 2 If no statistics-channels statement is present, named will not open any communication channels. d6703 3 a6705 3 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables d6707 1 a6707 1 BIND 9 is configured with --enable-newstats, d6716 4 a6719 4 can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. d6725 1 a6725 1trusted-keys { d6734 1 a6734 1d6736 1 a6736 1 trusted-keys Statement Definition d6739 2 a6740 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d6751 1 a6751 1 trusted-keys are deemed to exist regardless d6753 1 a6753 1 trusted-keys only those keys are d6758 1 a6758 1 The trusted-keys statement can contain d6767 1 a6767 1 trusted-keys may be set at the top level d6774 1 a6774 1managed-keys { d6783 1 a6783 1d6785 1 a6785 1 managed-keys Statement Definition d6788 2 a6789 2 The managed-keys statement, like trusted-keys, defines DNSSEC d6791 1 a6791 1 managed-keys can be kept up to date d6799 1 a6799 1 trusted-keys statement would be d6803 1 a6803 1 trusted-keys statement with the new key. d6807 1 a6807 1 managed-keys statement instead, then the d6809 2 a6810 2 named would store the stand-by key, and when the original key was revoked, named d6817 1 a6817 1 A managed-keys statement contains a list of d6822 1 a6822 1 This means the managed-keys statement must d6828 2 a6829 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d6832 1 a6832 1 keys listed in a trusted-keys continue to be d6834 2 a6835 2named.conf, an initializing key listed in a managed-keys statement is only trusted d6841 1 a6841 1 The first time named runs with a managed key d6844 1 a6844 1 using the key specified in the managed-keys d6849 2 a6850 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d6853 1 a6853 1 key specified in the managed-keys is not d6858 1 a6858 1 The next time named runs after a name d6860 1 a6860 1 managed-keys statement, the corresponding d6866 3 a6868 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d6880 1 a6880 1 seconds. So, whenever named is using d6884 1 a6884 1 named.) d6887 2 a6888 2 If the dnssec-validation option is set toauto, named d6890 1 a6890 1 root zone. Similarly, if the dnssec-lookaside d6892 1 a6892 1 named will automatically initialize d6895 2 a6896 2 maintenance process is built into named, and can be overridden from bindkeys-file. d6899 1 a6899 1viewview_named6912 1 a6912 1d7034 1 a7034 1 zone d7036 1 a7036 1zonezone_name[class] { d7046 2 d7187 1 a7187 1 [ zone-statisticsfull|terse|none; ] d7200 2 a7201 2 [ server-names { [namelist] }; ] [ zone-statisticsfull|terse|none; ] d7224 1 a7224 1The type keyword is required for the zone configuration. Its acceptable values include:
d7232 2 a7233 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7260 1 a7260 1 zone. The masters list d7375 2 a7376 2 server-addresses and server-names zone options. d7382 1 a7382 1 databases by rndc dumpdb -all. d7400 1 a7400 1 glue A or AAAA RRs d7413 4 a7416 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d7420 1 a7420 1 name. If no forwarders d7422 1 a7422 1 an empty list for forwarders is given, then no d7425 1 a7425 1 any forwarders in the options statement. Thus d7428 1 a7428 1 global forward option d7470 1 a7470 1 per view. allow-query can be d7484 1 a7484 1 that point to the desired addresses: d7492 1 a7492 1 "*.ES." instead of "*.". To redirect all d7507 1 a7507 1 rndc reload d7510 1 a7510 1 rndc reload without specifying d7538 1 a7538 1 See caveats in root-delegation-only. d7545 1 a7545 1 d7567 1 a7567 1 d8508 1 a8508 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d8515 2 a8516 2
- allow-notify
d7574 1 a7574 1 allow-notify in the section called “Access Control”. d7576 1 a7576 1- allow-query
d7579 1 a7579 1 allow-query in the section called “Access Control”. d7581 1 a7581 1- allow-query-on
d7584 1 a7584 1 allow-query-on in the section called “Access Control”. d7586 1 a7586 1- allow-transfer
d7588 2 a7589 2 See the description of allow-transfer in the section called “Access Control”. d7591 1 a7591 1- allow-update
d7593 2 a7594 2 See the description of allow-update in the section called “Access Control”. d7596 1 a7596 1- update-policy
d7599 1 a7599 1 the section called “Dynamic Update Policies”. d7601 1 a7601 1- allow-update-forwarding
d7603 2 a7604 2 See the description of allow-update-forwarding in the section called “Access Control”. d7606 1 a7606 1- also-notify
d7608 1 a7608 1 Only meaningful if notify d7617 1 a7617 1 with also-notify. A port d7619 1 a7619 1 with each also-notify d7625 1 a7625 1 also-notify is not d7629 1 a7629 1- check-names
d7635 3 a7637 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d7639 1 a7639 1- check-mx
d7642 1 a7642 1 check-mx in the section called “Boolean Options”. d7644 1 a7644 1- check-spf
d7647 1 a7647 1 check-spf in the section called “Boolean Options”. d7649 1 a7649 1- check-wildcard
d7652 1 a7652 1 check-wildcard in the section called “Boolean Options”. d7654 1 a7654 1- check-integrity
d7657 1 a7657 1 check-integrity in the section called “Boolean Options”. d7659 1 a7659 1- check-sibling
d7662 1 a7662 1 check-sibling in the section called “Boolean Options”. d7664 1 a7664 1- zero-no-soa-ttl
d7667 1 a7667 1 zero-no-soa-ttl in the section called “Boolean Options”. d7669 1 a7669 1- update-check-ksk
d7672 1 a7672 1 update-check-ksk in the section called “Boolean Options”. d7674 1 a7674 1- dnssec-loadkeys-interval
d7677 2 a7678 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d7681 1 a7681 1- dnssec-update-mode
d7684 1 a7684 7 dnssec-update-mode in the section called “options Statement Definition and Usage”.- dnssec-dnskey-kskonly
See the description of dnssec-dnskey-kskonly in the section called “Boolean Options”. d7686 1 a7686 1
- try-tcp-refresh
d7689 1 a7689 1 try-tcp-refresh in the section called “Boolean Options”. d7691 1 a7691 1- database
d7695 1 a7695 1 zone data. The string following the database keyword d7717 1 a7717 1- dialup
d7720 1 a7720 1 dialup in the section called “Boolean Options”. d7722 1 a7722 1- delegation-only
d7731 1 a7731 1 See caveats in root-delegation-only. d7734 1 a7734 1- forward
d7737 1 a7737 1 list. The only value causes d7739 1 a7739 1 after trying the forwarders and getting no answer, while first would d7742 1 a7742 1- forwarders
d7745 1 a7745 1 If it is not specified in a zone of type forward, d7749 1 a7749 1- ixfr-base
d7761 1 a7761 1- ixfr-tmp-file
d7766 1 a7766 1- journal
d7770 1 a7770 1 This is applicable to master and slave zones. d7772 1 a7772 1- max-journal-size
d7775 1 a7775 1 max-journal-size in the section called “Server Resource Limits”. d7777 1 a7777 1- max-transfer-time-in
d7780 1 a7780 1 max-transfer-time-in in the section called “Zone Transfers”. d7782 1 a7782 1- max-transfer-idle-in
d7785 1 a7785 1 max-transfer-idle-in in the section called “Zone Transfers”. d7787 1 a7787 1- max-transfer-time-out
d7790 1 a7790 1 max-transfer-time-out in the section called “Zone Transfers”. d7792 1 a7792 1- max-transfer-idle-out
d7795 1 a7795 1 max-transfer-idle-out in the section called “Zone Transfers”. d7797 1 a7797 1- notify
d7800 1 a7800 1 notify in the section called “Boolean Options”. d7802 1 a7802 1- notify-delay
d7805 1 a7805 1 notify-delay in the section called “Tuning”. d7807 1 a7807 1- notify-to-soa
d7810 2 a7811 2 notify-to-soa in the section called “Boolean Options”. d7813 1 a7813 1- pubkey
d7822 1 a7822 1- zone-statistics
d7824 5 a7828 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d7830 1 a7830 1- server-addresses
d7844 1 a7844 1 in a server-addresses option, d7859 1 a7859 1- server-names
d7867 1 a7867 1 named needs to send queries to d7875 1 a7875 1 server-names option, but d7885 1 a7885 1 in a server-names option, d7902 1 a7902 1- sig-validity-interval
d7905 1 a7905 1 sig-validity-interval in the section called “Tuning”. d7907 1 a7907 1- sig-signing-nodes
d7910 1 a7910 1 sig-signing-nodes in the section called “Tuning”. d7912 1 a7912 1- sig-signing-signatures
d7915 1 a7915 1 sig-signing-signatures in the section called “Tuning”. d7917 1 a7917 1- sig-signing-type
d7920 1 a7920 1 sig-signing-type in the section called “Tuning”. d7922 1 a7922 1- transfer-source
d7925 1 a7925 1 transfer-source in the section called “Zone Transfers”. d7927 1 a7927 1- transfer-source-v6
d7930 1 a7930 1 transfer-source-v6 in the section called “Zone Transfers”. d7932 1 a7932 1- alt-transfer-source
d7935 1 a7935 1 alt-transfer-source in the section called “Zone Transfers”. d7937 1 a7937 1- alt-transfer-source-v6
d7940 1 a7940 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d7942 1 a7942 1- use-alt-transfer-source
d7945 1 a7945 1 use-alt-transfer-source in the section called “Zone Transfers”. d7947 1 a7947 1- notify-source
d7950 1 a7950 1 notify-source in the section called “Zone Transfers”. d7952 1 a7952 1- notify-source-v6
d7955 1 a7955 1 notify-source-v6 in the section called “Zone Transfers”. d7958 1 a7958 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d7961 1 a7961 1 See the description in the section called “Tuning”. d7963 1 a7963 1- ixfr-from-differences
d7966 2 a7967 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d7972 1 a7972 1- key-directory
d7975 2 a7976 1 key-directory in the section called “options Statement Definition and d7979 63 a8041 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8050 1 a8050 1- multi-master
d8052 2 a8053 2 See the description of multi-master in the section called “Boolean Options”. d8055 1 a8055 1- masterfile-format
d8057 2 a8058 2 See the description of masterfile-format in the section called “Tuning”. d8060 1 a8060 1- dnssec-secure-to-insecure
d8063 1 a8063 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8067 1 a8067 1d8073 2 a8074 2 allow-update and update-policy option, respectively. d8077 1 a8077 1 The allow-update clause works the d8083 1 a8083 1 The update-policy clause d8093 1 a8093 1 Rules are specified in the update-policy d8095 1 a8095 1 When the update-policy statement d8097 2 a8098 2 allow-update statement to be present. The update-policy statement d8103 1 a8103 1 There is a pre-defined update-policy d8105 1 a8105 1 update-policy local;. d8107 1 a8107 1 named to generate a TSIG session d8113 3 a8115 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8127 1 a8127 1 The command nsupdate -l sends update d8134 1 a8134 1 ( grant | deny )identitynametype[name] [types] d8189 2 a8190 2d8234 1 a8234 1 update-policy statement d8237 1 a8237 1 update-policy statement in d8257 1 a8257 1 is a valid expansion of the wildcard. d8323 1 a8323 1 and converts it machine.realm allowing the machine d8338 1 a8338 1 This rule takes a Windows machine principal d8357 1 a8357 1 and converts it machine.realm allowing the machine d8372 1 a8372 1 This rule takes a Kerberos machine principal d8430 1 a8430 1 This rule allows named d8484 1 a8484 1 d8594 2 a8595 2 a8667 64 ATMA ATM Address.
AVC
Application Visibility and Control record.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a8693 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a8706 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a8750 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a8775 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a8829 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a8842 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a8869 38 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NINFO
Contains zone status information.
NIMLOC
Nimrod Locator.
a8882 12 NSAP-PTR
Historical.
a8946 12 NULL
This is an opaque container.
a8965 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a8991 12 RKEY
Resource key.
a9047 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a9099 37 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9111 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d9144 2 a9145 2
d9234 1 a9234 1 d9276 3 a9278 3 d9394 3 a9396 3 d9437 1 a9437 1 d9477 5 a9481 5 d9620 1 a9620 1 d9712 2 a9713 2 d9745 1 a9745 1 The $ORIGIN lines in the examples d9753 1 a9753 1 d9765 2 a9766 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d9768 1 a9768 1 d9774 1 a9774 1 At the start of the zone file, it is the d9779 1 a9779 1 d9783 1 a9783 1 Syntax: $ORIGIN d9787 1 a9787 1 $ORIGIN d9790 2 a9791 2 is an implicit $ORIGIN <
d9812 1 a9812 1 Syntax: $INCLUDE d9820 3 a9822 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d9827 1 a9827 1 revert to the values they had prior to the $INCLUDE once d9835 1 a9835 1 an $INCLUDE, but it is silent d9844 1 a9844 1 d9848 1 a9848 1 Syntax: $TTL d9858 1 a9858 1zone_name>. d9793 2 a9794 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d9808 1 a9808 1$TTL d9863 1 a9863 1
d9867 1 a9867 1 Syntax: $GENERATE d9876 1 a9876 1$GENERATE d9879 1 a9879 1 iterator. $GENERATE can be used to d9921 2 a9922 2
d9927 1 a9927 1 range
d9941 1 a9941 1lhs
d9946 1 a9946 1 to be created. Any single $ d9948 1 a9948 1 symbols within the lhs string d9952 4 a9955 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d9960 4 a9963 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d9969 3 a9971 3 (d), octal (o), hexadecimal (x or X d9973 1 a9973 1 (n or N\ d9975 3 a9977 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d9989 1 a9989 1 $$ is still recognized as d9996 1 a9996 1ttl
d10004 2 a10005 2class and ttl can be d10012 1 a10012 1
class
d10020 2 a10021 2class and ttl can be d10028 1 a10028 1
type
d10038 1 a10038 1rhs
d10042 1 a10042 1 rhs, optionally, quoted string. d10049 1 a10049 1 The $GENERATE directive is a BIND extension d10056 1 a10056 1d10072 1 a10072 1 named-compilezone command. For a d10075 2 a10076 2 masterfile-format option) when named dumps the zone contents after d10082 1 a10082 1 named-compilezone command. All d10085 1 a10085 1 named-compilezone command again. d10099 1 a10099 1d10889 2 a10890 2d10117 2 a10118 2d10217 5 a10221 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a10223 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d10227 1 a10227 1 by the statistics-file configuration option. d10229 1 a10229 1 when the statistics-channels statement d10231 1 a10231 1 (see the section called “statistics-channels Statement Grammar”.) d10233 3 a10235 3
d10240 1 a10240 1 +++ Statistics Dump +++ (973798949) d10252 1 a10252 1 ++ Name Server Statistics ++ d10266 1 a10266 1 --- Statistics Dump --- (973798949) d10269 1 a10269 1d10293 3 a10295 3d10317 1 a10317 1 Requestv4
d10320 1 a10320 1RQ
d10331 1 a10331 1Requestv6
d10334 1 a10334 1RQ
d10345 1 a10345 1ReqEdns0
d10348 1 a10348 1d10358 1 a10358 1
ReqBadEDNSVer
d10361 1 a10361 1d10371 1 a10371 1
ReqTSIG
d10374 1 a10374 1d10384 1 a10384 1
ReqSIG0
d10387 1 a10387 1d10397 1 a10397 1
ReqBadSIG
d10400 1 a10400 1d10410 1 a10410 1
ReqTCP
d10413 1 a10413 1RTCP
d10423 1 a10423 1AuthQryRej
d10426 1 a10426 1RUQ
d10436 1 a10436 1RecQryRej
d10439 1 a10439 1RURQ
d10449 1 a10449 1XfrRej
d10452 1 a10452 1RUXFR
d10462 1 a10462 1UpdateRej
d10465 1 a10465 1RUUpd
d10475 1 a10475 1Response
d10478 1 a10478 1SAns
d10488 1 a10488 1RespTruncated
d10491 1 a10491 1d10501 1 a10501 1
RespEDNS0
d10504 1 a10504 1d10514 1 a10514 1
RespTSIG
d10517 1 a10517 1d10527 1 a10527 1
RespSIG0
d10530 1 a10530 1d10540 1 a10540 1
QrySuccess
d10543 1 a10543 1d10551 1 a10551 1 success counter d10559 1 a10559 1
QryAuthAns
d10562 1 a10562 1d10572 1 a10572 1
QryNoauthAns
d10575 1 a10575 1SNaAns
d10585 1 a10585 1QryReferral
d10588 1 a10588 1d10594 1 a10594 1 referral counter d10602 1 a10602 1
QryNxrrset
d10605 1 a10605 1d10611 1 a10611 1 nxrrset counter d10619 1 a10619 1
QrySERVFAIL
d10622 1 a10622 1SFail
d10632 1 a10632 1QryFORMERR
d10635 1 a10635 1SFErr
d10645 1 a10645 1QryNXDOMAIN
d10648 1 a10648 1SNXD
d10654 1 a10654 1 nxdomain counter d10662 1 a10662 1QryRecursion
d10665 1 a10665 1RFwdQ
d10672 1 a10672 1 recursion counter d10680 1 a10680 1QryDuplicate
d10683 1 a10683 1RDupQ
d10692 1 a10692 1 duplicate counter d10700 1 a10700 1QryDropped
d10703 1 a10703 1d10713 1 a10713 1 clients-per-query d10715 1 a10715 1 max-clients-per-query d10718 1 a10718 1 clients-per-query.) d10720 1 a10720 1 dropped counter d10728 1 a10728 1
QryFailure
d10731 1 a10731 1d10737 1 a10737 1 failure counter d10743 2 a10744 2 AuthQryRej and RecQryRej d10753 1 a10753 1
XfrReqDone
d10756 1 a10756 1d10766 1 a10766 1
UpdateReqFwd
d10769 1 a10769 1d10779 1 a10779 1
UpdateRespFwd
d10782 1 a10782 1d10792 1 a10792 1
UpdateFwdFail
d10795 1 a10795 1d10805 1 a10805 1
UpdateDone
d10808 1 a10808 1d10818 1 a10818 1
UpdateFail
d10821 1 a10821 1d10831 1 a10831 1
UpdateBadPrereq
d10834 1 a10834 1d10844 1 a10844 1
RPZRewrites
d10847 1 a10847 1d10857 1 a10857 1
RateDropped
d10860 1 a10860 1d10870 1 a10870 1
RateSlipped
d10873 1 a10873 1d10884 1 a10884 1
d10907 1 a10907 1 NotifyOutv4
d10917 1 a10917 1NotifyOutv6
d10927 1 a10927 1NotifyInv4
d10937 1 a10937 1NotifyInv6
d10947 1 a10947 1NotifyRej
d10957 1 a10957 1SOAOutv4
d10967 1 a10967 1SOAOutv6
d10977 1 a10977 1AXFRReqv4
d10987 1 a10987 1AXFRReqv6
d10997 1 a10997 1IXFRReqv4
d11007 1 a11007 1IXFRReqv6
d11017 1 a11017 1XfrSuccess
d11027 1 a11027 1XfrFail
d11038 1 a11038 1 d11043 3 a11045 3d11067 1 a11067 1 Queryv4
d11070 1 a11070 1SFwdQ
d11080 1 a11080 1Queryv6
d11083 1 a11083 1SFwdQ
d11093 1 a11093 1Responsev4
d11096 1 a11096 1RR
d11106 1 a11106 1Responsev6
d11109 1 a11109 1RR
d11119 1 a11119 1NXDOMAIN
d11122 1 a11122 1RNXD
d11132 1 a11132 1SERVFAIL
d11135 1 a11135 1RFail
d11145 1 a11145 1FORMERR
d11148 1 a11148 1RFErr
d11158 1 a11158 1OtherError
d11161 1 a11161 1RErr
d11171 1 a11171 1EDNS0Fail
d11174 1 a11174 1d11184 1 a11184 1
Mismatch
d11187 1 a11187 1RDupR
d11196 1 a11196 1 the port option.) d11204 1 a11204 1Truncated
d11207 1 a11207 1d11217 1 a11217 1
Lame
d11220 1 a11220 1RLame
d11230 1 a11230 1Retry
d11233 1 a11233 1SDupQ
d11243 1 a11243 1QueryAbort
d11246 1 a11246 1d11256 1 a11256 1
QuerySockFail
d11259 1 a11259 1d11272 1 a11272 1
QueryTimeout
d11275 1 a11275 1d11285 1 a11285 1
GlueFetchv4
d11288 1 a11288 1SSysQ
d11298 1 a11298 1GlueFetchv6
d11301 1 a11301 1SSysQ
d11311 1 a11311 1GlueFetchv4Fail
d11314 1 a11314 1d11324 1 a11324 1
GlueFetchv6Fail
d11327 1 a11327 1d11337 1 a11337 1
ValAttempt
d11340 1 a11340 1d11350 1 a11350 1
ValOk
d11353 1 a11353 1d11363 1 a11363 1
ValNegOk
d11366 1 a11366 1d11376 1 a11376 1
ValFail
d11379 1 a11379 1d11389 1 a11389 1
QryRTTnn
d11392 1 a11392 1d11398 1 a11398 1 Each nn specifies the corresponding d11401 2 a11402 2 nn_1, nn_2, d11404 2 a11405 2 nn_m, the value of nn_i is the d11407 2 a11408 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d11410 1 a11410 1 nn_0 to be 0. d11412 1 a11412 1 nn_m+, which means the d11414 1 a11414 1 nn_m milliseconds. d11421 1 a11421 1 d11427 6 a11432 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d11434 1 a11434 1 In the following table <TYPE> d11441 2 a11442 2
d11459 1 a11459 1 <TYPE>Open
d11465 1 a11465 1 FDwatch type. d11471 1 a11471 1<TYPE>OpenFail
d11477 1 a11477 1 FDwatch type. d11483 1 a11483 1<TYPE>Close
d11493 1 a11493 1<TYPE>BindFail
d11503 1 a11503 1<TYPE>ConnFail
d11513 1 a11513 1<TYPE>Conn
d11523 1 a11523 1<TYPE>AcceptFail
d11529 2 a11530 2 UDP and FDwatch types. d11536 1 a11536 1<TYPE>Accept
d11542 2 a11543 2 UDP and FDwatch types. d11549 1 a11549 1<TYPE>SendErr
d11555 2 a11556 2 to SErr counter of BIND 8. d11562 1 a11562 1<TYPE>RecvErr
d11576 1 a11576 1 d11581 2 a11582 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d11586 2 a11587 2d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d909 1 a909 3 interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. a920 3 When addresses are added or removed, the localnets ACL element is updated to reflect the changes. d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1140 1 a1140 1 [ size
- RFwdR,SFwdR
d11590 1 a11590 1 because BIND 9 does not adopt d11592 1 a11592 1 as BIND 8 did. d11594 1 a11594 1- RAXFR
d11598 1 a11598 1- RIQ
d11602 1 a11602 1- ROpts
d11605 1 a11605 1 because BIND 9 does not care d11630 1 a11630 1BIND 9.9.9-P8 (Extended Support Version)
@ 1.1.1.9.4.3 log @Pull up following revision(s) (requested by spz in ticket #1217): distrib/sets/lists/base/ad.mips64eb patch distrib/sets/lists/base/ad.mips64el patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/comp/ad.mips64eb patch distrib/sets/lists/comp/ad.mips64el patch distrib/sets/lists/comp/md.amd64 patch distrib/sets/lists/comp/md.sparc64 patch distrib/sets/lists/comp/mi patch distrib/sets/lists/comp/shl.mi patch external/bsd/bind/Makefile.inc patch external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/COPYRIGHT patch external/bsd/bind/dist/FAQ patch external/bsd/bind/dist/FAQ.xml patch external/bsd/bind/dist/HISTORY patch external/bsd/bind/dist/Makefile.in patch external/bsd/bind/dist/README patch external/bsd/bind/dist/REDIRECT-NOTES delete external/bsd/bind/dist/acconfig.h patch external/bsd/bind/dist/aclocal.m4 patch external/bsd/bind/dist/config.guess patch external/bsd/bind/dist/config.h.in patch external/bsd/bind/dist/config.h.win32 patch external/bsd/bind/dist/config.sub patch external/bsd/bind/dist/configure patch external/bsd/bind/dist/configure.in patch external/bsd/bind/dist/isc-config.sh.1 patch external/bsd/bind/dist/isc-config.sh.docbook patch external/bsd/bind/dist/isc-config.sh.html patch external/bsd/bind/dist/isc-config.sh.in patch external/bsd/bind/dist/ltmain.sh patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/Makefile.in patch external/bsd/bind/dist/bin/check/Makefile.in patch external/bsd/bind/dist/bin/check/check-tool.c patch external/bsd/bind/dist/bin/check/named-checkconf.8 patch external/bsd/bind/dist/bin/check/named-checkconf.c patch external/bsd/bind/dist/bin/check/named-checkconf.docbook patch external/bsd/bind/dist/bin/check/named-checkconf.html patch external/bsd/bind/dist/bin/check/named-checkzone.8 patch external/bsd/bind/dist/bin/check/named-checkzone.c patch external/bsd/bind/dist/bin/check/named-checkzone.docbook patch external/bsd/bind/dist/bin/check/named-checkzone.html patch external/bsd/bind/dist/bin/check/win32/checktool.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.dsw delete external/bsd/bind/dist/bin/check/win32/namedcheckconf.mak delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.dsp delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.dsw delete external/bsd/bind/dist/bin/check/win32/namedcheckzone.mak delete external/bsd/bind/dist/bin/confgen/ddns-confgen.8 patch external/bsd/bind/dist/bin/confgen/ddns-confgen.c patch external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook patch external/bsd/bind/dist/bin/confgen/ddns-confgen.html patch external/bsd/bind/dist/bin/confgen/keygen.c patch external/bsd/bind/dist/bin/confgen/rndc-confgen.8 patch external/bsd/bind/dist/bin/confgen/rndc-confgen.c patch external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook patch external/bsd/bind/dist/bin/confgen/rndc-confgen.html patch external/bsd/bind/dist/bin/confgen/win32/confgentool.dsp delete external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.dsp delete external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.mak delete external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.dsp delete external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.mak delete external/bsd/bind/dist/bin/dig/Makefile.in patch external/bsd/bind/dist/bin/dig/dig.1 patch external/bsd/bind/dist/bin/dig/dig.c patch external/bsd/bind/dist/bin/dig/dig.docbook patch external/bsd/bind/dist/bin/dig/dig.html patch external/bsd/bind/dist/bin/dig/dighost.c patch external/bsd/bind/dist/bin/dig/host.1 patch external/bsd/bind/dist/bin/dig/host.c patch external/bsd/bind/dist/bin/dig/host.docbook patch external/bsd/bind/dist/bin/dig/host.html patch external/bsd/bind/dist/bin/dig/nslookup.1 patch external/bsd/bind/dist/bin/dig/nslookup.c patch external/bsd/bind/dist/bin/dig/nslookup.docbook patch external/bsd/bind/dist/bin/dig/nslookup.html patch external/bsd/bind/dist/bin/dig/include/dig/dig.h patch external/bsd/bind/dist/bin/dig/win32/dig.dsp delete external/bsd/bind/dist/bin/dig/win32/dig.mak delete external/bsd/bind/dist/bin/dig/win32/dighost.dsp delete external/bsd/bind/dist/bin/dig/win32/host.dsp delete external/bsd/bind/dist/bin/dig/win32/host.mak delete external/bsd/bind/dist/bin/dig/win32/nslookup.dsp delete external/bsd/bind/dist/bin/dig/win32/nslookup.mak delete external/bsd/bind/dist/bin/dnssec/Makefile.in patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8 new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook new external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html new external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.c patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.html patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.html patch external/bsd/bind/dist/bin/dnssec/dnssectool.c patch external/bsd/bind/dist/bin/dnssec/dnssectool.h patch external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp delete external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp delete external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak delete external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp delete external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak delete external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp delete external/bsd/bind/dist/bin/dnssec/win32/keygen.mak delete external/bsd/bind/dist/bin/dnssec/win32/nsupdate.dsp delete external/bsd/bind/dist/bin/dnssec/win32/nsupdate.dsw delete external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp delete external/bsd/bind/dist/bin/dnssec/win32/revoke.mak delete external/bsd/bind/dist/bin/dnssec/win32/settime.dsp delete external/bsd/bind/dist/bin/dnssec/win32/settime.mak delete external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp delete external/bsd/bind/dist/bin/dnssec/win32/signzone.mak delete external/bsd/bind/dist/bin/named/Makefile.in patch external/bsd/bind/dist/bin/named/bind.keys.h patch external/bsd/bind/dist/bin/named/bind9.ver3.xsl new external/bsd/bind/dist/bin/named/bind9.ver3.xsl.h new external/bsd/bind/dist/bin/named/bind9.xsl.h patch external/bsd/bind/dist/bin/named/builtin.c patch external/bsd/bind/dist/bin/named/client.c patch external/bsd/bind/dist/bin/named/config.c patch external/bsd/bind/dist/bin/named/control.c patch external/bsd/bind/dist/bin/named/controlconf.c patch external/bsd/bind/dist/bin/named/interfacemgr.c patch external/bsd/bind/dist/bin/named/log.c patch external/bsd/bind/dist/bin/named/logconf.c patch external/bsd/bind/dist/bin/named/lwaddr.c patch external/bsd/bind/dist/bin/named/lwdgnba.c patch external/bsd/bind/dist/bin/named/lwdgrbn.c patch external/bsd/bind/dist/bin/named/lwresd.8 patch external/bsd/bind/dist/bin/named/lwresd.c patch external/bsd/bind/dist/bin/named/lwresd.docbook patch external/bsd/bind/dist/bin/named/lwresd.html patch external/bsd/bind/dist/bin/named/main.c patch external/bsd/bind/dist/bin/named/named.8 patch external/bsd/bind/dist/bin/named/named.conf.5 patch external/bsd/bind/dist/bin/named/named.conf.docbook patch external/bsd/bind/dist/bin/named/named.conf.html patch external/bsd/bind/dist/bin/named/named.docbook patch external/bsd/bind/dist/bin/named/named.html patch external/bsd/bind/dist/bin/named/query.c patch external/bsd/bind/dist/bin/named/server.c patch external/bsd/bind/dist/bin/named/statschannel.c patch external/bsd/bind/dist/bin/named/tkeyconf.c patch external/bsd/bind/dist/bin/named/tsigconf.c patch external/bsd/bind/dist/bin/named/update.c patch external/bsd/bind/dist/bin/named/xfrout.c patch external/bsd/bind/dist/bin/named/zoneconf.c patch external/bsd/bind/dist/bin/named/include/named/client.h patch external/bsd/bind/dist/bin/named/include/named/globals.h patch external/bsd/bind/dist/bin/named/include/named/main.h patch external/bsd/bind/dist/bin/named/include/named/query.h patch external/bsd/bind/dist/bin/named/include/named/server.h patch external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/named/unix/os.c patch external/bsd/bind/dist/bin/named/win32/named.dsp delete external/bsd/bind/dist/bin/named/win32/named.mak delete external/bsd/bind/dist/bin/nsupdate/Makefile.in patch external/bsd/bind/dist/bin/nsupdate/nsupdate.1 patch external/bsd/bind/dist/bin/nsupdate/nsupdate.c patch external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook patch external/bsd/bind/dist/bin/nsupdate/nsupdate.html patch external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp delete external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8s-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0f-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0m-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1h-patch new external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook patch external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.mak delete external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.mak delete external/bsd/bind/dist/bin/pkcs11/win32/pk11list.dsp delete external/bsd/bind/dist/bin/pkcs11/win32/pk11list.mak delete external/bsd/bind/dist/bin/python/Makefile.in patch external/bsd/bind/dist/bin/python/dnssec-checkds.8 patch external/bsd/bind/dist/bin/python/dnssec-checkds.docbook patch external/bsd/bind/dist/bin/python/dnssec-checkds.html patch external/bsd/bind/dist/bin/python/dnssec-checkds.py.in patch external/bsd/bind/dist/bin/python/dnssec-coverage.8 new external/bsd/bind/dist/bin/python/dnssec-coverage.docbook new external/bsd/bind/dist/bin/python/dnssec-coverage.html new external/bsd/bind/dist/bin/python/dnssec-coverage.py.in new external/bsd/bind/dist/bin/rndc/rndc.8 patch external/bsd/bind/dist/bin/rndc/rndc.c patch external/bsd/bind/dist/bin/rndc/rndc.conf.5 patch external/bsd/bind/dist/bin/rndc/rndc.conf.docbook patch external/bsd/bind/dist/bin/rndc/rndc.conf.html patch external/bsd/bind/dist/bin/rndc/rndc.docbook patch external/bsd/bind/dist/bin/rndc/rndc.html patch external/bsd/bind/dist/bin/rndc/win32/rndc.dsp delete external/bsd/bind/dist/bin/rndc/win32/rndc.mak delete external/bsd/bind/dist/bin/rndc/win32/rndcutil.dsp delete external/bsd/bind/dist/bin/tests/Makefile.in patch external/bsd/bind/dist/bin/tests/adb_test.c patch external/bsd/bind/dist/bin/tests/backtrace_test.c patch external/bsd/bind/dist/bin/tests/byaddr_test.c patch external/bsd/bind/dist/bin/tests/byname_test.c patch external/bsd/bind/dist/bin/tests/db_test.c patch external/bsd/bind/dist/bin/tests/fsaccess_test.c patch external/bsd/bind/dist/bin/tests/hash_test.c patch external/bsd/bind/dist/bin/tests/log_test.c patch external/bsd/bind/dist/bin/tests/rdata_test.c patch external/bsd/bind/dist/bin/tests/rwlock_test.c patch external/bsd/bind/dist/bin/tests/shutdown_test.c patch external/bsd/bind/dist/bin/tests/sig0_test.c patch external/bsd/bind/dist/bin/tests/sock_test.c patch external/bsd/bind/dist/bin/tests/task_test.c patch external/bsd/bind/dist/bin/tests/timer_test.c patch external/bsd/bind/dist/bin/tests/zone_test.c patch external/bsd/bind/dist/bin/tests/atomic/t_atomic.c patch external/bsd/bind/dist/bin/tests/db/t_db.c patch external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.key.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+18602.private.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.key.in new external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private delete external/bsd/bind/dist/bin/tests/dst/Kdh.+002+48957.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+00002.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private delete external/bsd/bind/dist/bin/tests/dst/Ktest.+001+54622.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.key.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+23616.private.in new external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key delete external/bsd/bind/dist/bin/tests/dst/Ktest.+003+49667.key.in new external/bsd/bind/dist/bin/tests/dst/Makefile.in patch external/bsd/bind/dist/bin/tests/dst/dst_2_data delete external/bsd/bind/dist/bin/tests/dst/dst_2_data.in new external/bsd/bind/dist/bin/tests/dst/dst_test.c patch external/bsd/bind/dist/bin/tests/dst/gsstest.c patch external/bsd/bind/dist/bin/tests/dst/t2_data_1 delete external/bsd/bind/dist/bin/tests/dst/t2_data_1.in new external/bsd/bind/dist/bin/tests/dst/t2_data_2 delete external/bsd/bind/dist/bin/tests/dst/t2_data_2.in new external/bsd/bind/dist/bin/tests/dst/t2_dsasig delete external/bsd/bind/dist/bin/tests/dst/t2_dsasig.in new external/bsd/bind/dist/bin/tests/dst/t2_rsasig delete external/bsd/bind/dist/bin/tests/dst/t2_rsasig.in new external/bsd/bind/dist/bin/tests/dst/t_dst.c patch external/bsd/bind/dist/bin/tests/hashes/t_hashes.c patch external/bsd/bind/dist/bin/tests/master/t_master.c patch external/bsd/bind/dist/bin/tests/mem/t_mem.c patch external/bsd/bind/dist/bin/tests/names/dns_name_hash_data patch external/bsd/bind/dist/bin/tests/names/t_names.c patch external/bsd/bind/dist/bin/tests/rbt/t_rbt.c patch external/bsd/bind/dist/bin/tests/resolver/t_resolver.c patch external/bsd/bind/dist/bin/tests/sockaddr/t_sockaddr.c patch external/bsd/bind/dist/bin/tests/system/Makefile.in patch external/bsd/bind/dist/bin/tests/system/README patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/bin/tests/system/cleanall.sh patch external/bsd/bind/dist/bin/tests/system/conf.sh.in patch external/bsd/bind/dist/bin/tests/system/digcomp.pl patch external/bsd/bind/dist/bin/tests/system/genzone.sh patch external/bsd/bind/dist/bin/tests/system/ifconfig.sh patch external/bsd/bind/dist/bin/tests/system/run.sh patch external/bsd/bind/dist/bin/tests/system/runall.sh patch external/bsd/bind/dist/bin/tests/system/setup.sh patch external/bsd/bind/dist/bin/tests/system/start.pl patch external/bsd/bind/dist/bin/tests/system/testcrypto.sh new external/bsd/bind/dist/bin/tests/system/testsock.pl patch external/bsd/bind/dist/bin/tests/system/testsock6.pl patch external/bsd/bind/dist/bin/tests/system/acl/clean.sh patch external/bsd/bind/dist/bin/tests/system/acl/setup.sh patch external/bsd/bind/dist/bin/tests/system/acl/tests.sh patch external/bsd/bind/dist/bin/tests/system/acl/ns2/named5.conf new external/bsd/bind/dist/bin/tests/system/additional/clean.sh new external/bsd/bind/dist/bin/tests/system/additional/setup.sh new external/bsd/bind/dist/bin/tests/system/additional/tests.sh new external/bsd/bind/dist/bin/tests/system/addzone/clean.sh patch external/bsd/bind/dist/bin/tests/system/addzone/setup.sh patch external/bsd/bind/dist/bin/tests/system/addzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/addzone/ns1/inlineslave.db new external/bsd/bind/dist/bin/tests/system/addzone/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/addzone/ns2/added.db patch external/bsd/bind/dist/bin/tests/system/addzone/ns2/inline.db new external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh patch external/bsd/bind/dist/bin/tests/system/allow_query/ns2/named57.conf new external/bsd/bind/dist/bin/tests/system/autosign/clean.sh patch external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/autosign/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/tests.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh patch external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in new external/bsd/bind/dist/bin/tests/system/builtin/clean.sh new external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c new external/bsd/bind/dist/bin/tests/system/builtin/tests.sh patch external/bsd/bind/dist/bin/tests/system/builtin/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/builtin/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh patch external/bsd/bind/dist/bin/tests/system/cacheclean/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/case/clean.sh new external/bsd/bind/dist/bin/tests/system/case/tests.sh new external/bsd/bind/dist/bin/tests/system/case/ns1/example.db new external/bsd/bind/dist/bin/tests/system/case/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/case/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/checkconf/altdb.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-also-notify.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-dnssec.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-hint.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-inline-slave.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-many.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-master-request-ixfr.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-noddns.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-tsig.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad.conf delete external/bsd/bind/dist/bin/tests/system/checkconf/badtsig.conf delete external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-names-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-names.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/good.conf patch external/bsd/bind/dist/bin/tests/system/checkconf/hint-nofile.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-bad.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-good.conf new external/bsd/bind/dist/bin/tests/system/checkconf/inline-no.conf new external/bsd/bind/dist/bin/tests/system/checkconf/notify.conf new external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/warn-keydir.conf new external/bsd/bind/dist/bin/tests/system/checkds/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkds/dig.pl new external/bsd/bind/dist/bin/tests/system/checkds/dig.sh patch external/bsd/bind/dist/bin/tests/system/checkds/missing.example.dlv.example.dlv.db patch external/bsd/bind/dist/bin/tests/system/checkds/setup.sh patch external/bsd/bind/dist/bin/tests/system/checkds/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/clean.sh patch external/bsd/bind/dist/bin/tests/system/checknames/setup.sh patch external/bsd/bind/dist/bin/tests/system/checknames/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/ns4/master-ignore.update.db.in new external/bsd/bind/dist/bin/tests/system/checknames/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/checknames/ns4/root.hints new external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3-padded.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.dbnew external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad2.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/spf.db new external/bsd/bind/dist/bin/tests/system/coverage/clean.sh new external/bsd/bind/dist/bin/tests/system/coverage/prereq.sh new external/bsd/bind/dist/bin/tests/system/coverage/setup.sh new external/bsd/bind/dist/bin/tests/system/coverage/tests.sh new external/bsd/bind/dist/bin/tests/system/coverage/01-ksk-inactive/README new external/bsd/bind/dist/bin/tests/system/coverage/01-ksk-inactive/expect new external/bsd/bind/dist/bin/tests/system/coverage/02-zsk-inactive/README new external/bsd/bind/dist/bin/tests/system/coverage/02-zsk-inactive/expect new external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/README new external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect new external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/README new external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect new external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/README new external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect new external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/README new external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect new external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/README new external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect new external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/README new external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect new external/bsd/bind/dist/bin/tests/system/dlv/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlv/prereq.sh new external/bsd/bind/dist/bin/tests/system/dlv/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns6/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/prereq.sh new external/bsd/bind/dist/bin/tests/system/dlvauto/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlz/tests.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in patch external/bsd/bind/dist/bin/tests/system/dlzexternal/clean.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c patch external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/clean.sh patch external/bsd/bind/dist/bin/tests/system/dns64/prereq.sh new external/bsd/bind/dist/bin/tests/system/dns64/setup.sh patch external/bsd/bind/dist/bin/tests/system/dns64/tests.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/dns64/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/dns64/ns2/rpz.db new external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns2/insecure.secure.example.db patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/publish-inactive.example.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/secure.example.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval.example.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval1.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/siginterval2.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns4/named4.conf new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns6/optout-tld.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns6/sign.sh new external/bsd/bind/dist/bin/tests/system/dnssec/ns7/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns7/sign.sh new external/bsd/bind/dist/bin/tests/system/dnssec/ns7/split-rrsig.db.in new external/bsd/bind/dist/bin/tests/system/dsdigest/prereq.sh new external/bsd/bind/dist/bin/tests/system/ecdsa/clean.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh new external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh.in delete external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/setup.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/empty.db new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named1.conf new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named2.conf new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/rfc1918.zones new external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/root.hint new external/bsd/bind/dist/bin/tests/system/filter-aaaa/clean.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/unsigned.db patch external/bsd/bind/dist/bin/tests/system/formerr/clean.sh new external/bsd/bind/dist/bin/tests/system/formerr/formerr.pl new external/bsd/bind/dist/bin/tests/system/formerr/nametoolong new external/bsd/bind/dist/bin/tests/system/formerr/noquestions new external/bsd/bind/dist/bin/tests/system/formerr/tests.sh new external/bsd/bind/dist/bin/tests/system/formerr/twoquestions new external/bsd/bind/dist/bin/tests/system/formerr/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/formerr/ns1/root.db new external/bsd/bind/dist/bin/tests/system/forward/tests.sh patch external/bsd/bind/dist/bin/tests/system/forward/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/forward/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/glue/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/clean.sh patch external/bsd/bind/dist/bin/tests/system/gost/prereq.sh new external/bsd/bind/dist/bin/tests/system/gost/prereq.sh.in delete external/bsd/bind/dist/bin/tests/system/gost/setup.sh patch external/bsd/bind/dist/bin/tests/system/gost/tests.sh patch external/bsd/bind/dist/bin/tests/system/gost/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/inline/checkdsa.sh.in new external/bsd/bind/dist/bin/tests/system/inline/clean.sh patch external/bsd/bind/dist/bin/tests/system/inline/prereq.sh new external/bsd/bind/dist/bin/tests/system/inline/setup.sh patch external/bsd/bind/dist/bin/tests/system/inline/tests.sh patch external/bsd/bind/dist/bin/tests/system/inline/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/inline/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/inline/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/inline/ns3/master3.db.in patch external/bsd/bind/dist/bin/tests/system/inline/ns3/master4.db.in new external/bsd/bind/dist/bin/tests/system/inline/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/inline/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/clean.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/prereq.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/setup.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh patch external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh patch external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c patch external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh patch external/bsd/bind/dist/bin/tests/system/masterfile/knowngood.dig.out patch external/bsd/bind/dist/bin/tests/system/masterfile/ns1/include.db patch external/bsd/bind/dist/bin/tests/system/masterformat/clean.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/prereq.sh new external/bsd/bind/dist/bin/tests/system/masterformat/setup.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/metadata/clean.sh patch external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh patch external/bsd/bind/dist/bin/tests/system/metadata/setup.sh patch external/bsd/bind/dist/bin/tests/system/metadata/tests.sh patch external/bsd/bind/dist/bin/tests/system/nslookup/clean.sh new external/bsd/bind/dist/bin/tests/system/nslookup/setup.sh new external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh new external/bsd/bind/dist/bin/tests/system/nslookup/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/prereq.sh new external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/update_test.pl patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/clean.sh patch external/bsd/bind/dist/bin/tests/system/pending/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pending/setup.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/clean.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/setup.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/clean.sh patch external/bsd/bind/dist/bin/tests/system/redirect/prereq.sh new external/bsd/bind/dist/bin/tests/system/redirect/setup.sh patch external/bsd/bind/dist/bin/tests/system/redirect/tests.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/redirect/ns2/example.db.in new external/bsd/bind/dist/bin/tests/system/redirect/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db delete external/bsd/bind/dist/bin/tests/system/redirect/ns2/redirect.db.in new external/bsd/bind/dist/bin/tests/system/resolver/clean.sh patch external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh patch external/bsd/bind/dist/bin/tests/system/resolver/setup.sh patch external/bsd/bind/dist/bin/tests/system/resolver/tests.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ans2/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ans3/ans.pl patch external/bsd/bind/dist/bin/tests/system/resolver/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns4/broken.db new external/bsd/bind/dist/bin/tests/system/resolver/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/broken.db new external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf patch external/bsd/bind/dist/bin/tests/system/resolver/ns7/named.conf delete external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf new external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf new external/bsd/bind/dist/bin/tests/system/rndc/clean.sh patch external/bsd/bind/dist/bin/tests/system/rndc/setup.sh patch external/bsd/bind/dist/bin/tests/system/rndc/tests.sh patch external/bsd/bind/dist/bin/tests/system/rndc/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in patch external/bsd/bind/dist/bin/tests/system/rpz/clean.sh patch external/bsd/bind/dist/bin/tests/system/rpz/prereq.sh new external/bsd/bind/dist/bin/tests/system/rpz/qperf.sh patch external/bsd/bind/dist/bin/tests/system/rpz/rpz.c patch external/bsd/bind/dist/bin/tests/system/rpz/setup.sh patch external/bsd/bind/dist/bin/tests/system/rpz/test1 patch external/bsd/bind/dist/bin/tests/system/rpz/test2 patch external/bsd/bind/dist/bin/tests/system/rpz/test3 patch external/bsd/bind/dist/bin/tests/system/rpz/test4 patch external/bsd/bind/dist/bin/tests/system/rpz/test4a new external/bsd/bind/dist/bin/tests/system/rpz/test5 patch external/bsd/bind/dist/bin/tests/system/rpz/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns1/root.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/base-tld2s.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/bl.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/blv2.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/blv3.tld2.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns2/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns2/tld2.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash1 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/crash2 patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns4/tld4.db patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/hints patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.args new external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/tld5.db new external/bsd/bind/dist/bin/tests/system/rpz/ns6/hints new external/bsd/bind/dist/bin/tests/system/rpz/ns6/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/Makefile.in new external/bsd/bind/dist/bin/tests/system/rrl/clean.sh new external/bsd/bind/dist/bin/tests/system/rrl/prereq.sh new external/bsd/bind/dist/bin/tests/system/rrl/rrl.c new external/bsd/bind/dist/bin/tests/system/rrl/setup.sh new external/bsd/bind/dist/bin/tests/system/rrl/tests.sh new external/bsd/bind/dist/bin/tests/system/rrl/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns1/root.db new external/bsd/bind/dist/bin/tests/system/rrl/ns2/hints new external/bsd/bind/dist/bin/tests/system/rrl/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns2/tld2.db new external/bsd/bind/dist/bin/tests/system/rrl/ns3/hints new external/bsd/bind/dist/bin/tests/system/rrl/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/rrl/ns3/tld3.db new external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh patch external/bsd/bind/dist/bin/tests/system/rrsetorder/ns1/named.conf patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/Xexample.+005+05896.private patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/clean.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh patch external/bsd/bind/dist/bin/tests/system/spf/clean.sh new external/bsd/bind/dist/bin/tests/system/spf/tests.sh new external/bsd/bind/dist/bin/tests/system/spf/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/spf/ns1/spf.db new external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/prereq.sh new external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns4/sign.sh patch external/bsd/bind/dist/bin/tests/system/stress/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/clean.sh patch external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c patch external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c patch external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tkey/setup.sh patch external/bsd/bind/dist/bin/tests/system/tkey/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/example.db new external/bsd/bind/dist/bin/tests/system/tkey/ns1/named.conf.in patch external/bsd/bind/dist/bin/tests/system/tkey/ns1/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsig/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsig/tests.sh patch external/bsd/bind/dist/bin/tests/system/tsig/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/tsiggss/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh patch external/bsd/bind/dist/bin/tests/system/unknown/clean.sh patch external/bsd/bind/dist/bin/tests/system/unknown/large.out patch external/bsd/bind/dist/bin/tests/system/unknown/prereq.sh new external/bsd/bind/dist/bin/tests/system/unknown/setup.sh patch external/bsd/bind/dist/bin/tests/system/unknown/tests.sh patch external/bsd/bind/dist/bin/tests/system/unknown/ns1/example-in.db patch external/bsd/bind/dist/bin/tests/system/unknown/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/unknown/zones/nan.bad new external/bsd/bind/dist/bin/tests/system/upforwd/prereq.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh patch external/bsd/bind/dist/bin/tests/system/upforwd/ans4/ans.pl patch external/bsd/bind/dist/bin/tests/system/verify/clean.sh patch external/bsd/bind/dist/bin/tests/system/verify/prereq.sh new external/bsd/bind/dist/bin/tests/system/verify/setup.sh patch external/bsd/bind/dist/bin/tests/system/verify/tests.sh patch external/bsd/bind/dist/bin/tests/system/verify/zones/genzones.sh patch external/bsd/bind/dist/bin/tests/system/wildcard/clean.sh new external/bsd/bind/dist/bin/tests/system/wildcard/prereq.sh new external/bsd/bind/dist/bin/tests/system/wildcard/setup.sh new external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/dlv.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/nsec.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/nsec3.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/private.nsec.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/private.nsec3.db.innew external/bsd/bind/dist/bin/tests/system/wildcard/ns1/root.db.in new external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh new external/bsd/bind/dist/bin/tests/system/wildcard/ns2/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns3/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/wildcard/ns5/hints new external/bsd/bind/dist/bin/tests/system/wildcard/ns5/named.conf new external/bsd/bind/dist/bin/tests/system/xfer/clean.sh patch external/bsd/bind/dist/bin/tests/system/xfer/dig1.good patch external/bsd/bind/dist/bin/tests/system/xfer/dig2.good patch external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh patch external/bsd/bind/dist/bin/tests/system/xfer/setup.sh patch external/bsd/bind/dist/bin/tests/system/xfer/tests.sh patch external/bsd/bind/dist/bin/tests/system/xfer/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/xfer/ns2/slave.db.in new external/bsd/bind/dist/bin/tests/system/zero/clean.sh new external/bsd/bind/dist/bin/tests/system/zero/setup.sh new external/bsd/bind/dist/bin/tests/system/zero/tests.sh new external/bsd/bind/dist/bin/tests/system/zero/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db new external/bsd/bind/dist/bin/tests/system/zero/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/zero/ns3/root.hint new external/bsd/bind/dist/bin/tests/system/zero/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/zonechecks/prereq.sh new external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh new external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/ns1/named.conf new external/bsd/bind/dist/bin/tests/tasks/t_tasks.c patch external/bsd/bind/dist/bin/tests/timers/t_timers.c patch external/bsd/bind/dist/bin/tools/arpaname.1 patch external/bsd/bind/dist/bin/tools/arpaname.docbook patch external/bsd/bind/dist/bin/tools/arpaname.html patch external/bsd/bind/dist/bin/tools/genrandom.8 patch external/bsd/bind/dist/bin/tools/genrandom.c patch external/bsd/bind/dist/bin/tools/genrandom.docbook patch external/bsd/bind/dist/bin/tools/genrandom.html patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8 patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html patch external/bsd/bind/dist/bin/tools/named-journalprint.8 patch external/bsd/bind/dist/bin/tools/named-journalprint.docbook patch external/bsd/bind/dist/bin/tools/named-journalprint.html patch external/bsd/bind/dist/bin/tools/nsec3hash.8 patch external/bsd/bind/dist/bin/tools/nsec3hash.c patch external/bsd/bind/dist/bin/tools/nsec3hash.docbook patch external/bsd/bind/dist/bin/tools/nsec3hash.html patch external/bsd/bind/dist/bin/tools/win32/arpaname.dsp delete external/bsd/bind/dist/bin/tools/win32/arpaname.mak delete external/bsd/bind/dist/bin/tools/win32/genrandom.dsp delete external/bsd/bind/dist/bin/tools/win32/genrandom.mak delete external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp delete external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak delete external/bsd/bind/dist/bin/tools/win32/journalprint.dsp delete external/bsd/bind/dist/bin/tools/win32/journalprint.mak delete external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp delete external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak delete external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.dsp delete external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.mak delete external/bsd/bind/dist/contrib/README new external/bsd/bind/dist/contrib/check5011.pl new external/bsd/bind/dist/contrib/dane/mkdane.sh new external/bsd/bind/dist/contrib/dane/tlsa6698.pem new external/bsd/bind/dist/contrib/dbus/GetForwarders delete external/bsd/bind/dist/contrib/dbus/INSTALL delete external/bsd/bind/dist/contrib/dbus/Makefile.9.3.2b1 delete external/bsd/bind/dist/contrib/dbus/Makefile.9.3.3rc2 delete external/bsd/bind/dist/contrib/dbus/README.DBUS delete external/bsd/bind/dist/contrib/dbus/SetForwarders delete external/bsd/bind/dist/contrib/dbus/bind-9.3.2b1-dbus.patch delete external/bsd/bind/dist/contrib/dbus/bind-9.3.3rc2-dbus.patch delete external/bsd/bind/dist/contrib/dbus/dbus_mgr.c delete external/bsd/bind/dist/contrib/dbus/dbus_mgr.h delete external/bsd/bind/dist/contrib/dbus/dbus_service.c delete external/bsd/bind/dist/contrib/dbus/dbus_service.h delete external/bsd/bind/dist/contrib/dbus/named-dbus-system.conf delete external/bsd/bind/dist/contrib/dbus/named-dbus.service delete external/bsd/bind/dist/contrib/dlz/config.dlz.in patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_filesystem_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_ldap_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_mysql_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_odbc_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_postgres_driver.c patch external/bsd/bind/dist/contrib/dlz/drivers/sdlz_helper.c patch external/bsd/bind/dist/contrib/dlz/example/Makefile patch external/bsd/bind/dist/contrib/dlz/example/README patch external/bsd/bind/dist/contrib/dlz/example/dlz_example.c patch external/bsd/bind/dist/contrib/dlz/example/dlz_minimal.h delete external/bsd/bind/dist/contrib/dlz/modules/dlz_minimal.h new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/Makefile new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/README.md new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl new external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/dns-data.txt new external/bsd/bind/dist/contrib/named-bootconf/named-bootconf.sh patch external/bsd/bind/dist/contrib/nslint-2.1a3/strerror.c patch external/bsd/bind/dist/contrib/perftcpdns/Makefile.in new external/bsd/bind/dist/contrib/perftcpdns/configure new external/bsd/bind/dist/contrib/perftcpdns/configure.in new external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c new external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c patch external/bsd/bind/dist/contrib/query-loc-0.4.0/loc_ntoa.c patch external/bsd/bind/dist/contrib/queryperf/queryperf.c patch external/bsd/bind/dist/contrib/sdb/bdb/bdb.c patch external/bsd/bind/dist/contrib/sdb/dir/dirdb.c patch external/bsd/bind/dist/contrib/sdb/ldap/ldapdb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/pgsqldb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/zonetodb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/sqlitedb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/zone2sqlite.c patch external/bsd/bind/dist/contrib/sdb/tcl/tcldb.c patch external/bsd/bind/dist/contrib/sdb/time/timedb.c patch external/bsd/bind/dist/contrib/zkt/Makefile.in patch external/bsd/bind/dist/contrib/zkt/dki.c patch external/bsd/bind/dist/contrib/zkt/tags new external/bsd/bind/dist/contrib/zkt/zkt-soaserial.c patch external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/Makefile.in patch external/bsd/bind/dist/doc/arm/libdns.xml patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html new external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html new external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/doc/arm/pkcs11.xml patch external/bsd/bind/dist/doc/misc/options patch external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in patch external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in patch external/bsd/bind/dist/lib/Atffile patch external/bsd/bind/dist/lib/Makefile.in patch external/bsd/bind/dist/lib/bind9/Makefile.in patch external/bsd/bind/dist/lib/bind9/api patch external/bsd/bind/dist/lib/bind9/check.c patch external/bsd/bind/dist/lib/bind9/getaddresses.c patch external/bsd/bind/dist/lib/bind9/win32/libbind9.dsp delete external/bsd/bind/dist/lib/bind9/win32/libbind9.mak delete external/bsd/bind/dist/lib/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/acache.c patch external/bsd/bind/dist/lib/dns/acl.c patch external/bsd/bind/dist/lib/dns/adb.c patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/byaddr.c patch external/bsd/bind/dist/lib/dns/cache.c patch external/bsd/bind/dist/lib/dns/client.c patch external/bsd/bind/dist/lib/dns/db.c patch external/bsd/bind/dist/lib/dns/dbtable.c patch external/bsd/bind/dist/lib/dns/diff.c patch external/bsd/bind/dist/lib/dns/dispatch.c patch external/bsd/bind/dist/lib/dns/dlz.c patch external/bsd/bind/dist/lib/dns/dns64.c patch external/bsd/bind/dist/lib/dns/dnssec.c patch external/bsd/bind/dist/lib/dns/dst_api.c patch external/bsd/bind/dist/lib/dns/dst_internal.h patch external/bsd/bind/dist/lib/dns/dst_openssl.h patch external/bsd/bind/dist/lib/dns/dst_parse.c patch external/bsd/bind/dist/lib/dns/dst_result.c patch external/bsd/bind/dist/lib/dns/ecdb.c patch external/bsd/bind/dist/lib/dns/gen-win32.h patch external/bsd/bind/dist/lib/dns/gen.c patch external/bsd/bind/dist/lib/dns/gssapi_link.c patch external/bsd/bind/dist/lib/dns/gssapictx.c patch external/bsd/bind/dist/lib/dns/hmac_link.c patch external/bsd/bind/dist/lib/dns/iptable.c patch external/bsd/bind/dist/lib/dns/journal.c patch external/bsd/bind/dist/lib/dns/keydata.c patch external/bsd/bind/dist/lib/dns/keytable.c patch external/bsd/bind/dist/lib/dns/log.c patch external/bsd/bind/dist/lib/dns/lookup.c patch external/bsd/bind/dist/lib/dns/master.c patch external/bsd/bind/dist/lib/dns/masterdump.c patch external/bsd/bind/dist/lib/dns/message.c patch external/bsd/bind/dist/lib/dns/name.c patch external/bsd/bind/dist/lib/dns/ncache.c patch external/bsd/bind/dist/lib/dns/nsec.c patch external/bsd/bind/dist/lib/dns/nsec3.c patch external/bsd/bind/dist/lib/dns/openssl_link.c patch external/bsd/bind/dist/lib/dns/openssldh_link.c patch external/bsd/bind/dist/lib/dns/openssldsa_link.c patch external/bsd/bind/dist/lib/dns/opensslecdsa_link.c patch external/bsd/bind/dist/lib/dns/opensslgost_link.c patch external/bsd/bind/dist/lib/dns/opensslrsa_link.c patch external/bsd/bind/dist/lib/dns/peer.c patch external/bsd/bind/dist/lib/dns/portlist.c patch external/bsd/bind/dist/lib/dns/private.c patch external/bsd/bind/dist/lib/dns/rbt.c patch external/bsd/bind/dist/lib/dns/rbtdb.c patch external/bsd/bind/dist/lib/dns/rcode.c patch external/bsd/bind/dist/lib/dns/rdata.c patch external/bsd/bind/dist/lib/dns/rdataslab.c patch external/bsd/bind/dist/lib/dns/request.c patch external/bsd/bind/dist/lib/dns/resolver.c patch external/bsd/bind/dist/lib/dns/result.c patch external/bsd/bind/dist/lib/dns/rootns.c patch external/bsd/bind/dist/lib/dns/rpz.c patch external/bsd/bind/dist/lib/dns/rrl.c new external/bsd/bind/dist/lib/dns/sdb.c patch external/bsd/bind/dist/lib/dns/sdlz.c patch external/bsd/bind/dist/lib/dns/spnego.c patch external/bsd/bind/dist/lib/dns/spnego_asn1.c patch external/bsd/bind/dist/lib/dns/ssu.c patch external/bsd/bind/dist/lib/dns/ssu_external.c patch external/bsd/bind/dist/lib/dns/time.c patch external/bsd/bind/dist/lib/dns/tkey.c patch external/bsd/bind/dist/lib/dns/tsig.c patch external/bsd/bind/dist/lib/dns/ttl.c patch external/bsd/bind/dist/lib/dns/update.c patch external/bsd/bind/dist/lib/dns/validator.c patch external/bsd/bind/dist/lib/dns/view.c patch external/bsd/bind/dist/lib/dns/xfrin.c patch external/bsd/bind/dist/lib/dns/zone.c patch external/bsd/bind/dist/lib/dns/include/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/include/dns/acache.h patch external/bsd/bind/dist/lib/dns/include/dns/adb.h patch external/bsd/bind/dist/lib/dns/include/dns/cache.h patch external/bsd/bind/dist/lib/dns/include/dns/client.h patch external/bsd/bind/dist/lib/dns/include/dns/db.h patch external/bsd/bind/dist/lib/dns/include/dns/dispatch.h patch external/bsd/bind/dist/lib/dns/include/dns/dns64.h patch external/bsd/bind/dist/lib/dns/include/dns/dnssec.h patch external/bsd/bind/dist/lib/dns/include/dns/log.h patch external/bsd/bind/dist/lib/dns/include/dns/master.h patch external/bsd/bind/dist/lib/dns/include/dns/masterdump.h patch external/bsd/bind/dist/lib/dns/include/dns/message.h patch external/bsd/bind/dist/lib/dns/include/dns/name.h patch external/bsd/bind/dist/lib/dns/include/dns/ncache.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec.h patch external/bsd/bind/dist/lib/dns/include/dns/nsec3.h patch external/bsd/bind/dist/lib/dns/include/dns/rbt.h patch external/bsd/bind/dist/lib/dns/include/dns/rdata.h patch external/bsd/bind/dist/lib/dns/include/dns/rdataset.h patch external/bsd/bind/dist/lib/dns/include/dns/resolver.h patch external/bsd/bind/dist/lib/dns/include/dns/result.h patch external/bsd/bind/dist/lib/dns/include/dns/rpz.h patch external/bsd/bind/dist/lib/dns/include/dns/rrl.h new external/bsd/bind/dist/lib/dns/include/dns/types.h patch external/bsd/bind/dist/lib/dns/include/dns/validator.h patch external/bsd/bind/dist/lib/dns/include/dns/view.h patch external/bsd/bind/dist/lib/dns/include/dns/zone.h patch external/bsd/bind/dist/lib/dns/include/dst/dst.h patch external/bsd/bind/dist/lib/dns/include/dst/gssapi.h patch external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c patch external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c patch external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c new external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.h new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.h new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.h new external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c patch external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c patch external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.c new external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.h new external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.c new external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.h new external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c patch external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c patch external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c patch external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c patch external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c patch external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.c new external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.h new external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.c new external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.h new external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c new external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.h new external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c patch external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c patch external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.c new external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.h new external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c patch external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c patch external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c patch external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c patch external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c patch external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c patch external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.h patch external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c patch external/bsd/bind/dist/lib/dns/rdata/generic/uri_256.c patch external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c patch external/bsd/bind/dist/lib/dns/rdata/hs_4/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/a_1.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/aaaa_28.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/apl_42.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c patch external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c patch external/bsd/bind/dist/lib/dns/tests/Makefile.in patch external/bsd/bind/dist/lib/dns/tests/db_test.c new external/bsd/bind/dist/lib/dns/tests/dbiterator_test.c patch external/bsd/bind/dist/lib/dns/tests/dbversion_test.c patch external/bsd/bind/dist/lib/dns/tests/dispatch_test.c new external/bsd/bind/dist/lib/dns/tests/dnstest.c patch external/bsd/bind/dist/lib/dns/tests/master_test.c patch external/bsd/bind/dist/lib/dns/tests/nsec3_test.c patch external/bsd/bind/dist/lib/dns/tests/private_test.c patch external/bsd/bind/dist/lib/dns/tests/rdata_test.c patch external/bsd/bind/dist/lib/dns/tests/zonemgr_test.c patch external/bsd/bind/dist/lib/dns/tests/testdata/master/master17.data new external/bsd/bind/dist/lib/dns/win32/gen.dsp delete external/bsd/bind/dist/lib/dns/win32/gen.mak delete external/bsd/bind/dist/lib/dns/win32/libdns.def delete external/bsd/bind/dist/lib/dns/win32/libdns.dsp delete external/bsd/bind/dist/lib/dns/win32/libdns.mak delete external/bsd/bind/dist/lib/export/dns/Makefile.in patch external/bsd/bind/dist/lib/export/irs/Makefile.in patch external/bsd/bind/dist/lib/export/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nls/Makefile.in patch external/bsd/bind/dist/lib/export/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/pthreads/Makefile.in patch external/bsd/bind/dist/lib/export/isc/unix/Makefile.in patch external/bsd/bind/dist/lib/export/isccfg/Makefile.in patch external/bsd/bind/dist/lib/export/samples/Makefile.in patch external/bsd/bind/dist/lib/export/samples/nsprobe.c patch external/bsd/bind/dist/lib/export/samples/sample-async.c patch external/bsd/bind/dist/lib/export/samples/sample-gai.c patch external/bsd/bind/dist/lib/export/samples/sample-request.c patch external/bsd/bind/dist/lib/export/samples/sample-update.c patch external/bsd/bind/dist/lib/export/samples/sample.c patch external/bsd/bind/dist/lib/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/api patch external/bsd/bind/dist/lib/irs/context.c patch external/bsd/bind/dist/lib/irs/dnsconf.c patch external/bsd/bind/dist/lib/irs/getaddrinfo.c patch external/bsd/bind/dist/lib/irs/getnameinfo.c patch external/bsd/bind/dist/lib/irs/resconf.c patch external/bsd/bind/dist/lib/irs/include/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/include/irs/resconf.h patch external/bsd/bind/dist/lib/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/api patch external/bsd/bind/dist/lib/isc/app_api.c patch external/bsd/bind/dist/lib/isc/backtrace.c patch external/bsd/bind/dist/lib/isc/base32.c patch external/bsd/bind/dist/lib/isc/base64.c patch external/bsd/bind/dist/lib/isc/bind9.c new external/bsd/bind/dist/lib/isc/buffer.c patch external/bsd/bind/dist/lib/isc/commandline.c patch external/bsd/bind/dist/lib/isc/counter.c new external/bsd/bind/dist/lib/isc/event.c patch external/bsd/bind/dist/lib/isc/hash.c patch external/bsd/bind/dist/lib/isc/heap.c patch external/bsd/bind/dist/lib/isc/hex.c patch external/bsd/bind/dist/lib/isc/hmacmd5.c patch external/bsd/bind/dist/lib/isc/hmacsha.c patch external/bsd/bind/dist/lib/isc/httpd.c patch external/bsd/bind/dist/lib/isc/inet_aton.c patch external/bsd/bind/dist/lib/isc/inet_pton.c patch external/bsd/bind/dist/lib/isc/lex.c patch external/bsd/bind/dist/lib/isc/lib.c patch external/bsd/bind/dist/lib/isc/log.c patch external/bsd/bind/dist/lib/isc/md5.c patch external/bsd/bind/dist/lib/isc/mem.c patch external/bsd/bind/dist/lib/isc/mem_api.c patch external/bsd/bind/dist/lib/isc/netaddr.c patch external/bsd/bind/dist/lib/isc/parseint.c patch external/bsd/bind/dist/lib/isc/pool.c new external/bsd/bind/dist/lib/isc/print.c patch external/bsd/bind/dist/lib/isc/radix.c patch external/bsd/bind/dist/lib/isc/random.c patch external/bsd/bind/dist/lib/isc/ratelimiter.c patch external/bsd/bind/dist/lib/isc/regex.c new external/bsd/bind/dist/lib/isc/result.c patch external/bsd/bind/dist/lib/isc/safe.c new external/bsd/bind/dist/lib/isc/sha1.c patch external/bsd/bind/dist/lib/isc/sha2.c patch external/bsd/bind/dist/lib/isc/sockaddr.c patch external/bsd/bind/dist/lib/isc/socket_api.c patch external/bsd/bind/dist/lib/isc/stats.c patch external/bsd/bind/dist/lib/isc/string.c patch external/bsd/bind/dist/lib/isc/strtoul.c patch external/bsd/bind/dist/lib/isc/symtab.c patch external/bsd/bind/dist/lib/isc/task.c patch external/bsd/bind/dist/lib/isc/task_api.c patch external/bsd/bind/dist/lib/isc/taskpool.c patch external/bsd/bind/dist/lib/isc/timer.c patch external/bsd/bind/dist/lib/isc/timer_api.c patch external/bsd/bind/dist/lib/isc/tm.c new external/bsd/bind/dist/lib/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/include/isc/app.h patch external/bsd/bind/dist/lib/isc/include/isc/base32.h patch external/bsd/bind/dist/lib/isc/include/isc/bind9.h patch external/bsd/bind/dist/lib/isc/include/isc/buffer.h patch external/bsd/bind/dist/lib/isc/include/isc/counter.h new external/bsd/bind/dist/lib/isc/include/isc/event.h patch external/bsd/bind/dist/lib/isc/include/isc/file.h patch external/bsd/bind/dist/lib/isc/include/isc/hash.h patch external/bsd/bind/dist/lib/isc/include/isc/httpd.h patch external/bsd/bind/dist/lib/isc/include/isc/iterated_hash.h patch external/bsd/bind/dist/lib/isc/include/isc/list.h patch external/bsd/bind/dist/lib/isc/include/isc/mem.h patch external/bsd/bind/dist/lib/isc/include/isc/namespace.h patch external/bsd/bind/dist/lib/isc/include/isc/platform.h.in patch external/bsd/bind/dist/lib/isc/include/isc/pool.h new external/bsd/bind/dist/lib/isc/include/isc/print.h patch external/bsd/bind/dist/lib/isc/include/isc/queue.h patch external/bsd/bind/dist/lib/isc/include/isc/radix.h patch external/bsd/bind/dist/lib/isc/include/isc/regex.h new external/bsd/bind/dist/lib/isc/include/isc/region.h patch external/bsd/bind/dist/lib/isc/include/isc/result.h patch external/bsd/bind/dist/lib/isc/include/isc/safe.h new external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h patch external/bsd/bind/dist/lib/isc/include/isc/socket.h patch external/bsd/bind/dist/lib/isc/include/isc/stdio.h patch external/bsd/bind/dist/lib/isc/include/isc/string.h patch external/bsd/bind/dist/lib/isc/include/isc/task.h patch external/bsd/bind/dist/lib/isc/include/isc/timer.h patch external/bsd/bind/dist/lib/isc/include/isc/tm.h new external/bsd/bind/dist/lib/isc/include/isc/types.h patch external/bsd/bind/dist/lib/isc/nothreads/Makefile.in patch external/bsd/bind/dist/lib/isc/nothreads/include/isc/thread.h patch external/bsd/bind/dist/lib/isc/pthreads/thread.c patch external/bsd/bind/dist/lib/isc/pthreads/include/isc/thread.h patch external/bsd/bind/dist/lib/isc/sparc64/include/isc/atomic.h patch external/bsd/bind/dist/lib/isc/tests/Makefile.in patch external/bsd/bind/dist/lib/isc/tests/counter_test.c new external/bsd/bind/dist/lib/isc/tests/hash_test.c patch external/bsd/bind/dist/lib/isc/tests/isctest.c patch external/bsd/bind/dist/lib/isc/tests/isctest.h patch external/bsd/bind/dist/lib/isc/tests/lex_test.c new external/bsd/bind/dist/lib/isc/tests/parse_test.c new external/bsd/bind/dist/lib/isc/tests/pool_test.c new external/bsd/bind/dist/lib/isc/tests/print_test.c new external/bsd/bind/dist/lib/isc/tests/regex_test.c new external/bsd/bind/dist/lib/isc/tests/safe_test.c new external/bsd/bind/dist/lib/isc/tests/sockaddr_test.c new external/bsd/bind/dist/lib/isc/tests/symtab_test.c patch external/bsd/bind/dist/lib/isc/tests/time_test.c new external/bsd/bind/dist/lib/isc/unix/app.c patch external/bsd/bind/dist/lib/isc/unix/entropy.c patch external/bsd/bind/dist/lib/isc/unix/file.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_getifaddrs.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_ioctl.c patch external/bsd/bind/dist/lib/isc/unix/ifiter_sysctl.c patch external/bsd/bind/dist/lib/isc/unix/interfaceiter.c patch external/bsd/bind/dist/lib/isc/unix/net.c patch external/bsd/bind/dist/lib/isc/unix/socket.c patch external/bsd/bind/dist/lib/isc/unix/stdio.c patch external/bsd/bind/dist/lib/isc/unix/time.c patch external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/unix/include/isc/net.h patch external/bsd/bind/dist/lib/isc/unix/include/isc/stat.h patch external/bsd/bind/dist/lib/isc/unix/include/isc/time.h patch external/bsd/bind/dist/lib/isc/win32/libisc.def delete external/bsd/bind/dist/lib/isc/win32/libisc.dsp delete external/bsd/bind/dist/lib/isc/win32/libisc.mak delete external/bsd/bind/dist/lib/isc/win32/include/isc/platform.h delete external/bsd/bind/dist/lib/isccc/Makefile.in patch external/bsd/bind/dist/lib/isccc/api patch external/bsd/bind/dist/lib/isccc/base64.c patch external/bsd/bind/dist/lib/isccc/cc.c patch external/bsd/bind/dist/lib/isccc/sexpr.c patch external/bsd/bind/dist/lib/isccc/include/isccc/util.h patch external/bsd/bind/dist/lib/isccc/win32/libisccc.dsp delete external/bsd/bind/dist/lib/isccc/win32/libisccc.mak delete external/bsd/bind/dist/lib/isccfg/Makefile.in patch external/bsd/bind/dist/lib/isccfg/aclconf.c patch external/bsd/bind/dist/lib/isccfg/api patch external/bsd/bind/dist/lib/isccfg/namedconf.c patch external/bsd/bind/dist/lib/isccfg/parser.c patch external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in patch external/bsd/bind/dist/lib/isccfg/include/isccfg/aclconf.h patch external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h patch external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h patch external/bsd/bind/dist/lib/isccfg/win32/libisccfg.dsp delete external/bsd/bind/dist/lib/isccfg/win32/libisccfg.mak delete external/bsd/bind/dist/lib/lwres/Atffile new external/bsd/bind/dist/lib/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/api patch external/bsd/bind/dist/lib/lwres/compat.c new external/bsd/bind/dist/lib/lwres/context.c patch external/bsd/bind/dist/lib/lwres/gai_strerror.c patch external/bsd/bind/dist/lib/lwres/getaddrinfo.c patch external/bsd/bind/dist/lib/lwres/gethost.c patch external/bsd/bind/dist/lib/lwres/getipnode.c patch external/bsd/bind/dist/lib/lwres/getnameinfo.c patch external/bsd/bind/dist/lib/lwres/getrrset.c patch external/bsd/bind/dist/lib/lwres/herror.c patch external/bsd/bind/dist/lib/lwres/lwbuffer.c patch external/bsd/bind/dist/lib/lwres/lwconfig.c patch external/bsd/bind/dist/lib/lwres/lwinetaton.c patch external/bsd/bind/dist/lib/lwres/lwinetpton.c patch external/bsd/bind/dist/lib/lwres/lwres_gabn.c patch external/bsd/bind/dist/lib/lwres/lwres_gnba.c patch external/bsd/bind/dist/lib/lwres/lwres_grbn.c patch external/bsd/bind/dist/lib/lwres/lwres_noop.c patch external/bsd/bind/dist/lib/lwres/lwresutil.c patch external/bsd/bind/dist/lib/lwres/print.c patch external/bsd/bind/dist/lib/lwres/strtoul.c delete external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/include/lwres/lwres.h patch external/bsd/bind/dist/lib/lwres/include/lwres/netdb.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/platform.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/stdlib.h patch external/bsd/bind/dist/lib/lwres/include/lwres/string.h new external/bsd/bind/dist/lib/lwres/man/lwres.3 patch external/bsd/bind/dist/lib/lwres/man/lwres.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres.html patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html patch external/bsd/bind/dist/lib/lwres/man/lwres_config.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_config.html patch external/bsd/bind/dist/lib/lwres/man/lwres_context.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_context.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.html patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html patch external/bsd/bind/dist/lib/lwres/tests/Atffile new external/bsd/bind/dist/lib/lwres/tests/Makefile.in new external/bsd/bind/dist/lib/lwres/tests/config_test.c new external/bsd/bind/dist/lib/lwres/tests/testdata/link-local.conf new external/bsd/bind/dist/lib/lwres/win32/liblwres.dsp delete external/bsd/bind/dist/lib/lwres/win32/liblwres.mak delete external/bsd/bind/dist/lib/tests/t_api.c patch external/bsd/bind/dist/lib/tests/include/tests/t_api.h patch external/bsd/bind/dist/lib/win32/bindevt/bindevt.dsp delete external/bsd/bind/dist/lib/win32/bindevt/bindevt.mak delete external/bsd/bind/dist/make/mkdep.in patch external/bsd/bind/dist/make/rules.in patch external/bsd/bind/dist/unit/README patch external/bsd/bind/dist/unit/unittest.sh.in patch external/bsd/bind/dist/unit/atf-src/AUTHORS patch external/bsd/bind/dist/unit/atf-src/Atffile patch external/bsd/bind/dist/unit/atf-src/COPYING patch external/bsd/bind/dist/unit/atf-src/INSTALL patch external/bsd/bind/dist/unit/atf-src/Kyuafile new external/bsd/bind/dist/unit/atf-src/Makefile.am patch external/bsd/bind/dist/unit/atf-src/Makefile.in patch external/bsd/bind/dist/unit/atf-src/NEWS patch external/bsd/bind/dist/unit/atf-src/TODO new external/bsd/bind/dist/unit/atf-src/aclocal.m4 patch external/bsd/bind/dist/unit/atf-src/atf-c++.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c.h patch external/bsd/bind/dist/unit/atf-src/configure patch external/bsd/bind/dist/unit/atf-src/configure.ac patch external/bsd/bind/dist/unit/atf-src/admin/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/admin/check-install.sh delete external/bsd/bind/dist/unit/atf-src/admin/check-style-c.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-common.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-cpp.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-man.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style-shell.awk patch external/bsd/bind/dist/unit/atf-src/admin/check-style.sh patch external/bsd/bind/dist/unit/atf-src/admin/compile patch external/bsd/bind/dist/unit/atf-src/admin/depcomp patch external/bsd/bind/dist/unit/atf-src/admin/install-sh patch external/bsd/bind/dist/unit/atf-src/admin/ltmain.sh patch external/bsd/bind/dist/unit/atf-src/admin/missing patch external/bsd/bind/dist/unit/atf-src/atf-c/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c/atf-c-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-c/atf-c.m4 new external/bsd/bind/dist/unit/atf-src/atf-c/atf-common.m4 new external/bsd/bind/dist/unit/atf-src/atf-c/atf_c_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/check.c patch external/bsd/bind/dist/unit/atf-src/atf-c/check.h patch external/bsd/bind/dist/unit/atf-src/atf-c/check_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/config.c patch external/bsd/bind/dist/unit/atf-src/atf-c/config_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/defs.h.in patch external/bsd/bind/dist/unit/atf-src/atf-c/error.c patch external/bsd/bind/dist/unit/atf-src/atf-c/error.h patch external/bsd/bind/dist/unit/atf-src/atf-c/error_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/macros.h patch external/bsd/bind/dist/unit/atf-src/atf-c/macros_h_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/macros_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/pkg_config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-c/tc.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tc.h patch external/bsd/bind/dist/unit/atf-src/atf-c/tc_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tp.c patch external/bsd/bind/dist/unit/atf-src/atf-c/tp.h patch external/bsd/bind/dist/unit/atf-src/atf-c/tp_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/unused_test.c new external/bsd/bind/dist/unit/atf-src/atf-c/utils.c patch external/bsd/bind/dist/unit/atf-src/atf-c/utils.h patch external/bsd/bind/dist/unit/atf-src/atf-c/utils_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c/detail/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/dynstr_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/env.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/env_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/fs_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/list_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/map_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_helpers.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/process_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/sanity_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/test_helpers_test.c delete external/bsd/bind/dist/unit/atf-src/atf-c/detail/text.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/text_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/tp_main.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user.c patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user.h patch external/bsd/bind/dist/unit/atf-src/atf-c/detail/user_test.c patch external/bsd/bind/dist/unit/atf-src/atf-c++/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c++/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c++/atf-c++-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-c++/atf-c++.m4 new external/bsd/bind/dist/unit/atf-src/atf-c++/check.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/check.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/check_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/config_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros_hpp_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/macros_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/noncopyable.hpp new external/bsd/bind/dist/unit/atf-src/atf-c++/pkg_config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/tests_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/unused_test.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/utils.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/utils.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/utils_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Atffile patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/application_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/auto_array.hpp new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/auto_array_test.cpp new external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/env_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/exceptions_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/expand_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/fs_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/parser_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/process_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/sanity.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/test_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/test_helpers.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text.hpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/text_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/ui.cpp patch external/bsd/bind/dist/unit/atf-src/atf-c++/detail/ui.hpp patch external/bsd/bind/dist/unit/atf-src/atf-config/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-config/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-config/atf-config.1 patch external/bsd/bind/dist/unit/atf-src/atf-config/atf-config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-config/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-report/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-report/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-report/atf-report.1 patch external/bsd/bind/dist/unit/atf-src/atf-report/atf-report.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/fail_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-report/misc_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/pass_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader.hpp patch external/bsd/bind/dist/unit/atf-src/atf-report/reader_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.css patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.dtd patch external/bsd/bind/dist/unit/atf-src/atf-report/tests-results.xsl patch external/bsd/bind/dist/unit/atf-src/atf-run/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-run/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-run/atf-run.1 patch external/bsd/bind/dist/unit/atf-src/atf-run/atf-run.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/atffile_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/config.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/config_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/fs_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/integration_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-run/io.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/io.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/io_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/misc_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/pass_helper.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/requirements.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/requirements_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/several_tcs_helper.c patch external/bsd/bind/dist/unit/atf-src/atf-run/signals.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/signals.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/signals_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/test-program.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/test_program_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/timer.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/timer.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user.hpp patch external/bsd/bind/dist/unit/atf-src/atf-run/user_test.cpp patch external/bsd/bind/dist/unit/atf-src/atf-run/zero_tcs_helper.c patch external/bsd/bind/dist/unit/atf-src/atf-run/share/atf-run.hooks patch external/bsd/bind/dist/unit/atf-src/atf-sh/Kyuafile new external/bsd/bind/dist/unit/atf-src/atf-sh/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check.1 patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check.cpp patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-check_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh-api.3 patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.cpp patch external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.m4 new external/bsd/bind/dist/unit/atf-src/atf-sh/atf-sh.pc.in new external/bsd/bind/dist/unit/atf-src/atf-sh/atf_check_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/config_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/libatf-sh.subr patch external/bsd/bind/dist/unit/atf-src/atf-sh/misc_helpers.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/normalize_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/tc_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-sh/tp_test.sh patch external/bsd/bind/dist/unit/atf-src/atf-version/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/atf-version/atf-version.1 patch external/bsd/bind/dist/unit/atf-src/atf-version/atf-version.cpp patch external/bsd/bind/dist/unit/atf-src/atf-version/generate-revision.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_app_empty.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_app_opts_args.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_atf_check_sh.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_basic_cpp.cpp patch external/bsd/bind/dist/unit/atf-src/bootstrap/h_tp_basic_sh.sh patch external/bsd/bind/dist/unit/atf-src/bootstrap/package.m4 patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_application_help.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_application_opts_args.atpatch external/bsd/bind/dist/unit/atf-src/bootstrap/t_atf_config.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_atf_run.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_subr_atf_check.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_compare.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_filter.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_list.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/t_test_program_run.at patch external/bsd/bind/dist/unit/atf-src/bootstrap/testsuite patch external/bsd/bind/dist/unit/atf-src/bootstrap/testsuite.at patch external/bsd/bind/dist/unit/atf-src/doc/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/doc/atf-formats.5 patch external/bsd/bind/dist/unit/atf-src/doc/atf-test-case.4 patch external/bsd/bind/dist/unit/atf-src/doc/atf-test-program.1 patch external/bsd/bind/dist/unit/atf-src/doc/atf.7.in patch external/bsd/bind/dist/unit/atf-src/m4/compiler-flags.m4 patch external/bsd/bind/dist/unit/atf-src/m4/cxx-std-funcs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/developer-mode.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-application.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-defs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-env.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-fs.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-sanity.m4 patch external/bsd/bind/dist/unit/atf-src/m4/module-signals.m4 patch external/bsd/bind/dist/unit/atf-src/test-programs/Atffile patch external/bsd/bind/dist/unit/atf-src/test-programs/Kyuafile new external/bsd/bind/dist/unit/atf-src/test-programs/Makefile.am.inc patch external/bsd/bind/dist/unit/atf-src/test-programs/c_helpers.c patch external/bsd/bind/dist/unit/atf-src/test-programs/config_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/cpp_helpers.cpp patch external/bsd/bind/dist/unit/atf-src/test-programs/expect_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/fork_test.sh delete external/bsd/bind/dist/unit/atf-src/test-programs/meta_data_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/result_test.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/sh_helpers.sh patch external/bsd/bind/dist/unit/atf-src/test-programs/srcdir_test.sh patch external/bsd/bind/dist/win32utils/BINDBuild.dsw delete external/bsd/bind/dist/win32utils/BuildAll.bat delete external/bsd/bind/dist/win32utils/BuildPost.bat delete external/bsd/bind/dist/win32utils/BuildSetup.bat delete external/bsd/bind/dist/win32utils/SetupLibs.bat delete external/bsd/bind/dist/win32utils/dnsheadergen.bat delete external/bsd/bind/dist/win32utils/makedefs.pl delete external/bsd/bind/dist/win32utils/makeversion.pl delete external/bsd/bind/dist/win32utils/setpk11provider.pl delete external/bsd/bind/dist/win32utils/updatelibxml2.pl delete external/bsd/bind/dist/win32utils/updateopenssl.pl delete external/bsd/bind/dist/win32utils/win32-build.txt delete external/bsd/bind/include/config.h patch external/bsd/bind/include/dns/code.h patch external/bsd/bind/include/dns/enumclass.h patch external/bsd/bind/include/dns/enumtype.h patch external/bsd/bind/include/dns/rdatastruct.h patch external/bsd/bind/include/irs/netdb.h new external/bsd/bind/include/irs/platform.h new external/bsd/bind/include/isc/platform.h patch external/bsd/bind/include/lwres/netdb.h patch external/bsd/bind/include/lwres/platform.h patch external/bsd/bind/lib/Makefile patch external/bsd/bind/lib/libbind9/Makefile patch external/bsd/bind/lib/libbind9/shlib_version patch external/bsd/bind/lib/libdns/Makefile patch external/bsd/bind/lib/libdns/shlib_version patch external/bsd/bind/lib/libirs/Makefile new external/bsd/bind/lib/libirs/shlib_version new external/bsd/bind/lib/libisc/Makefile patch external/bsd/bind/lib/libisc/shlib_version patch external/bsd/bind/lib/libisccc/Makefile patch external/bsd/bind/lib/libisccc/shlib_version patch external/bsd/bind/lib/libisccfg/Makefile patch external/bsd/bind/lib/libisccfg/shlib_version patch external/bsd/bind/lib/liblwres/shlib_version patch Update bind to 9.9.6-P1. CVE-2014-8500. @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1- Comment Syntax
d55 1 a55 1- acl Statement Grammar
d58 1 a58 1- controls Statement Grammar
d61 2 a62 2- include Statement Grammar
- include Statement Definition and d64 4 a67 4
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and d69 4 a72 4
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d74 1 a74 1
- options Statement Grammar
d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d412 2 a413 16 A 64-bit unsigned integer, or the keywordsunlimitedordefault.Integers may take values 0 <= value <= 18446744073709551615, though certain parameters (such as max-journal-size) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible", depending on the context. See the explanations of particular parameters that use
size_specfor details on how they interpret its use. d416 7 a422 2 Numeric values can optionally be followed by a scaling factor: d427 3 a429 13Gorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.
unlimitedgenerally means "as big as possible", though in certain contexts, (includingmax-cache-size), it may mean the largest possible 32-bit unsigned integer (0xffffffff); this distinction can be important when dealing with larger quantities.unlimitedis usually the best way to safely set a very large number. d432 5 a436 2defaultuses the limit that was in force when the server was started. d480 1 a480 1 Syntaxsize_spec] d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase a1293 3 On Windows machines syslog messages are directed to the EventViewer.d1720 2 a1721 2 delegation-only in a forward, hint or stub zone declaration. a1771 31
d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2033 2 a2034 2 IPv4 addresses (and ports) that this instance of a lightweight resolver daemon d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar d2120 1 a2120 1 [ zone-statistics rate-limit
(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
full|terse|none; ] a2133 1 [ request-nsidyes_or_no; ] a2159 1 [ check-spf (warn|ignore); ] a2178 1 [ no-case-compress {address_match_list}; ] d2260 1 a2260 1 [ dns64ipv6-prefix{ a2282 1 [ max-recursion-depthnumber; ] a2292 17 [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] d2297 1 a2297 1 [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d2427 7 a2433 16d2707 1 a2707 1 from https://www.isc.org/solutions/dlv/. d2845 1 a2845 32 via dynamic update; this is not yet implemented.) Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views, then managed keys for the server will be tracked in a single file called
managed-keys.bind. Otherwise, managed keys will be tracked in separate files, one file per view; each file name will be the SHA256 hash of the view name, followed by the extension.mkeys.zone-statistics If
full, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics terse or zone-statistics none in the zone statement). The default isterse, providing minimal statistics on zones (including name and current serial number, but not query type counters).These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions of BIND 9, the zone-statistics option can also accept
yesorno, which have the same effect asfullandterse, respectively. a3234 11request-nsid d3257 14 d3594 1 a3594 2 If
yes, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in the resolver category at level info. The default isno.a3623 8 d3606 1 a3606 12
The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with check-spf.
check-spf d3691 1 a3691 1 sets the frequency of automatic repository checks, in d3732 1 a3732 1 Forwarding d3776 1 a3776 1 Dual-stack Servers a3850 6 Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it will be refused. If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn.
a3974 51
no-case-compress d3987 1 a3987 1 Interfaces d3991 1 a3991 3 an optional port and an Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisons.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circumstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all responses for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
address_match_listof IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) a4038 2 IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning. d4455 1 a4455 1 UDP Port Lists d4497 1 a4497 1 Operating System Resource Limits d4577 2 a4578 4 will be automatically removed. The largest permitted value is 2 gigabytes. The default isunlimited, which also means 2 gigabytes. d4646 1 a4646 1 The listen queue depth. The default and minimum is 10. d4651 3 a4653 4 some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also be used; on most platforms this sets the listen queue length to a system-defined default value. d4659 1 a4659 1 Periodic Task Intervals d5081 1 a5081 1 signing state records. The default is d5089 7 a5095 14 Signing state records are used to internally by named to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command rndc signing -listzone. Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running rndc signing -clearkeyid/algorithmzone. To clear all of the completed signing state records for a zone, use rndc signing -clear allzone. a5235 23max-recursion-depth Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
max-recursion-queries d5268 6 a5273 10 default view of class IN. Most global configuration options (allow-query, etc) will apply to this view, but some are locally overridden: notify, recursion and allow-new-zones are always set to Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
no.If you need to disable these zones, use the options d5328 1 a5328 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5359 64
64.100.IN-ADDR.ARPA 65.100.IN-ADDR.ARPA 66.100.IN-ADDR.ARPA 67.100.IN-ADDR.ARPA 68.100.IN-ADDR.ARPA 69.100.IN-ADDR.ARPA 70.100.IN-ADDR.ARPA 71.100.IN-ADDR.ARPA 72.100.IN-ADDR.ARPA 73.100.IN-ADDR.ARPA 74.100.IN-ADDR.ARPA 75.100.IN-ADDR.ARPA 76.100.IN-ADDR.ARPA 77.100.IN-ADDR.ARPA 78.100.IN-ADDR.ARPA 79.100.IN-ADDR.ARPA 80.100.IN-ADDR.ARPA 81.100.IN-ADDR.ARPA 82.100.IN-ADDR.ARPA 83.100.IN-ADDR.ARPA 84.100.IN-ADDR.ARPA 85.100.IN-ADDR.ARPA 86.100.IN-ADDR.ARPA 87.100.IN-ADDR.ARPA 88.100.IN-ADDR.ARPA 89.100.IN-ADDR.ARPA 90.100.IN-ADDR.ARPA 91.100.IN-ADDR.ARPA 92.100.IN-ADDR.ARPA 93.100.IN-ADDR.ARPA 94.100.IN-ADDR.ARPA 95.100.IN-ADDR.ARPA 96.100.IN-ADDR.ARPA 97.100.IN-ADDR.ARPA 98.100.IN-ADDR.ARPA 99.100.IN-ADDR.ARPA 100.100.IN-ADDR.ARPA 101.100.IN-ADDR.ARPA 102.100.IN-ADDR.ARPA 103.100.IN-ADDR.ARPA 104.100.IN-ADDR.ARPA 105.100.IN-ADDR.ARPA 106.100.IN-ADDR.ARPA 107.100.IN-ADDR.ARPA 108.100.IN-ADDR.ARPA 109.100.IN-ADDR.ARPA 110.100.IN-ADDR.ARPA 111.100.IN-ADDR.ARPA 112.100.IN-ADDR.ARPA 113.100.IN-ADDR.ARPA 114.100.IN-ADDR.ARPA 115.100.IN-ADDR.ARPA 116.100.IN-ADDR.ARPA 117.100.IN-ADDR.ARPA 118.100.IN-ADDR.ARPA 119.100.IN-ADDR.ARPA 120.100.IN-ADDR.ARPA 121.100.IN-ADDR.ARPA 122.100.IN-ADDR.ARPA 123.100.IN-ADDR.ARPA 124.100.IN-ADDR.ARPA 125.100.IN-ADDR.ARPA 126.100.IN-ADDR.ARPA 127.100.IN-ADDR.ARPA d5524 1 a5524 1 Content Filtering d5577 1 a5577 1 d5647 1 a5647 1 Response Policy Zone (RPZ) Rewriting d5703 2 a5709 4 NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains. d5748 10 d5782 1 a5782 1 by a CNAME whose target is rpz-passthru. a5899 245RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
d6213 2 a6214 2This feature is only available when BIND 9 is compiled with the
--enable-rrloption on the "configure" command line.Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with responses-per-second (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomain-per-second (default responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the responses-per-second value, but it can be set separately with errors-per-second.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
a5908 1 [ request-nsidyes_or_no; ] a6097 7The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
d6111 1 a6111 1 statistics-channels Statement Definition and a6158 24If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When BIND 9 is configured with --enable-newstats, a new XML schema is used (version 3) which adds additional zone statistics and uses a flatter tree for more efficient parsing. The stylesheet included uses the Google Charts API to render data into into charts and graphs when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
d6171 1 a6171 1 trusted-keys Statement Definition d6211 1 a6211 1 managed-keys Statement Grammarnameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d6322 1 a6322 1 If the dnssec-validation option is d6325 4 a6328 7 root zone. Similarly, if the dnssec-lookaside option is set toauto, named will automatically initialize a managed key for the zonedlv.isc.org. In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d6346 1 a6346 1 view Statement Definition and Usage a6473 3 [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] a6479 1 [ check-spf (warn|ignore); ] d6502 1 a6502 1 [ zone-statisticsfull|terse|none; ] d6526 1 a6527 1 [ update-check-kskyes_or_no; ] d6567 1 a6567 5 [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] a6572 3 [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] d6647 1 a6647 1 zone Statement Definition and Usage d6650 1 a6650 1 Zone Types d6887 4 a6890 6 Redirect zones are used to provide answers to queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. a6896 36To redirect all NXDOMAIN responses to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2, one would configure a type redirect zone named ".", with the zone file containing wildcard records that point to the desired addresses:
"*. IN A 100.100.100.2"and"*. IN AAAA 2001:ffff:ffff::100.100.100.2".To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced directly by name, they are not kept in the zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use rndc reload
d6930 1 a6930 1 Class d6952 1 a6952 1 Zone Options a7026 5zonenameto reload a redirect zone. However, when using rndc reload without specifying a zone name, redirect zones will be reloaded along with other zones.check-spf d7103 3 a7105 4 The flag only applies to forward, hint and stub zones. If set to See the description of check-spf in the section called “Boolean Options”.
yes, then the zone will also be treated as if it is also a delegation-only type zone. d7422 1 a7422 1 unsigned zone is transferred in or loaded from d7863 1 a7863 1 Zone File d7876 1 a7876 1 Resource Records d8613 1 a8613 1 Textual expression of RRs d8816 1 a8816 1 Discussion of MX Records d9058 2 a9059 1 servers can cache it. d9072 1 a9072 1 Inverse Mapping in IPv4 d9133 1 a9133 1 Other Zone File Directives d9148 1 a9148 1 The @@ (at-sign) d9159 1 a9159 1 The $ORIGIN Directive d9188 1 a9188 1 The $INCLUDE Directive d9224 1 a9224 1 The $TTL Directive d9243 1 a9243 1 BIND Master File Extension: the $GENERATE Directive d9311 2 a9312 3 is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. d9667 1 a9667 1 Name Server Statistics Counters a10218 39RPZRewrites
Response policy zone rewrites.
RateDropped
Responses dropped by rate limits.
d10224 1 a10224 1 Zone Maintenance Statistics Counters d10378 1 a10378 1 Resolver Statistics Counters d10761 1 a10761 1 Socket I/O Statistics Counters d10916 1 a10916 1 Compatibility with BIND 8 Counters a10967 1 RateSlipped
Responses truncated by rate limits.
BIND Version 9.9
@ 1.1.1.9.4.4 log @Pull up following revision(s) (requested by spz in ticket #1259): external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/README patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html patch external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/zone.c patch Security patch for bind from ISC (to 9.9.6-P2). Only the change to lib/dns/zone.c is security relevant (CVE-2015-1349). @ text @d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a2341 1 [ max-recursion-queriesnumber; ] d3865 1 a3865 1 Forwarding d3909 1 a3909 1 Dual-stack Servers d4177 1 a4177 1 Interfaces d4649 1 a4649 1 UDP Port Lists d4691 1 a4691 1 Operating System Resource Limits d4856 1 a4856 1 Periodic Task Intervals d5819 1 a5819 1 Content Filtering d5942 1 a5942 1 Response Policy Zone (RPZ) Rewriting d6209 1 a6209 1 Response Rate Limiting d6651 1 a6651 1 statistics-channels Statement Definition and d6735 1 a6735 1 trusted-keys Statement Definition d6775 1 a6775 1 managed-keys Statement Grammar d6913 1 a6913 1 view Statement Definition and Usage d7225 1 a7225 1 zone Statement Definition and Usage d7228 1 a7228 1 Zone Types d7546 1 a7546 1 Class d7568 1 a7568 1 Zone Options d8485 1 a8485 1 Zone File d8498 1 a8498 1 Resource Records d9235 1 a9235 1 Textual expression of RRs d9438 1 a9438 1 Discussion of MX Records d9693 1 a9693 1 Inverse Mapping in IPv4 d9754 1 a9754 1 Other Zone File Directives d9769 1 a9769 1 The @@ (at-sign) d9780 1 a9780 1 The $ORIGIN Directive d9809 1 a9809 1 The $INCLUDE Directive d9845 1 a9845 1 The $TTL Directive d9864 1 a9864 1 BIND Master File Extension: the $GENERATE Directive d10289 1 a10289 1 Name Server Statistics Counters d10885 1 a10885 1 Zone Maintenance Statistics Counters d11039 1 a11039 1 Resolver Statistics Counters d11422 1 a11422 1 Socket I/O Statistics Counters d11577 1 a11577 1 Compatibility with BIND 8 Counters @ 1.1.1.9.4.5 log @Apply patch, requested by spz in ticket 1329: Update bind to 9.9.7-P3 @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d496 1 a496 1 Syntax d505 1 a505 1 Definition and Usage d589 1 a589 1 Comment Syntax d599 1 a599 1 Syntax d615 1 a615 1 Definition and Usage d869 1 a869 1 acl Statement Grammar d885 5 d956 1 a956 1 controls Statement Grammar d1080 1 a1080 1 include Statement Grammar d1085 1 a1085 1 include Statement Definition and d1100 1 a1100 1 key Statement Grammar d1109 1 a1109 1 key Statement Definition and Usage d1156 1 a1156 1 logging Statement Grammar d1180 1 a1180 1 logging Statement Definition and d1214 1 a1214 1 The channel Phrase a1826 11d1832 1 a1832 1 The query-errors Category d2060 1 a2060 1 lwres Statement Grammar d2076 1 a2076 1 lwres Statement Definition and Usage d2127 1 a2127 1 masters Statement Grammar d2135 1 a2135 1 masters Statement Definition and d2145 1 a2145 1 options Statement Grammar d2370 5 a2374 10 [ response-policy { zone cname
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
zone_name[ policy(given | disabled | passthru | nxdomain | nodata | cname domain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; [...] } ; ] d3866 1 a3866 1 Forwarding d3910 1 a3910 1 Dual-stack Servers d4178 1 a4178 1 Interfaces d4475 1 a4475 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4650 1 a4650 1 UDP Port Lists d4692 1 a4692 1 Operating System Resource Limits d4857 1 a4857 1 Periodic Task Intervals d5461 2 a5462 4 is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 50. d5820 1 a5820 1 Content Filtering d5943 1 a5943 1 Response Policy Zone (RPZ) Rewriting d6031 1 a6031 1Among triggers with the same prefix length, d6210 1 a6210 1 Response Rate Limiting d6652 1 a6652 1 statistics-channels Statement Definition and d6736 1 a6736 1 trusted-keys Statement Definition d6776 1 a6776 1 managed-keys Statement Grammar d6914 1 a6914 1 view Statement Definition and Usage d7226 1 a7226 1 zone Statement Definition and Usage d7229 1 a7229 1 Zone Types d7547 1 a7547 1 Class d7569 1 a7569 1 Zone Options d8486 1 a8486 1 Zone File d8499 1 a8499 1 Resource Records d9236 1 a9236 1 Textual expression of RRs d9439 1 a9439 1 Discussion of MX Records d9694 1 a9694 1 Inverse Mapping in IPv4 d9755 1 a9755 1 Other Zone File Directives d9770 1 a9770 1 The @@ (at-sign) d9781 1 a9781 1 The $ORIGIN Directive d9810 1 a9810 1 The $INCLUDE Directive d9846 1 a9846 1 The $TTL Directive d9865 1 a9865 1 BIND Master File Extension: the $GENERATE Directive d10290 1 a10290 1 Name Server Statistics Counters d10886 1 a10886 1 Zone Maintenance Statistics Counters d11040 1 a11040 1 Resolver Statistics Counters d11423 1 a11423 1 Socket I/O Statistics Counters d11578 1 a11578 1 Compatibility with BIND 8 Counters d11630 1 a11630 1 BIND 9.9.7-P3 (Extended Support Version)
@ 1.1.1.9.4.6 log @Apply patch (requested by spz in ticket #1449): Update BIND to 9.9.9-P8 Security issues fixed with this update: CVE-2015-8704 CVE-2016-1285 CVE-2016-1286 CVE-2016-2775 CVE-2016-2776 CVE-2016-8864 CVE-2016-9131 CVE-2016-9147 CVE-2016-9444 CVE-2017-3135 CVE-2017-3136 CVE-2017-3137 CVE-2017-3138 The update also contains numerous bug fixes as well as changes to comply with recent RFCs. @ text @d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2d509 1 a509 1 the listen-on and sortlist d513 5 a517 5
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 11
- zone Statement Definition and Usage
Zone File
- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
d95 1 a95 1- BIND9 Statistics
d97 7 a103 2- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d503 1 a503 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d309 4 a312 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d420 1 a420 1 (such as max-journal-size) may d427 1 a427 1 for details on how they interpret its use. d446 1 a446 1 dealing with larger quantities. d451 1 a451 1 defaultd491 1 a491 1d597 1 a597 1 d613 1 a613 1 d687 1 a687 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d520 2 a521 2
- the name of an address match list defined with the acl statement d523 1 a523 1
- a nested address match list enclosed in braces
d547 2 a548 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d554 12 a565 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d578 1 a578 1 1.2.3/24; ! 1.2.3.13; d581 1 a581 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d587 1 a587 1d703 2 a704 2d709 1 a709 1 acl
d720 1 a720 1controls
d725 1 a725 1 by the rndc utility. d731 1 a731 1include
d741 1 a741 1key
d752 1 a752 1logging
d763 1 a763 1lwres
d767 2 a768 2 configures named to also act as a light-weight resolver daemon (lwresd). d774 1 a774 1masters
d780 2 a781 2 masters or also-notify lists. d787 1 a787 1options
d798 1 a798 1server
d809 1 a809 1statistics-channels
d814 1 a814 1 named statistics. d820 1 a820 1trusted-keys
d830 1 a830 1managed-keys
d841 1 a841 1view
d851 1 a851 1zone
d862 2 a863 2 The logging and options statements may only occur once d867 1 a867 1acl acl-name { d875 1 a875 1d877 1 a877 1 acl Statement Definition and d880 1 a880 1 The acl statement assigns a symbolic d889 2 a890 2d895 1 a895 1 any
d905 1 a905 1none
d915 1 a915 1localhost
d921 1 a921 1 added or removed, the localhost d928 1 a928 1localnets
d935 1 a935 1 the localnets d940 1 a940 1 In such a case, localnets d942 1 a942 1 IPv6 addresses, just like localhost. d949 1 a949 1controls { d963 1 a963 1d965 1 a965 1 controls Statement Definition and d968 1 a968 1 The controls statement declares control d971 1 a971 1 used by the rndc utility to send d975 4 a978 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d982 2 a983 2 use an ip_addr of::. If you will only use rndc on the local host, d989 1 a989 1 "*" cannot be used for ip_port. d993 2 a994 2 restricted by the allow and keys clauses. d996 3 a998 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1002 1 a1002 1 A unix control channel is a UNIX domain d1004 2 a1005 2 Access to the socket is specified by the perm, owner and group clauses. d1007 1 a1007 1 (perm) are applied to the parent directory d1012 3 a1014 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1016 2 a1017 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1020 2 a1021 2 If no controls statement is present, named will set up a default d1024 3 a1026 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1037 1 a1037 1 messages and thus did not have a keys clause. d1041 2 a1042 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1058 1 a1058 1 named is running as) can access it. d1061 1 a1061 1 rndc commands, then you need to create d1069 2 a1070 2 controls statement: controls { };. d1073 1 a1073 1included1078 1 a1078 1 d1083 3 a1085 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1093 1 a1093 1filename;keykey_id{ algorithmalgorithm_id; secretsecret_string; d1102 1 a1102 1 d1106 2 a1107 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1109 2 a1110 1 (see the section called “controls Statement Definition and d1114 1 a1114 1 The key statement can occur at the d1116 2 a1117 2 of the configuration file or inside a view statement. Keys defined in top-level key d1119 3 a1121 2 a controls statement (see the section called “controls Statement Definition and d1128 1 a1128 1 be used in a server d1149 1 a1149 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1162 3 a1164 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1166 1 a1166 1 [ categorycategory_name{ d1173 1 a1173 1 d1178 1 a1178 1 The logging statement configures a d1180 1 a1180 1 variety of logging options for the name server. Its channel phrase d1182 1 a1182 1 a name that can then be used with the category phrase d1186 1 a1186 1 Only one logging statement is used to d1188 1 a1188 1 as many channels and categories as are wanted. If there is no logging statement, d1200 1 a1200 1 established as soon as the logging d1207 1 a1207 1 d1220 2 a1221 2 info), and whether to include a named-generated time stamp, the d1226 1 a1226 1 The null destination clause d1231 1 a1231 1 The file destination clause directs d1239 1 a1239 1 If you use the versions log file d1241 1 a1241 1 named will retain that many backup d1251 1 a1251 1 You can say versions unlimited to d1254 1 a1254 1 If a size option is associated with d1262 1 a1262 1 The size option for files is used d1264 2 a1265 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1269 1 a1269 1 versions option, no more data will d1278 2 a1279 2 Example usage of the size and versions options: d1288 1 a1288 1 The syslog destination clause d1291 9 a1299 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1302 1 a1302 1 How syslog will handle messages d1304 3 a1306 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1313 1 a1313 1 The severity clause works like syslog's d1315 1 a1315 1 straight to a file rather than using syslog. d1322 1 a1322 1 If you are using syslog, then the syslog.conf priorities d1324 7 a1330 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1334 1 a1334 1 The stderr destination clause d1347 1 a1347 1 level is set either by starting the named server d1349 1 a1349 1 or by running rndc trace. d1351 1 a1351 1 can be set to zero, and debugging mode turned off, by running rndc d1364 1 a1364 1 level. Channels with dynamic d1369 1 a1369 1 If print-time has been turned on, d1371 2 a1372 2 the date and time will be logged. print-time may be specified for a syslog channel, d1374 1 a1374 1 pointless since syslog also logs d1376 1 a1376 1 time. If print-category is d1378 2 a1379 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1383 1 a1383 1 three print- options d1391 1 a1391 1 named's default logging as follows. d1393 1 a1393 1 used is described in the section called “The category Phrase”. d1423 1 a1423 1 The default_debug channel has the d1433 1 a1433 1 is created only after named has d1435 1 a1435 1 new UID, and any debug output generated while named is d1447 1 a1447 1 d1455 1 a1455 1 in that category will be sent to the default category d1476 1 a1476 1 To discard all messages in a category, specify the null channel: d1488 2 a1489 2d1494 2 a1495 2 client
d1497 7 a1503 4Processing of client requests.
d1507 2 a1508 2cname
d1510 5 a1514 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1518 2 a1519 2config
d1521 6 a1526 4Configuration file parsing and processing.
d1530 2 a1531 2database
d1533 4 a1536 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1540 2 a1541 2default
d1543 4 a1546 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1550 2 a1551 2delegation-only
d1553 6 a1558 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1562 2 a1563 2dispatch
d1565 4 a1568 5Dispatching of incoming packets to the server modules where they are to be processed.
d1572 2 a1573 2dnssec
d1575 4 a1578 4DNSSEC and TSIG protocol processing.
d1582 2 a1583 2edns-disabled
d1585 4 a1588 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1592 2 a1593 2general
d1595 4 a1598 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1602 2 a1603 2lame-servers
d1605 9 a1613 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1617 2 a1618 2network
d1620 4 a1623 4Network operations.
d1627 2 a1628 2notify
d1630 4 a1633 4The NOTIFY protocol.
d1637 2 a1638 2queries
d1640 4 a1643 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1647 2 a1648 2query-errors
d1650 35 a1684 5Information about queries that resulted in some failure.
d1688 2 a1689 2rate-limit
d1691 5 a1695 25(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1699 2 a1700 2resolver
d1702 5 a1706 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1710 2 a1711 2rpz
d1713 4 a1716 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1720 2 a1721 2security
d1723 6 a1728 4Approval and denial of requests.
d1732 2 a1733 2spill
d1735 8 a1742 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1746 2 a1747 2unmatched
d1749 28 a1776 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1780 2 a1781 2update
d1783 7 a1789 4Dynamic updates.
d1793 2 a1794 2update-security
d1796 25 a1820 4Approval and denial of update requests.
d1824 2 a1825 2xfer-in
d1827 5 a1831 14Zone transfers the server is receiving.
xfer-out
d1836 1 a1836 1 d1840 1 a1840 1 The query-errors category is d1845 1 a1845 1 with debug levels. d1908 2 a1909 2 Zone transfers the server is sending.
d2064 1 a2064 1 d2068 1 a2068 1 This is the grammar of the lwres d2071 1 a2071 1 lwres { d2080 1 a2080 1 d2084 1 a2084 1 The lwres statement configures the d2087 2 a2088 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2092 1 a2092 1 The listen-on statement specifies a d2103 1 a2103 1 The view statement binds this d2114 1 a2114 1 The search statement is equivalent to d2116 1 a2116 1 search statement in d2122 1 a2122 1 The ndots statement is equivalent to d2124 1 a2124 1 ndots statement in d2131 1 a2131 1 d2135 1 a2135 1 mastersname[portip_port] { (masters_list| d2139 1 a2139 1d2141 1 a2141 1 masters Statement Definition and d2143 1 a2143 1d2153 1 a2153 1 This is the grammar of the options d2156 1 a2156 1masters d2145 2 a2146 2 multiple stub and slave zones in their masters or also-notify lists. d2149 1 a2149 1
options { a2199 1 [ auto-dnssecallow|maintain|off; ] d2211 1 a2211 1ip_addr[portip_port] ) ; d2254 2 a2255 2 [ port (ip_port|*) ] | [ address (ip6_addr|*) ] d2264 1 a2266 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2284 3 a2286 3 [ also-notify [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] a2302 1 [ serial-update-methodincrement|unixtime|date; ] d2328 1 a2328 1 [ suffixIPv6-address; ] d2345 2 d2380 4 d2385 1 a2385 5 } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ; ] d2389 1 a2389 1d2391 1 a2391 1 options Statement Definition and d2394 1 a2394 1 The options statement sets up global d2398 1 a2398 1 once in a configuration file. If there is no options d2402 2 a2403 2d6931 1 a6931 1 The view statement is a powerful d6940 1 a6940 1 Each view statement defines a view d6946 1 a6946 1 match-clients clause and its d6950 1 a6950 1 match-destinations clause. If not d6952 1 a6952 1 match-clients and match-destinations d6955 2 a6956 2 match-clients and match-destinations can also take keys which provide an d6959 1 a6959 1 as match-recursive-only, which d6962 1 a6962 1 The order of the view statements is d6965 1 a6965 1 view that it matches. d6968 1 a6968 1 Zones defined within a view d6970 1 a6970 1 only be accessible to clients that match the view. d6977 2 a6978 2 Many of the options given in the options statement can also be used within a view d6982 1 a6982 1 value is given, the value in the options statement d6985 1 a6985 1 in the view statement; these d6987 1 a6987 1 take precedence over those in the options statement. d6995 1 a6995 1 If there are no view statements in d6999 1 a6999 1 in class IN. Any zone statements d7003 1 a7003 1 this default view, and the options d7005 2 a7006 2 apply to the default view. If any explicit view statements are present, all zone d7008 1 a7008 1 occur inside view statements. d7012 1 a7012 1 using view statements: d7047 1 a7047 1d3929 2 a3930 2
- attach-cache
d2415 2 a2416 2 The attach-cache option may also be specified in view d2418 1 a2418 1 global attach-cache option. d2423 1 a2423 1 When the named server configures d2434 1 a2434 1 the attach-cache as a global d2443 1 a2443 1 attach-cache option as a view A (or d2466 8 a2473 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2488 1 a2488 1- directory
d2503 1 a2503 1- key-directory
d2514 1 a2514 1- managed-keys-directory
d2522 1 a2522 1 If named is not configured to use views, d2531 1 a2531 1- named-xfer
d2535 1 a2535 1 the pathname to the named-xfer d2537 1 a2537 1 named-xfer program is needed; d2540 1 a2540 1- tkey-gssapi-keytab
d2547 1 a2547 1- tkey-gssapi-credential
d2558 1 a2558 1 To use GSS-TSIG, tkey-domain must d2562 1 a2562 1- tkey-domain
d2565 2 a2566 2 generated with TKEY. When a client requests a TKEY exchange, d2573 1 a2573 1 In most cases, the domainname d2580 1 a2580 1- tkey-dhkey
d2585 1 a2585 1 of TKEY. The server must be d2591 1 a2591 1- cache-file
d2595 1 a2595 1- dump-file
d2599 1 a2599 1 rndc dumpdb. d2602 1 a2602 1- memstatistics-file
d2608 1 a2608 1- pid-file
d2615 1 a2615 1 name server. Specifying pid-file none disables the d2617 1 a2617 1 existing one will be removed. Note that none d2622 1 a2622 1- recursing-file
d2626 1 a2626 1 to do so with rndc recursing. d2629 1 a2629 1- statistics-file
d2632 1 a2632 1 to when instructed to do so using rndc stats. d2636 1 a2636 1 in the section called “The Statistics File”. d2638 1 a2638 1- bindkeys-file
d2641 3 a2643 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2647 1 a2647 1- secroots-file
d2651 1 a2651 1 rndc secroots. d2655 1 a2655 1- session-keyfile
d2658 2 a2659 2 session key generated by named for use by nsupdate -l. If not specified, the d2661 1 a2661 1 (See the section called “Dynamic Update Policies”, and in d2663 1 a2663 1 update-policy statement's d2667 1 a2667 1- session-keyname
d2672 1 a2672 1- session-keyalg
d2679 1 a2679 1- port
d2689 1 a2689 1- random-device
d2703 1 a2703 1 random-device option takes d2708 1 a2708 1- preferred-glue
d2713 1 a2713 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2716 1 a2716 1 root-delegation-only d2762 1 a2762 1- disable-algorithms
d2766 1 a2766 1 Multiple disable-algorithms d2770 1 a2770 1- dnssec-lookaside
d2773 1 a2773 1 When set, dnssec-lookaside provides the d2777 1 a2777 1 dnssec-lookaside, and the normal DNSSEC d2785 1 a2785 1 If dnssec-lookaside is set to d2791 1 a2791 1 If dnssec-lookaside is set to d2798 2 a2799 2 named will load that key at startup if dnssec-lookaside is set to d2804 1 a2804 1 from https://www.isc.org/solutions/dlv/. d2809 2 a2810 2 named. Relying on this is not recommended, however, as it requires named d2814 1 a2814 1 NOTE: named only loads certain specific d2820 1 a2820 1- dnssec-must-be-secure
d2824 1 a2824 1 then named will only accept answers if d2828 3 a2830 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2832 1 a2832 1- dns64
d2835 1 a2835 1 This directive instructs named to d2839 1 a2839 1 dns64 defines one DNS64 prefix. d2850 2 a2851 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2857 2 a2858 2 Each dns64 supports an optional clients ACL that determines which d2863 3 a2865 3 Each dns64 supports an optional mapped ACL that selects which IPv4 addresses are to be mapped in the corresponding d2873 1 a2873 1 exclude ACL allows specification d2877 1 a2877 1 name owns. If not defined, exclude d2881 1 a2881 1 A optional suffix can also d2889 2 a2890 2 If recursive-only is set to yes the DNS64 synthesis will d2892 1 a2892 1 is no. d2895 2 a2896 2 If break-dnssec is set to yes the DNS64 synthesis will d2899 1 a2899 1 is set to no (the default), the DO d2914 1 a2914 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d2921 2 a2922 2 the section called “Dynamic Update Policies”), and if named has access to the d2924 1 a2924 1 named will automatically sign all new d2931 1 a2931 1 then named will sign all new or d2936 1 a2936 1 With either of these settings, named d2939 1 a2939 1 named. (A planned third option, d2945 1 a2945 23- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
- zone-statistics
d2951 3 a2953 3 zone-statistics terse or zone-statistics none in the zone statement). d2961 2 a2962 2 statistics-channel or using rndc stats, which d2964 2 a2965 2 in the statistics-file. See also the section called “The Statistics File”. d2969 1 a2969 1 of BIND 9, the zone-statistics d2977 1 a2977 1d2980 2 a2981 2d3888 2 a3889 2
- allow-new-zones
d2984 2 a2985 2 added at runtime via rndc addzone or deleted via rndc delzone. d2988 1 a2988 1- auth-nxdomain
d2990 1 a2990 1 Ifyes, then the AA bit d2999 1 a2999 1- deallocate-on-exit
d3006 1 a3006 1- memstatistics
d3009 1 a3009 1 memstatistics-file at exit. d3014 1 a3014 1- dialup
d3026 1 a3026 1 happens in a short interval, once every heartbeat-interval and d3032 4 a3035 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3048 1 a3048 1 notify and also-notify. d3056 1 a3056 1 heartbeat-interval expires in d3069 1 a3069 1 when the heartbeat-interval d3077 4 a3080 4d3107 1 a3107 1 no (default)
d3127 1 a3127 1yes
d3147 1 a3147 1notify
d3167 1 a3167 1refresh
d3187 1 a3187 1passive
d3207 1 a3207 1notify-passive
d3229 1 a3229 1 dialup. d3232 1 a3232 1- fake-iquery
d3239 1 a3239 1- fetch-glue
d3250 1 a3250 1- flush-zones-on-shutdown
d3255 1 a3255 1 flush-zones-on-shutdownno. d3257 1 a3257 1- has-old-clients
d3263 3 a3265 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3267 1 a3267 1- host-statistics
d3274 1 a3274 1- maintain-ixfr-base
d3282 1 a3282 1 transfers, use provide-ixfrno. d3284 1 a3284 1- minimal-responses
d3293 1 a3293 1- multiple-cnames
d3301 1 a3301 1- notify
d3307 1 a3307 1 changes, see the section called “Notify”. The messages are d3312 1 a3312 1 also-notify option. d3320 1 a3320 1 servers explicitly listed using also-notify. d3324 2 a3325 2 The notify option may also be specified in the zone d3327 1 a3327 1 in which case it overrides the options notify statement. d3333 1 a3333 1- notify-to-soa
d3344 1 a3344 1- recursion
d3355 1 a3355 1 Note that setting recursion no does not prevent d3361 1 d3363 1 a3363 1- request-nsid
d3366 1 a3366 1 NSID (Name Server Identifier) option is sent with all d3370 2 a3371 2 the resolver category at level info. d3374 1 a3374 1- rfc2308-type1
d3390 1 a3390 1- use-id-pool
d3396 1 a3396 1- use-ixfr
d3401 3 a3403 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3406 1 a3406 1 the section called “Incremental Zone Transfers (IXFR)”. d3408 1 a3408 1- provide-ixfr
d3411 3 a3413 2 provide-ixfr in the section called “server Statement Definition and d3416 1 a3416 1- request-ixfr
d3419 3 a3421 2 request-ixfr in the section called “server Statement Definition and d3424 1 a3424 1- treat-cr-as-space
d3428 1 a3428 1 the server treat carriage return ("\r") characters the same way d3432 2 a3433 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3438 1 a3438 1 additional-from-auth, additional-from-cache d3473 1 a3473 1 Setting these options to no d3481 1 a3481 1 them to no without also d3483 1 a3483 1 recursion no will cause the d3488 1 a3488 1 Specifying additional-from-cache no actually d3508 1 a3508 1 referrals when additional-from-cache no d3516 1 a3516 1- match-mapped-addresses
d3529 1 a3529 1 named now solves this problem d3533 1 a3533 1- filter-aaaa-on-v4
d3544 3 a3546 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3551 2 a3552 2 the DNS client is at an IPv4 address, in filter-aaaa, and if the response does not include DNSSEC signatures, d3564 2 a3565 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3584 1 a3584 1- ixfr-from-differences
d3608 3 a3610 3ixfr-from-differences also accepts master and slave at the view and options d3612 3 a3614 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3618 1 a3618 1
- multi-master
d3622 1 a3622 1 addresses refer to different machines. Ifyes, named will d3624 1 a3624 1 when the serial number on the master is less than what named d3628 4 a3631 47- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
This indicates whether DNSSEC-related resource records are to be returned by named. If set to
no, named will not return DNSSEC-related resource records unless specifically queried for. d3634 4 a3637 5- dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3645 2 a3646 2 a trusted-keys or managed-keys statement. The default d3648 2 a3649 12
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
- dnssec-accept-expired
d3654 1 a3654 1 leaves named vulnerable to d3657 1 a3657 1- querylog
d3659 1 a3659 1 Specify whether query logging should be started when named d3661 1 a3661 1 If querylog is not specified, d3663 1 a3663 1 is determined by the presence of the logging category queries. d3665 1 a3665 1- check-names
d3674 5 a3678 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3684 1 a3684 1check-names d3693 1 a3693 1
- check-dup-records
d3697 3 a3699 3 default is to warn. Other possible values are fail and ignore. d3701 1 a3701 1- check-mx
d3704 3 a3706 3 The default is to warn. Other possible values are fail and ignore. d3708 1 a3708 1- check-wildcard
d3715 1 a3715 1 affects master zones. The default (yes) is to check d3718 1 a3718 1- check-integrity
d3727 1 a3727 1 named-checkzone). d3730 2 a3731 2 checks use named-checkzone). The default is yes. d3741 1 a3741 1 check-spf. d3744 1 a3744 1- check-mx-cname
d3746 1 a3746 1 If check-integrity is set then d3748 1 a3748 1 to CNAMES. The default is to warn. d3750 1 a3750 1- check-srv-cname
d3752 1 a3752 1 If check-integrity is set then d3754 1 a3754 1 to CNAMES. The default is to warn. d3756 1 a3756 1- check-sibling
d3759 1 a3759 1 sibling glue exists. The default is yes. d3761 1 a3761 1- check-spf
d3763 1 a3763 1 If check-integrity is set then d3767 1 a3767 1 warn. d3769 1 a3769 1- zero-no-soa-ttl
d3774 1 a3774 1 The default is yes. d3776 1 a3776 1- zero-no-soa-ttl-cache
d3780 1 a3780 1 The default is no. d3782 1 a3782 1- update-check-ksk
d3797 1 a3797 1 similar to the dnssec-signzone -z d3809 1 a3809 1- dnssec-dnskey-kskonly
d3812 1 a3812 1 When this option and update-check-ksk d3819 1 a3819 1 dnssec-signzone -x command line option. d3822 2 a3823 2 The default is no. If update-check-ksk is set to d3827 16 a3842 1- try-tcp-refresh
d3846 1 a3846 1 yes. d3848 1 a3848 1- dnssec-secure-to-insecure
d3853 2 a3854 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d3867 1 a3867 1 auto-dnssec maintain and the d3870 1 a3870 1 next time named is started. d3875 1 a3875 1
- forward
d3901 1 a3901 1- forwarders
d3913 3 a3915 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d3919 1 a3919 1d4709 2 a4710 2 example, 1G can be used instead of 1073741824 to specify a limit of d4712 1 a4712 1 gigabyte. unlimited requests d4714 1 a4714 1 maximum available amount. default d4717 1 a4717 1 of size_spec in the section called “Configuration File Elements”. d4727 2 a4728 2
- dual-stack-servers
d3937 1 a3937 1 stacked, then the dual-stack-servers have no effect unless d3939 1 a3939 1 (e.g. named -4). d3943 1 a3943 1d3948 1 a3948 1 of the requesting system. See the section called “Address Match Lists” for d3951 2 a3952 2d4192 1 a4192 1 from may be specified using the listen-on option. listen-on takes d4200 1 a4200 1 Multiple listen-on statements are d4213 1 a4213 1 If no listen-on is specified, the d4217 1 a4217 1 The listen-on-v6 option is used to d4228 1 a4228 1 listen-on-v6 option, d4243 1 a4243 1 IPv4 addresses specified in listen-on-v6 d4247 1 a4247 1 Multiple listen-on-v6 options can d4266 1 a4266 1 If no listen-on-v6 option is d4268 3 a4270 3 unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default. d4273 1 a4273 1
- allow-notify
d3957 1 a3957 1 allow-notify may also be d3959 1 a3959 1 zone statement, in which case d3961 1 a3961 1 options allow-notify d3967 1 a3967 1- allow-query
d3971 2 a3972 2 DNS questions. allow-query may also be specified in the zone d3974 1 a3974 1 options allow-query statement. d3981 1 a3981 1 allow-query-cache is now d3986 1 a3986 1- allow-query-on
d3996 1 a3996 1 Note that allow-query-on is only d3998 1 a3998 1 allow-query. A query must be d4002 2 a4003 2 allow-query-on may also be specified in the zone d4005 1 a4005 1 options allow-query-on statement. d4014 1 a4014 1 allow-query-cache is d4019 1 a4019 1- allow-query-cache
d4022 7 a4028 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4030 1 a4030 1- allow-query-cache-on
d4035 2 a4036 2 localnets and localhost. d4038 1 a4038 1- allow-recursion
d4042 3 a4044 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4046 2 a4047 2 (localnets; localhost;) is used. d4049 1 a4049 1- allow-recursion-on
d4055 1 a4055 1- allow-update
d4062 1 a4062 1 the section called “Dynamic Update Security” for details. d4064 1 a4064 1- allow-update-forwarding
d4088 1 a4088 1 access control to attacks; see the section called “Dynamic Update Security” d4092 1 a4092 1- allow-v6-synthesis
d4102 1 a4102 1- allow-transfer
d4105 2 a4106 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4108 1 a4108 1 case it overrides the options allow-transfer statement. d4112 1 a4112 1- blackhole
d4120 1 a4120 1- filter-aaaa
d4123 1 a4123 1 filter-aaaa-on-v4 d4126 1 a4126 1- no-case-compress
d4131 1 a4131 1 used when named needs to work with d4138 1 a4138 1 none: case-insensitive compression d4162 1 a4162 1 There are circumstances in which named d4177 1 a4177 1- resolver-query-timeout
d4187 1 a4187 1d4278 1 a4278 1 query other name servers. query-source specifies d4280 3 a4282 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4286 1 a4286 1 If port is * or is omitted, d4290 2 a4291 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4293 2 a4294 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4297 2 a4298 2 The defaults of the query-source and query-source-v6 options d4305 3 a4307 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4311 1 a4311 1 named will use the corresponding system d4324 2 a4325 2 changed while named is running; the new range will automatically be applied when named d4328 2 a4329 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4335 1 a4335 1 where named runs may prohibit the use d4337 1 a4337 1 named running without a root privilege d4346 2 a4347 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4355 1 a4355 1 the use-queryport-pool d4361 2 a4362 2 query-source or query-source-v6 options; d4365 2 a4366 2d4665 4 a4668 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4671 1 a4671 1 See the section called “Query Address” about how the d4681 1 a4681 1 from named will be in one d4686 3 a4688 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4696 3 a4698 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4703 1 a4703 1
- use-queryport-pool
d4370 1 a4370 1- queryport-pool-ports
d4374 1 a4374 1- queryport-pool-updateinterval
d4382 1 a4382 1 The address specified in the query-source option d4398 2 a4399 2 See also transfer-source and notify-source. d4403 1 a4403 1d4412 2 a4413 2d4615 1 a4615 1
- also-notify
d4424 1 a4424 1 also-notify address to send d4431 1 a4431 1 masters lists can be used. d4434 2 a4435 2 If an also-notify list is given in a zone statement, d4437 2 a4438 2 the options also-notify statement. When a zone notify d4440 2 a4441 2 is set to no, the IP addresses in the global also-notify list will d4447 1 a4447 1- max-transfer-time-in
d4454 1 a4454 1- max-transfer-idle-in
d4461 1 a4461 1- max-transfer-time-out
d4468 1 a4468 1- max-transfer-idle-out
d4475 1 a4475 1- serial-query-rate
d4484 1 a4484 1 serial-query-rate option, an d4492 2 a4493 2 queries are issued at, serial-query-rate also controls d4498 1 a4498 1- serial-queries
d4500 1 a4500 1 In BIND 8, the serial-queries d4505 1 a4505 1 serial queries and ignores the serial-queries option. d4507 1 a4507 1 as defined using the serial-query-rate option. d4509 1 a4509 1- transfer-format
d4512 3 a4514 3 one-answer and many-answers. The transfer-format option is used d4516 1 a4516 1 one-answer uses one DNS message per d4518 1 a4518 1 many-answers packs as many resource d4520 1 a4520 1 many-answers is more efficient, but is d4524 1 a4524 1 The many-answers format is also supported by d4526 3 a4528 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4531 1 a4531 1- transfers-in
d4535 1 a4535 1 Increasing transfers-in may d4540 1 a4540 1- transfers-out
d4547 1 a4547 1- transfers-per-ns
d4553 1 a4553 1 Increasing transfers-per-ns d4557 3 a4559 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4561 1 a4561 1- transfer-source
d4563 1 a4563 1transfer-source d4573 1 a4573 1 allow-transfer option for the d4576 1 a4576 1 transfer-source for all zones, d4579 3 a4581 3 transfer-source statement within the view or zone block in the configuration d4592 1 a4592 1
- transfer-source-v6
d4594 1 a4594 1 The same as transfer-source, d4597 1 a4597 1- alt-transfer-source
d4601 2 a4602 2 transfer-source fails and use-alt-transfer-source is a4606 1d4609 1 a4609 1 use-alt-transfer-source d4613 1 a4613 2
- alt-transfer-source-v6
d4618 2 a4619 2 transfer-source-v6 fails and use-alt-transfer-source is d4622 1 a4622 1- use-alt-transfer-source
d4625 1 a4625 1 specified this defaults to no d4627 1 a4627 1 yes (for BIND 8 d4630 1 a4630 1- notify-source
d4632 1 a4632 1notify-source d4636 3 a4638 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4641 3 a4643 3 notify-source statement within the zone or view block in the configuration d4654 1 a4654 1
- notify-source-v6
d4656 1 a4656 1 Like notify-source, d4661 1 a4661 1
- coresize
d4733 1 a4733 1- datasize
d4746 2 a4747 2 max-cache-size and recursive-clients d4750 1 a4750 1- files
d4755 1 a4755 1- stacksize
d4762 1 a4762 1d4770 2 a4771 2
- max-ixfr-log-size
d4775 1 a4775 1 max-journal-size performs a d4778 1 a4778 1- max-journal-size
d4781 1 a4781 1 (see the section called “The journal file”). When the journal file d4791 1 a4791 1- host-statistics-max
d4797 5 a4801 6- recursive-clients
The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4804 7 a4810 24 bit of memory (on the order of 20 kilobytes), the value of the recursive-clients option may have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.- tcp-clients
d4816 1 a4816 175- clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
- fetches-per-zone
The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetches-per-server
The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetch-quota-params
Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- reserved-sockets
d4821 1 a4821 1 interfaces named listens on, tcp-clients as well as d4832 1 a4832 1- max-cache-size
d4854 1 a4854 1- tcp-listen-queue
d4863 1 a4863 1 be used; on most platforms this sets the listen queue d4868 1 a4868 1d4979 2 a4980 2 (but see the rrset-order statement in the section called “RRset Ordering”). d4991 1 a4991 1 The sortlist statement (see below) d4993 1 a4993 1 an address_match_list and d4995 1 a4995 1 more specifically than the topology d4997 3 a4999 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5002 1 a5002 1 an IP prefix, an ACL name or a nested address_match_list) d5014 2 a5015 2 treated the same as the address_match_list in a topology statement. Each top d5080 1 a5080 1
- cleaning-interval
d4876 1 a4876 1 from the cache every cleaning-interval minutes. d4883 1 a4883 1- heartbeat-interval
d4886 1 a4886 1 for all zones marked as dialup whenever this d4893 1 a4893 1- interface-interval
d4896 1 a4896 1 every interface-interval d4904 1 a4904 1 listen-on configuration), and d4908 1 a4908 1- statistics-interval
d4912 1 a4912 1 every statistics-interval d4927 1 a4927 1d5087 1 a5087 1 The rrset-order statement permits d5090 2 a5091 2 See also the sortlist statement, the section called “The sortlist Statement”. d5094 1 a5094 1 An order_spec is defined as d5104 3 a5106 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5109 1 a5109 1 The legal values for ordering are: d5113 2 a5114 2d5119 1 a5119 1 fixed
d5130 1 a5130 1random
d5140 1 a5140 1cyclic
d5171 1 a5171 1 If multiple rrset-order statements d5181 1 a5181 1 rrset-order statement does not support d5188 1 a5188 1d5191 2 a5192 2
- lame-ttl
d5209 1 a5209 1- max-ncache-ttl
d5212 1 a5212 1 the server stores negative answers. max-ncache-ttl is d5216 2 a5217 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5221 1 a5221 1- max-cache-ttl
d5231 1 a5231 1- min-roots
d5246 1 a5246 1- sig-validity-interval
d5251 1 a5251 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5268 1 a5268 1 The sig-validity-interval d5274 1 a5274 1- sig-signing-nodes
d5281 1 a5281 1- sig-signing-signatures
d5288 1 a5288 1- sig-signing-type
d5301 1 a5301 1 named to track the current state of d5305 2 a5306 2 rndc signing -listzone. Once named has finished signing d5310 1 a5310 1 rndc signing -clearkeyid/algorithmzone. d5313 1 a5313 1 rndc signing -clear allzone. d5317 1 a5317 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5341 4 a5344 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5348 1 a5348 1- edns-udp-size
d5356 1 a5356 1 edns-udp-size to a non-default d5362 1 a5362 1 named will fallback to using 512 bytes d5369 1 a5369 1- max-udp-size
d5373 1 a5373 1 named will send in bytes. d5377 1 a5377 1 max-udp-size to a non-default d5382 1 a5382 1 buffer (edns-udp-size). d5389 1 a5389 1- masterfile-format
d5393 1 a5393 1 the section called “Additional File Formats”). d5399 2 a5400 2 named-compilezone tool, or dumped by named. d5404 1 a5404 1textis loaded, named d5407 1 a5407 1 check-names checks do not apply d5411 1 a5411 1 specified in the named configuration d5413 1 a5413 1 masterfile-format for all zones, d5415 3 a5417 3 by including a masterfile-format statement within the zone or view block in the configuration d5422 1 a5422 14 max-recursion-depthSets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
- max-recursion-queries d5424 56 a5479 10
Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75.
- notify-delay
d5487 1 a5487 1 zones is controlled by serial-query-rate. d5490 1 a5490 1- max-rsa-exponent-size
d5499 1 a5499 1d5506 1 a5506 1 CHAOS class. These zones are part d5508 1 a5508 1 built-in view (see the section called “view Statement Grammar”) of d5510 3 a5512 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5514 3 a5516 3 overridden: notify, recursion and allow-new-zones are d5521 1 a5521 1 below, or hide the built-in CHAOS d5523 1 a5523 1 defining an explicit view of class CHAOS d5526 2 a5527 2
- version
d5531 1 a5531 1 with type TXT, class CHAOS. d5533 1 a5533 1 Specifying version none d5536 1 a5536 1- hostname
d5540 1 a5540 1 with type TXT, class CHAOS. d5546 1 a5546 1 answering your queries. Specifying hostname none; d5549 1 a5549 1- server-id
d5554 1 a5554 1 TXT, class CHAOS. d5557 1 a5557 1 answering your queries. Specifying server-id none; d5559 1 a5559 1 Specifying server-id hostname; will cause named to d5561 1 a5561 1 The default server-id is none. d5565 1 a5565 1d5588 98 a5685 98d5969 1 a5969 1 response-policy option for the view or among the d5974 1 a5974 1 allow-query { localhost; };. d6020 2 a6021 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6029 1 a6029 1 DISABLED actions) must be chosen. d6033 2 a6034 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a5711 1d5716 3 a5718 4
- empty-server
d5724 1 a5724 1- empty-contact
d5730 1 a5730 1- empty-zones-enable
d5735 1 a5735 1- disable-empty-zone
d5742 1 a5742 1d5746 1 a5746 1 The additional section cache, also called acache, d5751 1 a5751 1 Note that acache is an internal caching d5766 3 a5768 3 additional-from-cache to no is recommended, since the current implementation of acache d5773 1 a5773 1 One obvious disadvantage of acache is d5778 3 a5780 3 acache mechanism can be disabled by setting acache-enable to no. d5783 1 a5783 1 for acache by using max-acache-size. d5788 2 a5789 2 Without acache, cyclic order is effective for the additional d5794 1 a5794 1 setting of rrset-order. d5803 1 a5803 1 acache. d5805 2 a5806 2d5843 1 a5843 1 deny-answer-addresses option. d5848 1 a5848 1 deny-answer-aliases option, where d5852 1 a5852 1 with except-from, records whose query name d5856 1 a5856 1 corresponding zone, the deny-answer-aliases d5859 1 a5859 1 deny-answer-aliases, d5867 1 a5867 1 deny-answer-addresses option, only d5888 1 a5888 1 d5922 1 a5922 1 matches the except-from element, d5956 1 a5956 1
- Choose the triggered record in the zone that appears d6037 1 a6037 1
- Prefer QNAME to IP to NSDNAME to NSIP triggers d6040 1 a6040 1
- Among NSDNAME triggers, prefer the d6043 1 a6043 1
- Among IP or NSIP triggers, prefer the trigger d6046 1 a6046 1
- Among triggers with the same prefix length, d6064 2 a6065 2
d6234 2 a6235 2 rate-limit clause in an options or view statement. d6262 1 a6262 1 the window option to any value from d6266 1 a6266 1 or more negative than window d6277 2 a6278 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6283 1 a6283 1 with responses-per-second d6288 2 a6289 2 nodata-per-second (default responses-per-second). d6293 2 a6294 2 They are limited by nxdomain-per-second (default responses-per-second). d6301 2 a6302 2 referrals-per-second (default responses-per-second). d6316 1 a6316 1 responses-per-second value, d6318 1 a6318 1 errors-per-second. d6328 1 a6328 1 Setting slip to 2 (its default) causes every d6334 1 a6334 1 slip must be between 0 and 10. d6342 1 a6342 1 leaked at the slip rate. d6353 1 a6353 1 slip to 1, causing all rate-limited d6359 6 a6364 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6367 1 a6367 1 qps-scale 250; responses-per-second 20; and d6378 2 a6379 2 rate-limit statements in view statements instead of the global option d6381 2 a6382 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6385 1 a6385 1 with the exempt-clients clause. d6389 1 a6389 1 all-per-second phrase. d6391 3 a6393 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6398 2 a6399 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6401 1 a6401 1 An all-per-second limit should be d6409 1 a6409 1 records as it considers the STMP Mail From d6413 1 a6413 1 All-per-second is similar to the d6425 1 a6425 1 rate limit responses is set with max-table-size. d6431 1 a6431 1 min-table-size (default 500) d6433 1 a6433 1 Enable rate-limit category logging to monitor d6438 1 a6438 1 Use log-only yes to test rate limiting parameters d6443 1 a6443 1 RateDropped and QryDropped d6446 1 a6446 1 RateSlipped and RespTruncated. d6450 1 a6450 1
- The NXDOMAIN response is encoded d6068 2 a6069 2
- A CNAME whose target is the wildcard top-level domain (*.) specifies the NODATA action, d6072 1 a6072 1
- The Local Data action is d6084 2 a6085 2
- The PASSTHRU policy is specified by a CNAME whose target is rpz-passthru. d6097 2 a6098 2 policy clause in the response-policy option. d6102 3 a6104 3
- GIVEN says "do not override but d6107 2 a6108 2
- DISABLED causes policy records to do d6116 2 a6117 2
- PASSTHRU causes all policy records d6122 2 a6123 2
- NXDOMAIN causes all RPZ records d6126 2 a6127 2
- NODATA overrides with the d6130 2 a6131 2
- CNAME domain causes all RPZ d6141 1 a6141 1 with a recursive-only no clause. d6153 1 a6153 1 break-dnssec yes clause. d6162 1 a6162 1 The max-policy-ttl clause changes that d6220 1 a6220 1 RPZRewrites statistics. d6223 1 a6223 1
serverip_addr[/prefixlen]{ d6463 1 a6463 1 [ keys {key_id}; ] d6478 1 a6478 1d6480 1 a6480 1 server Statement Definition and d6483 1 a6483 1 The server statement defines d6492 1 a6492 1 The server statement can occur at d6494 1 a6494 1 configuration file or inside a view d6496 2 a6497 2 If a view statement contains one or more server statements, only d6500 1 a6500 1 If a view contains no server d6502 1 a6502 1 any top-level server statements are d6510 1 a6510 1 value of bogus is no. d6513 1 a6513 1 The provide-ixfr clause determines d6518 1 a6518 1 If set to yes, incremental transfer d6520 1 a6520 1 whenever possible. If set to no, d6524 1 a6524 1 of the provide-ixfr option in the d6529 1 a6529 1 The request-ixfr clause determines d6533 1 a6533 1 value of the request-ixfr option in d6544 3 a6546 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d6553 1 a6553 1 The edns clause determines whether d6555 1 a6555 1 with the remote server. The default is yes. d6558 2 a6559 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. d6567 2 a6568 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d6572 1 a6572 1 replies from named. d6575 3 a6577 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d6581 3 a6583 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d6585 1 a6585 1 by the options statement will be d6588 1 a6588 1transfers d6591 1 a6591 1 transfers clause is specified, the d6593 1 a6593 1 transfers-per-ns option. d6596 3 a6598 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d6607 5 a6611 1 Only a single key per server is currently supported. d6614 2 a6615 2 The transfer-source and transfer-source-v6 clauses specify d6619 1 a6619 1 For an IPv4 remote server, only transfer-source can d6622 1 a6622 1 transfer-source-v6 can be d6625 3 a6627 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d6630 2 a6631 2 The notify-source and notify-source-v6 clauses specify the d6634 1 a6634 1 IPv4 remote server, only notify-source d6636 1 a6636 1 only notify-source-v6 can be specified. d6639 2 a6640 2 The query-source and query-source-v6 clauses specify the d6643 1 a6643 1 remote server, only query-source can d6645 1 a6645 1 only query-source-v6 can be specified. d6648 1 a6648 1 The request-nsid clause determines d6651 2 a6652 2 request-nsid set at the view or option level. d6655 1 a6655 1
statistics-channels { d6665 1 a6665 1d6667 1 a6667 1 statistics-channels Statement Definition and d6670 1 a6670 1 The statistics-channels statement d6680 1 a6680 1 the statistics-channels statement is d6685 4 a6688 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d6692 1 a6692 1 use an ip_addr of::. d6697 1 a6697 1 ip_port. d6701 1 a6701 1 restricted by the optional allow clause. d6703 3 a6705 3 address_match_list. If no allow clause is present, named accepts connection d6712 2 a6713 2 If no statistics-channels statement is present, named will not open any communication channels. d6718 3 a6720 3 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables d6722 1 a6722 1 BIND 9 is configured with --enable-newstats, d6731 4 a6734 4 can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. d6740 1 a6740 1trusted-keys { d6749 1 a6749 1d6751 1 a6751 1 trusted-keys Statement Definition d6754 2 a6755 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d6766 1 a6766 1 trusted-keys are deemed to exist regardless d6768 1 a6768 1 trusted-keys only those keys are d6773 1 a6773 1 The trusted-keys statement can contain d6782 1 a6782 1 trusted-keys may be set at the top level d6789 1 a6789 1managed-keys { d6798 1 a6798 1d6800 1 a6800 1 managed-keys Statement Definition d6803 2 a6804 2 The managed-keys statement, like trusted-keys, defines DNSSEC d6806 1 a6806 1 managed-keys can be kept up to date d6814 1 a6814 1 trusted-keys statement would be d6818 1 a6818 1 trusted-keys statement with the new key. d6822 1 a6822 1 managed-keys statement instead, then the d6824 2 a6825 2 named would store the stand-by key, and when the original key was revoked, named d6832 1 a6832 1 A managed-keys statement contains a list of d6837 1 a6837 1 This means the managed-keys statement must d6843 2 a6844 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d6847 1 a6847 1 keys listed in a trusted-keys continue to be d6849 2 a6850 2named.conf, an initializing key listed in a managed-keys statement is only trusted d6856 1 a6856 1 The first time named runs with a managed key d6859 1 a6859 1 using the key specified in the managed-keys d6864 2 a6865 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d6868 1 a6868 1 key specified in the managed-keys is not d6873 1 a6873 1 The next time named runs after a name d6875 1 a6875 1 managed-keys statement, the corresponding d6881 3 a6883 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d6895 1 a6895 1 seconds. So, whenever named is using d6899 1 a6899 1 named.) d6902 2 a6903 2 If the dnssec-validation option is set toauto, named d6905 1 a6905 1 root zone. Similarly, if the dnssec-lookaside d6907 1 a6907 1 named will automatically initialize d6910 2 a6911 2 maintenance process is built into named, and can be overridden from bindkeys-file. d6914 1 a6914 1viewview_named6927 1 a6927 1d7049 1 a7049 1 zone d7051 1 a7051 1zonezone_name[class] { d7061 2 d7202 1 a7202 1 [ zone-statisticsfull|terse|none; ] d7215 2 a7216 2 [ server-names { [namelist] }; ] [ zone-statisticsfull|terse|none; ] d7239 1 a7239 1The type keyword is required for the zone configuration. Its acceptable values include:
d7247 2 a7248 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7275 1 a7275 1 zone. The masters list d7390 2 a7391 2 server-addresses and server-names zone options. d7397 1 a7397 1 databases by rndc dumpdb -all. d7415 1 a7415 1 glue A or AAAA RRs d7428 4 a7431 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d7435 1 a7435 1 name. If no forwarders d7437 1 a7437 1 an empty list for forwarders is given, then no d7440 1 a7440 1 any forwarders in the options statement. Thus d7443 1 a7443 1 global forward option d7485 1 a7485 1 per view. allow-query can be d7499 1 a7499 1 that point to the desired addresses: d7507 1 a7507 1 "*.ES." instead of "*.". To redirect all d7522 1 a7522 1 rndc reload d7525 1 a7525 1 rndc reload without specifying d7553 1 a7553 1 See caveats in root-delegation-only. d7560 1 a7560 1 d7582 1 a7582 1 d8523 1 a8523 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d8530 2 a8531 2
- allow-notify
d7589 1 a7589 1 allow-notify in the section called “Access Control”. d7591 1 a7591 1- allow-query
d7594 1 a7594 1 allow-query in the section called “Access Control”. d7596 1 a7596 1- allow-query-on
d7599 1 a7599 1 allow-query-on in the section called “Access Control”. d7601 1 a7601 1- allow-transfer
d7603 2 a7604 2 See the description of allow-transfer in the section called “Access Control”. d7606 1 a7606 1- allow-update
d7608 2 a7609 2 See the description of allow-update in the section called “Access Control”. d7611 1 a7611 1- update-policy
d7614 1 a7614 1 the section called “Dynamic Update Policies”. d7616 1 a7616 1- allow-update-forwarding
d7618 2 a7619 2 See the description of allow-update-forwarding in the section called “Access Control”. d7621 1 a7621 1- also-notify
d7623 1 a7623 1 Only meaningful if notify d7632 1 a7632 1 with also-notify. A port d7634 1 a7634 1 with each also-notify d7640 1 a7640 1 also-notify is not d7644 1 a7644 1- check-names
d7650 3 a7652 8 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones.- check-mx
See the description of check-mx in the section called “Boolean Options”. d7654 1 a7654 1
- check-spf
d7657 1 a7657 1 check-spf in the section called “Boolean Options”. d7659 1 a7659 1- check-wildcard
d7662 1 a7662 1 check-wildcard in the section called “Boolean Options”. d7664 1 a7664 1- check-integrity
d7667 1 a7667 1 check-integrity in the section called “Boolean Options”. d7669 1 a7669 1- check-sibling
d7672 1 a7672 1 check-sibling in the section called “Boolean Options”. d7674 1 a7674 1- zero-no-soa-ttl
d7677 1 a7677 1 zero-no-soa-ttl in the section called “Boolean Options”. d7679 1 a7679 1- update-check-ksk
d7682 1 a7682 1 update-check-ksk in the section called “Boolean Options”. d7684 1 a7684 1- dnssec-loadkeys-interval
d7687 1 a7687 2 dnssec-loadkeys-interval in the section called “options Statement Definition and Usage”. d7689 1 a7689 1- dnssec-update-mode
d7692 2 a7693 1 dnssec-update-mode in the section called “options Statement Definition and d7696 1 a7696 1- dnssec-dnskey-kskonly
d7699 1 a7699 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d7701 1 a7701 1- try-tcp-refresh
d7704 1 a7704 1 try-tcp-refresh in the section called “Boolean Options”. d7706 1 a7706 1- database
d7710 1 a7710 1 zone data. The string following the database keyword d7732 1 a7732 1- dialup
d7735 1 a7735 1 dialup in the section called “Boolean Options”. d7737 1 a7737 1- delegation-only
d7746 1 a7746 1 See caveats in root-delegation-only. d7749 1 a7749 1- forward
d7752 1 a7752 1 list. The only value causes d7754 1 a7754 1 after trying the forwarders and getting no answer, while first would d7757 1 a7757 1- forwarders
d7760 1 a7760 1 If it is not specified in a zone of type forward, d7764 1 a7764 1- ixfr-base
d7776 1 a7776 1- ixfr-tmp-file
d7781 1 a7781 1- journal
d7785 1 a7785 1 This is applicable to master and slave zones. d7787 1 a7787 1- max-journal-size
d7790 1 a7790 1 max-journal-size in the section called “Server Resource Limits”. d7792 1 a7792 1- max-transfer-time-in
d7795 1 a7795 1 max-transfer-time-in in the section called “Zone Transfers”. d7797 1 a7797 1- max-transfer-idle-in
d7800 1 a7800 1 max-transfer-idle-in in the section called “Zone Transfers”. d7802 1 a7802 1- max-transfer-time-out
d7805 1 a7805 1 max-transfer-time-out in the section called “Zone Transfers”. d7807 1 a7807 1- max-transfer-idle-out
d7810 1 a7810 1 max-transfer-idle-out in the section called “Zone Transfers”. d7812 1 a7812 1- notify
d7815 1 a7815 1 notify in the section called “Boolean Options”. d7817 1 a7817 1- notify-delay
d7820 1 a7820 1 notify-delay in the section called “Tuning”. d7822 1 a7822 1- notify-to-soa
d7825 2 a7826 2 notify-to-soa in the section called “Boolean Options”. d7828 1 a7828 1- pubkey
d7837 1 a7837 1- zone-statistics
d7839 5 a7843 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d7845 1 a7845 1- server-addresses
d7859 1 a7859 1 in a server-addresses option, d7874 1 a7874 1- server-names
d7882 1 a7882 1 named needs to send queries to d7890 1 a7890 1 server-names option, but d7900 1 a7900 1 in a server-names option, d7917 1 a7917 1- sig-validity-interval
d7920 1 a7920 1 sig-validity-interval in the section called “Tuning”. d7922 1 a7922 1- sig-signing-nodes
d7925 1 a7925 1 sig-signing-nodes in the section called “Tuning”. d7927 1 a7927 1- sig-signing-signatures
d7930 1 a7930 1 sig-signing-signatures in the section called “Tuning”. d7932 1 a7932 1- sig-signing-type
d7935 1 a7935 1 sig-signing-type in the section called “Tuning”. d7937 1 a7937 1- transfer-source
d7940 1 a7940 1 transfer-source in the section called “Zone Transfers”. d7942 1 a7942 1- transfer-source-v6
d7945 1 a7945 1 transfer-source-v6 in the section called “Zone Transfers”. d7947 1 a7947 1- alt-transfer-source
d7950 1 a7950 1 alt-transfer-source in the section called “Zone Transfers”. d7952 1 a7952 1- alt-transfer-source-v6
d7955 1 a7955 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d7957 1 a7957 1- use-alt-transfer-source
d7960 1 a7960 1 use-alt-transfer-source in the section called “Zone Transfers”. d7962 1 a7962 1- notify-source
d7965 1 a7965 1 notify-source in the section called “Zone Transfers”. d7967 1 a7967 1- notify-source-v6
d7970 1 a7970 1 notify-source-v6 in the section called “Zone Transfers”. d7973 1 a7973 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d7976 1 a7976 1 See the description in the section called “Tuning”. d7978 1 a7978 1- ixfr-from-differences
d7981 2 a7982 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d7987 1 a7987 1- key-directory
d7990 2 a7991 1 key-directory in the section called “options Statement Definition and d7994 63 a8056 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8065 1 a8065 1- multi-master
d8067 2 a8068 2 See the description of multi-master in the section called “Boolean Options”. d8070 1 a8070 1- masterfile-format
d8072 2 a8073 2 See the description of masterfile-format in the section called “Tuning”. d8075 1 a8075 1- dnssec-secure-to-insecure
d8078 1 a8078 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8082 1 a8082 1d8088 2 a8089 2 allow-update and update-policy option, respectively. d8092 1 a8092 1 The allow-update clause works the d8098 1 a8098 1 The update-policy clause d8108 1 a8108 1 Rules are specified in the update-policy d8110 1 a8110 1 When the update-policy statement d8112 2 a8113 2 allow-update statement to be present. The update-policy statement d8118 1 a8118 1 There is a pre-defined update-policy d8120 1 a8120 1 update-policy local;. d8122 1 a8122 1 named to generate a TSIG session d8128 3 a8130 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8142 1 a8142 1 The command nsupdate -l sends update d8149 1 a8149 1 ( grant | deny )identitynametype[name] [types] d8204 2 a8205 2d8249 1 a8249 1 update-policy statement d8252 1 a8252 1 update-policy statement in d8272 1 a8272 1 is a valid expansion of the wildcard. d8338 1 a8338 1 and converts it machine.realm allowing the machine d8353 1 a8353 1 This rule takes a Windows machine principal d8372 1 a8372 1 and converts it machine.realm allowing the machine d8387 1 a8387 1 This rule takes a Kerberos machine principal d8445 1 a8445 1 This rule allows named d8499 1 a8499 1 d8609 2 a8610 2 a8682 64 ATMA ATM Address.
AVC
Application Visibility and Control record.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a8708 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a8721 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a8765 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a8790 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a8844 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a8857 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a8884 38 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NINFO
Contains zone status information.
NIMLOC
Nimrod Locator.
a8897 12 NSAP-PTR
Historical.
a8961 12 NULL
This is an opaque container.
a8980 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a9006 12 RKEY
Resource key.
a9062 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a9114 37 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9126 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d9159 2 a9160 2
d9249 1 a9249 1 d9291 3 a9293 3 d9409 3 a9411 3 d9452 1 a9452 1 d9492 5 a9496 5 d9635 1 a9635 1 d9727 2 a9728 2 d9760 1 a9760 1 The $ORIGIN lines in the examples d9768 1 a9768 1 d9780 2 a9781 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d9783 1 a9783 1 d9789 1 a9789 1 At the start of the zone file, it is the d9794 1 a9794 1 d9798 1 a9798 1 Syntax: $ORIGIN d9802 1 a9802 1 $ORIGIN d9805 2 a9806 2 is an implicit $ORIGIN <
d9827 1 a9827 1 Syntax: $INCLUDE d9835 3 a9837 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d9842 1 a9842 1 revert to the values they had prior to the $INCLUDE once d9850 1 a9850 1 an $INCLUDE, but it is silent d9859 1 a9859 1 d9863 1 a9863 1 Syntax: $TTL d9873 1 a9873 1zone_name>. d9808 2 a9809 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d9823 1 a9823 1$TTL d9878 1 a9878 1
d9882 1 a9882 1 Syntax: $GENERATE d9891 1 a9891 1$GENERATE d9894 1 a9894 1 iterator. $GENERATE can be used to d9936 2 a9937 2
d9942 1 a9942 1 range
d9956 1 a9956 1lhs
d9961 1 a9961 1 to be created. Any single $ d9963 1 a9963 1 symbols within the lhs string d9967 4 a9970 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d9975 4 a9978 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d9984 3 a9986 3 (d), octal (o), hexadecimal (x or X d9988 1 a9988 1 (n or N\ d9990 3 a9992 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d10004 1 a10004 1 $$ is still recognized as d10011 1 a10011 1ttl
d10019 2 a10020 2class and ttl can be d10027 1 a10027 1
class
d10035 2 a10036 2class and ttl can be d10043 1 a10043 1
type
d10053 1 a10053 1rhs
d10057 1 a10057 1 rhs, optionally, quoted string. d10064 1 a10064 1 The $GENERATE directive is a BIND extension d10071 1 a10071 1d10087 1 a10087 1 named-compilezone command. For a d10090 2 a10091 2 masterfile-format option) when named dumps the zone contents after d10097 1 a10097 1 named-compilezone command. All d10100 1 a10100 1 named-compilezone command again. d10114 1 a10114 1d10904 2 a10905 2d10132 2 a10133 2d10232 5 a10236 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a10238 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d10242 1 a10242 1 by the statistics-file configuration option. d10244 1 a10244 1 when the statistics-channels statement d10246 1 a10246 1 (see the section called “statistics-channels Statement Grammar”.) d10248 3 a10250 3
d10255 1 a10255 1 +++ Statistics Dump +++ (973798949) d10267 1 a10267 1 ++ Name Server Statistics ++ d10281 1 a10281 1 --- Statistics Dump --- (973798949) d10284 1 a10284 1d10308 3 a10310 3d10332 1 a10332 1 Requestv4
d10335 1 a10335 1RQ
d10346 1 a10346 1Requestv6
d10349 1 a10349 1RQ
d10360 1 a10360 1ReqEdns0
d10363 1 a10363 1d10373 1 a10373 1
ReqBadEDNSVer
d10376 1 a10376 1d10386 1 a10386 1
ReqTSIG
d10389 1 a10389 1d10399 1 a10399 1
ReqSIG0
d10402 1 a10402 1d10412 1 a10412 1
ReqBadSIG
d10415 1 a10415 1d10425 1 a10425 1
ReqTCP
d10428 1 a10428 1RTCP
d10438 1 a10438 1AuthQryRej
d10441 1 a10441 1RUQ
d10451 1 a10451 1RecQryRej
d10454 1 a10454 1RURQ
d10464 1 a10464 1XfrRej
d10467 1 a10467 1RUXFR
d10477 1 a10477 1UpdateRej
d10480 1 a10480 1RUUpd
d10490 1 a10490 1Response
d10493 1 a10493 1SAns
d10503 1 a10503 1RespTruncated
d10506 1 a10506 1d10516 1 a10516 1
RespEDNS0
d10519 1 a10519 1d10529 1 a10529 1
RespTSIG
d10532 1 a10532 1d10542 1 a10542 1
RespSIG0
d10545 1 a10545 1d10555 1 a10555 1
QrySuccess
d10558 1 a10558 1d10566 1 a10566 1 success counter d10574 1 a10574 1
QryAuthAns
d10577 1 a10577 1d10587 1 a10587 1
QryNoauthAns
d10590 1 a10590 1SNaAns
d10600 1 a10600 1QryReferral
d10603 1 a10603 1d10609 1 a10609 1 referral counter d10617 1 a10617 1
QryNxrrset
d10620 1 a10620 1d10626 1 a10626 1 nxrrset counter d10634 1 a10634 1
QrySERVFAIL
d10637 1 a10637 1SFail
d10647 1 a10647 1QryFORMERR
d10650 1 a10650 1SFErr
d10660 1 a10660 1QryNXDOMAIN
d10663 1 a10663 1SNXD
d10669 1 a10669 1 nxdomain counter d10677 1 a10677 1QryRecursion
d10680 1 a10680 1RFwdQ
d10687 1 a10687 1 recursion counter d10695 1 a10695 1QryDuplicate
d10698 1 a10698 1RDupQ
d10707 1 a10707 1 duplicate counter d10715 1 a10715 1QryDropped
d10718 1 a10718 1d10728 1 a10728 1 clients-per-query d10730 1 a10730 1 max-clients-per-query d10733 1 a10733 1 clients-per-query.) d10735 1 a10735 1 dropped counter d10743 1 a10743 1
QryFailure
d10746 1 a10746 1d10752 1 a10752 1 failure counter d10758 2 a10759 2 AuthQryRej and RecQryRej d10768 1 a10768 1
XfrReqDone
d10771 1 a10771 1d10781 1 a10781 1
UpdateReqFwd
d10784 1 a10784 1d10794 1 a10794 1
UpdateRespFwd
d10797 1 a10797 1d10807 1 a10807 1
UpdateFwdFail
d10810 1 a10810 1d10820 1 a10820 1
UpdateDone
d10823 1 a10823 1d10833 1 a10833 1
UpdateFail
d10836 1 a10836 1d10846 1 a10846 1
UpdateBadPrereq
d10849 1 a10849 1d10859 1 a10859 1
RPZRewrites
d10862 1 a10862 1d10872 1 a10872 1
RateDropped
d10875 1 a10875 1d10885 1 a10885 1
RateSlipped
d10888 1 a10888 1d10899 1 a10899 1
d10922 1 a10922 1 NotifyOutv4
d10932 1 a10932 1NotifyOutv6
d10942 1 a10942 1NotifyInv4
d10952 1 a10952 1NotifyInv6
d10962 1 a10962 1NotifyRej
d10972 1 a10972 1SOAOutv4
d10982 1 a10982 1SOAOutv6
d10992 1 a10992 1AXFRReqv4
d11002 1 a11002 1AXFRReqv6
d11012 1 a11012 1IXFRReqv4
d11022 1 a11022 1IXFRReqv6
d11032 1 a11032 1XfrSuccess
d11042 1 a11042 1XfrFail
d11053 1 a11053 1 d11058 3 a11060 3d11082 1 a11082 1 Queryv4
d11085 1 a11085 1SFwdQ
d11095 1 a11095 1Queryv6
d11098 1 a11098 1SFwdQ
d11108 1 a11108 1Responsev4
d11111 1 a11111 1RR
d11121 1 a11121 1Responsev6
d11124 1 a11124 1RR
d11134 1 a11134 1NXDOMAIN
d11137 1 a11137 1RNXD
d11147 1 a11147 1SERVFAIL
d11150 1 a11150 1RFail
d11160 1 a11160 1FORMERR
d11163 1 a11163 1RFErr
d11173 1 a11173 1OtherError
d11176 1 a11176 1RErr
d11186 1 a11186 1EDNS0Fail
d11189 1 a11189 1d11199 1 a11199 1
Mismatch
d11202 1 a11202 1RDupR
d11211 1 a11211 1 the port option.) d11219 1 a11219 1Truncated
d11222 1 a11222 1d11232 1 a11232 1
Lame
d11235 1 a11235 1RLame
d11245 1 a11245 1Retry
d11248 1 a11248 1SDupQ
d11258 1 a11258 1QueryAbort
d11261 1 a11261 1d11271 1 a11271 1
QuerySockFail
d11274 1 a11274 1d11287 1 a11287 1
QueryTimeout
d11290 1 a11290 1d11300 1 a11300 1
GlueFetchv4
d11303 1 a11303 1SSysQ
d11313 1 a11313 1GlueFetchv6
d11316 1 a11316 1SSysQ
d11326 1 a11326 1GlueFetchv4Fail
d11329 1 a11329 1d11339 1 a11339 1
GlueFetchv6Fail
d11342 1 a11342 1d11352 1 a11352 1
ValAttempt
d11355 1 a11355 1d11365 1 a11365 1
ValOk
d11368 1 a11368 1d11378 1 a11378 1
ValNegOk
d11381 1 a11381 1d11391 1 a11391 1
ValFail
d11394 1 a11394 1d11404 1 a11404 1
QryRTTnn
d11407 1 a11407 1d11413 1 a11413 1 Each nn specifies the corresponding d11416 2 a11417 2 nn_1, nn_2, d11419 2 a11420 2 nn_m, the value of nn_i is the d11422 2 a11423 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d11425 1 a11425 1 nn_0 to be 0. d11427 1 a11427 1 nn_m+, which means the d11429 1 a11429 1 nn_m milliseconds. d11436 1 a11436 1 d11442 6 a11447 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d11449 1 a11449 1 In the following table <TYPE> d11456 2 a11457 2
d11474 1 a11474 1 <TYPE>Open
d11480 1 a11480 1 FDwatch type. d11486 1 a11486 1<TYPE>OpenFail
d11492 1 a11492 1 FDwatch type. d11498 1 a11498 1<TYPE>Close
d11508 1 a11508 1<TYPE>BindFail
d11518 1 a11518 1<TYPE>ConnFail
d11528 1 a11528 1<TYPE>Conn
d11538 1 a11538 1<TYPE>AcceptFail
d11544 2 a11545 2 UDP and FDwatch types. d11551 1 a11551 1<TYPE>Accept
d11557 2 a11558 2 UDP and FDwatch types. d11564 1 a11564 1<TYPE>SendErr
d11570 2 a11571 2 to SErr counter of BIND 8. d11577 1 a11577 1<TYPE>RecvErr
d11591 1 a11591 1 d11596 2 a11597 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d11601 2 a11602 2d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase d1654 1 a1654 1
- RFwdR,SFwdR
d11605 1 a11605 1 because BIND 9 does not adopt d11607 1 a11607 1 as BIND 8 did. d11609 1 a11609 1- RAXFR
d11613 1 a11613 1- RIQ
d11617 1 a11617 1- ROpts
d11620 1 a11620 1 because BIND 9 does not care d11645 1 a11645 1BIND 9.9.9-P8 (Extended Support Version)
@ 1.1.1.10 log @Import bind 9.9.1-P1 @ text @d2 1 a2 1 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d51 1 a51 1- Comment Syntax
d55 1 a55 1- acl Statement Grammar
d58 1 a58 1- controls Statement Grammar
d61 2 a62 2- include Statement Grammar
- include Statement Definition and d64 4 a67 4
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and d69 4 a72 4
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d74 1 a74 1
- options Statement Grammar
d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d480 1 a480 1 Syntaxclient 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SEd1657 1 a1657 7client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.) a1752 13
d1758 1 a1758 1 The query-errors Category d1986 1 a1986 1 lwres Statement Grammar d2002 1 a2002 1 lwres Statement Definition and Usage d2053 1 a2053 1 masters Statement Grammar d2061 1 a2061 1 masters Statement Definition and d2071 1 a2071 1 options Statement Grammar a2091 4 [ secroots-file RPZ
Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
path_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] d2117 1 a2117 2 [ dnssec-lookaside (auto|no| d2268 1 a2268 1 [ response-policy {zone_name[ policy given | disabled | passthru | nxdomain | nodata | cnamedomain] ; } ; ] d2526 1 a2526 2 If not specified, the default isnamed.secroots. d2552 8 a2671 5 If dnssec-lookaside is set tono, then dnssec-lookaside is not used.d3435 7 a3441 8 When
yesand the server loads a new version of a master zone from its zone file or receives a new version of a slave file via zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer. d3704 1 a3704 1 Forwarding d3748 1 a3748 1 Dual-stack Servers d3959 1 a3959 1 Interfaces d4427 1 a4427 1 UDP Port Lists d4469 1 a4469 1 Operating System Resource Limits d4631 1 a4631 1 Periodic Task Intervals d4933 2 a4934 4 appear, they are not combined — the last one applies.By default, all records are returned in random order. d5052 1 a5052 1
65534. a5057 9These records can be removed from the zone once named has completed signing the zone with the matching key using nsupdate or rndc signing -clear. rndc signing -clear is the only supported way to remove these records from inline-signing zones.
d5133 1 a5133 2d5274 4 a5277 5 these cover the reverse namespaces for addresses from RFC 1918, RFC 4193, and RFC 5737. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address. d5470 1 a5470 1 Content Filtering d5593 1 a5593 1 Response Policy Zone (RPZ) Rewriting d5597 4 a5600 4 somewhat similar to email anti-spam DNS blacklists. Responses can be changed to deny the existence of domains(NXDOMAIN), deny the existence of IP addresses for domains (NODATA), or contain other IP addresses or data. d5603 3 a5605 6 The actions encoded in a response policy zone (RPZ) are applied only to queries that ask for recursion (RD=1). Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. RPZs are ordinary DNS zones containing RRsets d5608 2 a5609 1 allow-query { localhost; };. d5612 4 a5615 5 There are four kinds of RPZ records, QNAME, IP, NSIP, and NSDNAME. QNAME records are applied to query names of requests and targets of CNAME records resolved to generate the response. The owner name of a QNAME RPZ record is the query name relativized d5617 2 d5621 16 a5636 30 The second kind of RPZ record, an IP policy record, is triggered by addresses in A and AAAA records for the ANSWER sections of responses. IP policy records have owner names that are subdomains of Specifies d5137 3 a5139 8 standard textual representation, except for slave zones, in which the default value is
raw. Files in other formats thantextare typically expected to be generated by the named-compilezone tool, or dumped by named.d5156 1 a5156 2
rpz-iprelativized to the RPZ origin name and encode an IP address or address block. IPv4 addresses are encoded asprefixlength.B4.B3.B2.B1.rpz-ip. The prefix length must be between 1 and 32. All four bytes, B4, B3, B2, and B1, must be present. B4 is the decimal value of the least significant byte of the IPv4 address as in IN-ADDR.ARPA. IPv6 addresses are encoded in a format similar to the standard IPv6 text representation,prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. Each of W8,...,W1 is a one to four digit hexadecimal number representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. All 8 words must be present except when consecutive zero words are replaced with.zz.analogous to double colons (::) in standard IPv6 text encodings. The prefix length must be between 1 and 128.NSDNAME policy records match names of authoritative servers for the query name, a parent of the query name, a CNAME, or a parent of a CNAME. They are encoded as subdomains of
rpz-nsdomainrelativized to the RPZ origin name. d5639 3 a5641 32 NSIP policy records match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. The are encoded like IP policies except as subdomains ofrpz-nsip.The query response is checked against all RPZs, so two or more policy records can apply to a single response. Because DNS responses can be rewritten according by at most a single policy record, a single policy (other than DISABLED policies) must be chosen. Policies are chosen in the following order:
- Among applicable zones, use the RPZ that appears first in the response-policy option.
- Prefer QNAME to IP to NSDNAME to NSIP policy records in a single RPZ
- Among applicable NSDNAME policy records, prefer the policy record that matches the lexically smallest name
- Among IP or NSIP policy records, prefer the record with the longest prefix.
- Among records with the same prefex length, prefer the IP or NSIP policy record that matches the smallest IP address.
d5644 4 a5647 5 When the processing of a response is restarted to resolve DNAME or CNAME records and an applicable policy record set has not been found, all RPZs are again consulted for the DNAME or CNAME names and addresses. d5650 3 a5652 4 Authority verification issues and variations in authority data can cause inconsistent results for NSIP and NSDNAME policy records. Glue NS records often differ from authoritative NS records. So they are available d5659 31 a5689 74 RPZ record sets are special CNAME records or one or more of any types of DNS record except DNAME or DNSSEC. Except when a policy record is a CNAME, there can be more more than one record and more than one type in a set of policy records. Except for three kinds of CNAME records that are illegal except in policy zones, the records in a set are used in the response as if their owner name were the query name. They are copied to the response as dictated by their types.
- A CNAME whose target is the root domain (.) specifies the NXDOMAIN policy, which generates an NXDOMAIN response.
- A CNAME whose target is the wildcard top-level domain (*.) specifies the NODATA policy, which rewrites the response to NODATA or ANCOUNT=1.
- A CNAME whose target is a wildcard hostname such as *.example.com is used normally after the astrisk (*) has been replaced with the query name. These records are usually resolved with ordinary CNAMEs outside the policy zones. They can be useful for logging.
- The PASSTHRU policy is specified by a CNAME whose target is the variable part of its own owner name. It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks.
The policies specified in individual records in an RPZ can be overridden with a policy clause in the response-policy option. An organization using an RPZ provided by another organization might use this mechanism to redirect domains to its own walled garden.
- GIVEN says "do not override."
- DISABLED causes policy records to do nothing but log what they might have done. The response to the DNS query will be written according to any matching policy records that are not disabled. Policy zones overridden with DISABLED should appear first, because they will often not be logged if a higher precedence policy is found first.
- PASSTHRU causes all policy records to act as if they were CNAME records with targets the variable part of their owner name. They protect the response from being changed.
- NXDOMAIN causes all RPZ records to specify NXDOMAIN policies.
- NODATA overrides with the NODATA policy
- CNAME domain causes all RPZ policy records to act as if they were "cname domain" records.
d5694 1 a5694 1
response-policy { zone "badlist"; };d5698 1 a5698 1zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };d5703 1 a5703 16 @@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h) NS LOCALHOST. ; QNAME policy records. There are no periods (.) after the owner names. nxdomain.domain.com CNAME . ; NXDOMAIN policy nodata.domain.com CNAME *. ; NODATA policy bad.domain.com A 10.0.0.1 ; redirect to a walled garden AAAA 2001:2::1 ; do not rewrite (PASSTHRU) OK.DOMAIN.COM ok.domain.com CNAME ok.domain.com. bzone.domain.com CNAME garden.example.com. ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com *.bzone.domain.com CNAME *.garden.example.com. d5705 7 d5713 3 a5715 3 ; IP policy records that rewrite all answers for 127/8 except 127.0.0.1 8.0.0.0.127.rpz-ip CNAME . 32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1 d5717 1 a5717 1 ; NSDNAME and NSIP policy records d5806 2 a5807 3 the view or global options block is used as a default. It may also be set in the zone block and, if set there, it will override the global or view setting for that zone. d5931 1 a5931 1 statistics-channels Statement Definition and d5991 1 a5991 1 trusted-keys Statement Definition d6031 1 a6031 1 managed-keys Statement Grammar d6166 1 a6166 1 view Statement Definition and Usage a6310 1 [ request-ixfryes_or_no; ] a6332 1 [ inline-signing <replacable>yes_or_no</replacable>; ] d6465 1 a6465 1 zone Statement Definition and Usage d6468 1 a6468 1 Zone Types d6748 1 a6748 1 Class d6770 1 a6770 1 Zone Options a7235 9inline-signing d7672 1 a7672 1 Zone File d7685 1 a7685 1 Resource Records d8422 1 a8422 1 Textual expression of RRs d8625 1 a8625 1 Discussion of MX Records d8881 1 a8881 1 Inverse Mapping in IPv4 d8942 1 a8942 1 Other Zone File Directives d8957 1 a8957 1 The @@ (at-sign) d8968 1 a8968 1 The $ORIGIN Directive d8997 1 a8997 1 The $INCLUDE Directive d9033 1 a9033 1 The $TTL Directive d9052 1 a9052 1 BIND Master File Extension: the $GENERATE Directive d9476 1 a9476 1 Name Server Statistics Counters d10033 1 a10033 1 Zone Maintenance Statistics Counters d10187 1 a10187 1 Resolver Statistics Counters d10570 1 a10570 1 Socket I/O Statistics Counters d10725 1 a10725 1 Compatibility with BIND 8 Counters @ 1.1.1.10.2.1 log @resync with head @ text @d51 1 a51 1 If
yes, this enables "bump in the wire" signing of a zone, where a unsigned zone is transfered in or loaded from disk and a signed version of the zone is served, with possibly, a different serial number. This behaviour is disabled by default.Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d480 1 a480 1 Syntax d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar a2272 1 [ max-rsa-exponent-sizenumber; ] d2292 1 a2292 5 [ response-policy {zone_name[ policy given | disabled | passthru | nxdomain | nodata | cnamedomain] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] ; ] d3727 1 a3727 1 Forwarding d3771 1 a3771 1 Dual-stack Servers d3973 2 a3974 2 to resolve a recursive query before failing. The default and minimum is10and the maximum is d3982 1 a3982 1 Interfaces d4450 1 a4450 1 UDP Port Lists d4492 1 a4492 1 Operating System Resource Limits d4654 1 a4654 1 Periodic Task Intervals a5241 7max-rsa-exponent-size d5512 1 a5512 1 Content Filtering d5635 1 a5635 1 Response Policy Zone (RPZ) Rewriting d5637 3 a5639 3 BIND 9 includes a limited mechanism to modify DNS responses for requests analogous to email anti-spam DNS blacklists. d5645 2 d5656 1 a5656 1 Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, d5658 1 a5658 1 QNAME RPZ records triggered by query names of requests and targets d5664 7 a5670 6 The second kind of RPZ trigger is an IP address in an A and AAAA record in the ANSWER section of a response. IP address triggers are encoded in records that have owner names that are subdomains of The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
rpz-iprelativized to the RPZ origin name and encode an IP address or address block. IPv4 trigger addresses are represented as d5688 3 a5690 3 NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. d5696 3 a5698 4 NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. NSIP triggers are encoded like IP triggers except as subdomains of d5703 5 a5707 6 two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. Triggers or the records that encode them are chosen in the following order: d5710 2 a5711 2Choose the triggered record in the zone that appears first in the response-policy option. d5713 2 a5714 2 Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone. d5716 2 a5717 2 Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. d5719 1 a5719 1 Among IP or NSIP triggers, prefer the trigger d5722 2 a5723 2 Among triggers with the same prefex length, prefer the IP or NSIP trigger that matches d5731 2 a5732 2 DNAME or CNAME records and a policy record set has not been triggered, d5747 9 a5755 2 RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. d5758 3 a5760 2 The NXDOMAIN response is encoded by a CNAME whose target is the root domain (.) d5763 1 a5763 1 domain (*.) specifies the NODATA action, d5766 2 a5767 8 The Local Data action is represented by a set ordinary DNS records that are used to answer queries. Queries for record types not the set are answered with NODATA. A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) d5769 2 a5770 2 The purpose for this special form is query logging in the walled garden's authority DNS server. d5773 2 a5774 2 by a CNAME whose target is rpz_passthru. It causes the response to not be rewritten a5776 2 (A CNAME whose target is the variable part of its owner name is an obsolete specification of the PASSTHRU policy.) d5782 3 a5784 3 The actions specified in an RPZ can be overridden with a policy clause in the response-policy option. d5790 1 a5790 2 GIVEN says "do not override but perform the action specified in the zone." d5796 4 a5799 4 any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first. a5822 28 By default, the actions encoded in an RPZ are applied only to queries that ask for recursion (RD=1). That default can be changed for a single RPZ or all RPZs in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values on the externally visible name server or view. Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
d5844 1 a5844 1 ok.domain.com CNAME rpz-passthru. d5854 1 a5854 1 32.1.0.0.127.rpz-ip CNAME rpz-passthru. d6071 1 a6071 1 statistics-channels Statement Definition and d6131 1 a6131 1 trusted-keys Statement Definition d6171 1 a6171 1 managed-keys Statement Grammar d6306 1 a6306 1 view Statement Definition and Usage d6474 1 a6474 1 [ inline-signing
yes_or_no; ] d6607 1 a6607 1 zone Statement Definition and Usage d6610 1 a6610 1 Zone Types d6890 1 a6890 1 Class d6912 1 a6912 1 Zone Options d7662 1 a7662 1 is specified in theidentityd7680 1 a7680 1identityfield. d7696 1 a7696 1 is specified in theidentityd7714 1 a7714 1identityfield. d7823 1 a7823 1 Zone File d7836 1 a7836 1 Resource Records d8573 1 a8573 1 Textual expression of RRs d8776 1 a8776 1 Discussion of MX Records d9032 1 a9032 1 Inverse Mapping in IPv4 d9093 1 a9093 1 Other Zone File Directives d9108 1 a9108 1 The @@ (at-sign) d9119 1 a9119 1 The $ORIGIN Directive d9148 1 a9148 1 The $INCLUDE Directive d9184 1 a9184 1 The $TTL Directive d9203 1 a9203 1 BIND Master File Extension: the $GENERATE Directive d9627 1 a9627 1 Name Server Statistics Counters d10184 1 a10184 1 Zone Maintenance Statistics Counters d10338 1 a10338 1 Resolver Statistics Counters d10721 1 a10721 1 Socket I/O Statistics Counters d10876 1 a10876 1 Compatibility with BIND 8 Counters @ 1.1.1.10.2.2 log @Rebase to HEAD as of a few days ago. @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 ] a2238 1 [ max-zone-ttltrusted-keys Statement Definition d86 1 a86 1 ] d2210 5 a2214 4 [ transfer-source (managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a279 15ip_dscpA
numberbetween 0 and 63, used to select a differentiated services code point (DSCP) value for use with outgoing traffic on operating systems that support DSCP.d412 2 a413 16 A 64-bit unsigned integer, or the keywords
unlimitedordefault.Integers may take values 0 <= value <= 18446744073709551615, though certain parameters (such as max-journal-size) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible", depending on the context. See the expalantions of particular parameters that use
size_specfor details on how they interpret its use. d416 7 a422 2 Numeric values can optionally be followed by a scaling factor: d427 3 a429 3Gorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively. d432 5 a436 7unlimitedgenerally means "as big as possible", and is usually the best way to safely set a very large number.
defaultuses the limit that was in force when the server was started. d480 1 a480 1 Syntax d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d909 1 a909 3 interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. a920 3 When addresses are added or removed, the localnets ACL element is updated to reflect the changes. a931 54When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. This is done by specifying an ACL element of the form: geoip [db
database]fieldvalueThe
fieldindicates which field to search for a match. Available fields are "country", "region", "city", "continent", "postal" (postal code), "metro" (metro code), "area" (area code), "tz" (timezone), "isp", "org", "asnum", "domain" and "netspeed".
valueis the value to searched for within the database. A string may be quoted if it contains spaces or other special characters. If this is a "country" search and the string is two characters long, then it must be a standard ISO-3166-1 two-letter country code, and if it is three characters long then it must be an ISO-3166-1 three-letter country code; otherwise it is the full name of the country. Similarly, if this is a "region" search and the string is two characters long, then it must be a standard two-letter state or province abbreviation; otherwise it is the full name of the state or province.The
databasefield indicates which GeoIP database to search for a match. In most cases this is unnecessary, because most search fields can only be found in a single database. However, searches for country can be answered from the "city", "region", or "country" databases, and searches for region (i.e., state or province) can be answered from the "city" or "region" databases. For these search types, specifying adatabasewill force the query to be answered from that database and no other. Ifdatabaseis not specified, then these queries will be answered from the "city", database if it is installed, or the "region" database if it is installed, or the "country" database, in that order.Some example GeoIP ACLs:
geoip country US; geoip country JAP; geoip db country country Canada; geoip db region region WA; geoip city "San Francisco"; geoip region Oklahoma; geoip postal 95062; geoip tz "America/Los_Angeles"; geoip org "Internet Systems Consortium";d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1140 1 a1140 1 [ sizesize_spec] d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase a1293 3 On Windows machines syslog messages are directed to the EventViewer.d1720 2 a1721 2 delegation-only in a forward, hint or stub zone declaration. a1771 26
d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2011 2 a2012 2 [ listen-on { rate-limit
The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d2021 1 a2021 1 lwres Statement Definition and Usage d2033 2 a2034 2 IPv4 addresses (and ports) that this instance of a lightweight resolver daemon d2072 1 a2072 1 masters Statement Grammar d2074 1 a2074 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar d2120 1 a2120 1 [ zone-statisticsfull|terse|none; ] a2133 2 [ request-sityes_or_no; ] [ request-nsidyes_or_no; ] d2146 4 a2149 4 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ dual-stack-servers [portip_port] [dscpip_dscp] { (domain_name[portip_port] [dscpip_dscp] |ip_addr[portip_port] [dscpip_dscp]) ; a2159 1 [ check-spf (warn|fail|ignore); ] a2178 1 [ no-case-compress {address_match_list}; ] d2183 2 a2184 3 [ listen-on [ portip_port] [dscpip_dscp] {address_match_list}; ] [ listen-on-v6 [ portip_port] [dscpip_dscp] {address_match_list}; ] d2186 1 a2186 2 [ port (ip_port|*) ] [ dscpip_dscp] | d2188 1 a2188 2 [ port (ip_port|*) ] ) [ dscpip_dscp] ; ] d2190 1 a2190 2 [ port (ip_port|*) ] [ dscpip_dscp] | d2192 1 a2192 2 [ port (ip_port|*) ] ) [ dscpip_dscp] ;ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d2217 2 a2218 2 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d2221 2 a2222 2 [portip_port] [dscpip_dscp] [keykeyname] ; [ip_addr[portip_port] [dscpip_dscp] [keykeyname] ; ... ] };number; ] a2252 1 [ dscpip_dscp] ; a2258 1 [ filter-aaaa-on-v6 (yes_or_no|break-dnssec); ] d2260 1 a2260 1 [ dns64ipv6-prefix{ a2277 2 [ disable-ds-digestsdomain{digest_type; [digest_type; ] }; ] d2283 1 a2283 2 [ masterfile-format (text|raw|map) ; ] d2293 5 a2297 31 [ prefetchnumber[number] ; ] [ rate-limit { [ domaindomain; ] [ responses-per-second [sizenumber] [ratiofixedpoint]number; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name; [ policygiven | disabled | passthru | drop | nxdomain | nodata | cnamedomain; ] [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] ; [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] [ break-dnssecyes_or_no; ] [ min-ns-dotsnumber; ] [ qname-wait-recurseyes_or_no; ] } ; ] d2427 7 a2433 16d2666 1 a2666 2 Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views, then managed keys for the server will be tracked in a single file called
managed-keys.bind. Otherwise, managed keys will be tracked in separate files, one file per view; each file name will be the SHA256 hash of the view name, followed by the extension.mkeys.d2671 2 a2672 25 Only the best match disable-algorithms clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered by the disable-algorithms will be treated as insecure.
disable-ds-digests d2707 1 a2707 1 from https://www.isc.org/solutions/dlv/. d2845 1 a2845 1 via dynamic update; this is not yet implemented.) a2847 59 Disable the specified DS/DLV digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. Only the best match disable-ds-digests clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered by the disable-ds-digests will be treated as insecure.
max-zone-ttl Specifies a maximum permissible TTL value. When loading a zone file using a
masterfile-formatoftextorraw, any record encountered with a TTL higher thanmax-zone-ttlwill cause the zone to be rejected.This is useful in DNSSEC-signed zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG records have expired from caches. The
max-zone-ttloption guarantees that the largest TTL in the zone will be no higher the set value.(NOTE: Because
map-format files load directly into memory, this option cannot be used with them.)zone-statistics a2852 14 If
full, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics terse or zone-statistics none in the zone statement). The default isterse, providing minimal statistics on zones (including name and current serial number, but not query type counters).These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions of BIND 9, the zone-statistics option can also accept
yesorno;yeshas the same meaning asfull. As of BIND 9.10,nohas the same meaning asnone; previously, it was the same asterse.automatic-interface-scan a3234 36 If
yesand supported by the OS, automatically rescan network interfaces when the interface addresses are added or removed. The default isyes.Currently the OS needs to support routing sockets for automatic-interface-scan to be supported.
request-nsid If
yes, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in the resolver category at level info. The default isno.request-sit If
yes, then a SIT (Source Identity Token) EDNS option is sent along with the query. If the resolver has previously talked to the server, the SIT returned in the previous transaction is sent. This is used by the server to determine whether the resolver has talked to it before. A resolver sending the correct SIT is assumed not to be an off-path attacker sending a spoofed-source query; the query is therefore unlikely to be part of a reflection/amplification attack, so resolvers sending a correct SIT option are not subject to response rate limiting (RRL). Resolvers which do not send a correct SIT option may be limited to receiving smaller responses via the nosit-udp-size option.sit-secret d3257 14 d3434 1 a3434 1 then AAAA records are deleted even when DNSSEC is enabled. a3458 7 If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system will generate a random secret at startup.
filter-aaaa-on-v6 d3594 1 a3594 2 Identical to filter-aaaa-on-v4, except it filters AAAA responses to queries from IPv6 clients instead of IPv4 clients. To filter all responses, set both options to
yes.a3623 8 d3606 1 a3606 9
Check that the two forms of Sender Policy Framework records (TXT records starting with "v=spf1" and SPF) either both exist or both don't exist. Warnings are emitted it they don't and be suppressed with check-spf.
check-spf d3691 1 a3691 1 sets the frequency of automatic repository checks, in d3732 1 a3732 1 Forwarding d3776 1 a3776 1 Dual-stack Servers a3850 6 Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it will be refused. When performing integrity checks, check that the two forms of Sender Policy Framwork records (TXT records starting with "v=spf1" and SPF) both exist or both don't exist and issue a warning if not met. The default is warn.
a3974 51
no-case-compress d3987 1 a3987 1 Interfaces d3991 1 a3991 3 an optional port and an Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisions.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circusmstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
address_match_listof IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) d4015 2 a4016 2 listen for incoming queries sent using IPv6. If not specified, the server will listen on port 53 on all IPv6 interfaces. a4038 2 IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning. d4059 7 d4455 1 a4455 1 UDP Port Lists d4497 1 a4497 1 Operating System Resource Limits d4577 2 a4578 4 will be automatically removed. The largest permitted value is 2 gigabytes. The default isunlimited, which also means 2 gigabytes. d4627 5 a4631 6 reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. The keywordunlimited, or the value 0, will place no limit on cache size; records will be purged from the cache only when their d4633 7 a4639 2 Any positive values less than 2MB will be ignored and reset to 2MB. d4642 1 a4642 1 The default isunlimited. d4646 1 a4646 1 The listen queue depth. The default and minimum is 10. d4651 3 a4653 4 some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also be used; on most platforms this sets the listen queue length to a system-defined default value. d4659 1 a4659 1 Periodic Task Intervals d5081 1 a5081 1 signing state records. The default is d5089 7 a5095 14 Signing state records are used to internally by named to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command rndc signing -listzone. Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running rndc signing -clearkeyid/algorithmzone. To clear all of the completed signing state records for a zone, use rndc signing -clear allzone. d5133 2 a5134 3 Sets the initial advertised EDNS UDP buffer size in bytes, to control the size of packets received from authoritative servers in response to recursive queries. d5136 6 a5141 2 will be silently adjusted to the nearest value within it). The default value is 4096. d5144 5 a5148 37 The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP DNS packets that are greater than 512 bytes.When named first queries a remote server, it will advertise a UDP buffer size of 512, as this has the greatest chance of success on the first try.
If the initial response times out, named will try again with plain DNS, and if that is successful, it will be taken as evidence that the server does not support EDNS. After enough failures using EDNS and successes using plain DNS, named will default to plain DNS for future communications with that server. (Periodically, named will send an EDNS query to see if the situation has improved.)
However, if the initial query is successful with EDNS advertising a buffer size of 512, then named will advertise progressively larger buffer sizes on successive queries, until responses begin timing out or edns-udp-size is reached.
The default buffer sizes used by named are 512, 1232, 1432, and 4096, but never exceeding edns-udp-size. (The values 1232 and 1432 are chosen to allow for an IPv4/IPv6 encapsulated UDP message to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.) d5157 2 a5158 10 range will be silently adjusted to the nearest value within it). The default value is 4096.
This value applies to responses sent by a server; to set the advertised buffer size in queries, see edns-udp-size.
The usual reason for setting d5194 1 a5194 6 file. Also,
mapformat files are loaded directly into memory via memory mapping, with only minimal checking.This statement sets the a5253 32
prefetch d5268 6 a5273 12 default view of class IN. Most global configuration options (allow-query, etc) will apply to this view, but some are locally overridden: notify, recursion and allow-new-zones are always set to When a query is received for cached data which is to expire shortly, named can refresh the data from the authoritative server immediately, ensuring that the cache always has an answer available.
The
prefetchspecifies the "trigger" TTL value at which prefetch of the current query will take place: when a cache record with a lower TTL value is encountered during query processing, it will be refreshed. Valid trigger TTL values are 1 to 10 seconds. Values larger than 10 seconds will be silently reduced to 10. Setting a trigger TTL to zero (0) causes prefetch to be disabled. The default trigger TTL is2.An optional second argument specifies the "eligibility" TTL: the smallest original TTL value that will be accepted for a record to be eligible for prefetching. The eligibility TTL must be at least six seconds longer than the trigger TTL; if it isn't, named will silently adjust it upward. The default eligibility TTL is
9.no, and rate-limit is set to allow three responses per second.If you need to disable these zones, use the options d5328 1 a5328 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5359 64
64.100.IN-ADDR.ARPA 65.100.IN-ADDR.ARPA 66.100.IN-ADDR.ARPA 67.100.IN-ADDR.ARPA 68.100.IN-ADDR.ARPA 69.100.IN-ADDR.ARPA 70.100.IN-ADDR.ARPA 71.100.IN-ADDR.ARPA 72.100.IN-ADDR.ARPA 73.100.IN-ADDR.ARPA 74.100.IN-ADDR.ARPA 75.100.IN-ADDR.ARPA 76.100.IN-ADDR.ARPA 77.100.IN-ADDR.ARPA 78.100.IN-ADDR.ARPA 79.100.IN-ADDR.ARPA 80.100.IN-ADDR.ARPA 81.100.IN-ADDR.ARPA 82.100.IN-ADDR.ARPA 83.100.IN-ADDR.ARPA 84.100.IN-ADDR.ARPA 85.100.IN-ADDR.ARPA 86.100.IN-ADDR.ARPA 87.100.IN-ADDR.ARPA 88.100.IN-ADDR.ARPA 89.100.IN-ADDR.ARPA 90.100.IN-ADDR.ARPA 91.100.IN-ADDR.ARPA 92.100.IN-ADDR.ARPA 93.100.IN-ADDR.ARPA 94.100.IN-ADDR.ARPA 95.100.IN-ADDR.ARPA 96.100.IN-ADDR.ARPA 97.100.IN-ADDR.ARPA 98.100.IN-ADDR.ARPA 99.100.IN-ADDR.ARPA 100.100.IN-ADDR.ARPA 101.100.IN-ADDR.ARPA 102.100.IN-ADDR.ARPA 103.100.IN-ADDR.ARPA 104.100.IN-ADDR.ARPA 105.100.IN-ADDR.ARPA 106.100.IN-ADDR.ARPA 107.100.IN-ADDR.ARPA 108.100.IN-ADDR.ARPA 109.100.IN-ADDR.ARPA 110.100.IN-ADDR.ARPA 111.100.IN-ADDR.ARPA 112.100.IN-ADDR.ARPA 113.100.IN-ADDR.ARPA 114.100.IN-ADDR.ARPA 115.100.IN-ADDR.ARPA 116.100.IN-ADDR.ARPA 117.100.IN-ADDR.ARPA 118.100.IN-ADDR.ARPA 119.100.IN-ADDR.ARPA 120.100.IN-ADDR.ARPA 121.100.IN-ADDR.ARPA 122.100.IN-ADDR.ARPA 123.100.IN-ADDR.ARPA 124.100.IN-ADDR.ARPA 125.100.IN-ADDR.ARPA 126.100.IN-ADDR.ARPA 127.100.IN-ADDR.ARPA d5524 1 a5524 1 Content Filtering d5577 1 a5577 1 d5647 1 a5647 1 Response Policy Zone (RPZ) Rewriting d5660 1 a5660 1 Response policy zones are ordinary DNS zones containing RRsets d5666 49 a5714 87 A response-policy option can support multiple policy zones. To maximize performance, a radix tree is used to quickly identify response policy zones containing triggers that match the current query. This imposes an upper limit of 32 on the number of policy zones in a single response-policy option; more than that is a configuration error.Five policy triggers can be encoded in RPZ records.
- RPZ-CLIENT-IP
IP records are triggered by the IP address of the DNS client. Client IP address triggers are encoded in records that have owner names that are subdomains of rpz-client-ip relativized to the policy zone origin name and encode an address or address block. IPv4 addresses are represented as
prefixlength.B4.B3.B2.B1.rpz-ip. The IPv4 prefix length must be between 1 and 32. All four bytes, B4, B3, B2, and B1, must be present. B4 is the decimal value of the least significant byte of the IPv4 address as in IN-ADDR.ARPA.IPv6 addresses are encoded in a format similar to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. Each of W8,...,W1 is a one to four digit hexadecimal number representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. All 8 words must be present except when one set of consecutive zero words is replaced with.zz.analogous to double colons (::) in standard IPv6 text encodings. The IPv6 prefix length must be between 64 and 128.- QNAME
QNAME policy records are triggered by query names of requests and targets of CNAME records resolved to generate the response. The owner name of a QNAME policy record is the query name relativized to the policy zone.
- RPZ-IP
IP triggers are IP addresses in an A or AAAA record in the ANSWER section of a response. They are encoded like client-IP triggers except as subdomains of rpz-ip.
- RPZ-NSDNAME
NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdname relativized to the RPZ origin name. NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records.
- RPZ-NSIP
NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains.
The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses are rewritten according to at most one d5717 2 a5718 2 Triggers or the records that encode them are chosen for the rewriting in the following order: d5722 1 a5722 1 first in the response-policy option. d5724 2 a5725 2
Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP triggers in a single zone. d5744 12 a5755 2 all response policy zones are again consulted for the DNAME or CNAME names and addresses. d5758 2 a5759 8 RPZ record sets are any types of DNS record except DNAME or DNSSEC that encode actions or responses to individual queries. Any of the policies can be used with any of the triggers. For example, while the TCP-only policy is commonly used with client-IP triggers, it cn be used with any type of trigger to force the use of TCP for responses with owner names in a zone. d5761 29 a5789 53 d5793 2 a5794 3 All of the actions specified in all of the individual records in a policy zone can be overridden with a policy clause in the d5796 2 a5797 3 An organization using a policy zone provided by another organization might use this mechanism to redirect domains to its own walled garden. d5799 33 a5831 29
- PASSTHRU
The whitelist policy is specified by a CNAME whose target is rpz-passthru. It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks.
- DROP
The blacklist policy is specified by a CNAME whose target is rpz-drop. It causes the response to be discarded. Nothing is sent to the DNS client.
- TCP-Only
The "slip" policy is specified by a CNAME whose target is rpz-tcp-only. It changes UDP responses to short, truncated DNS responses that require the DNS client to try again with TCP. It is used to mitigate distributed DNS reflection attacks.
- NXDOMAIN
The domain undefined response is encoded by a CNAME whose target is the root domain (.)
- NODATA
The empty set of resource records is specified by CNAME whose target is the wildcard top-level domain (*.). It rewrites the response to NODATA or ANCOUNT=1.
- Local Data
A set of ordinary DNS records can be used to answer queries. Queries for record types not the set are answered with NODATA.
A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) has been replaced with the query name. The purpose for this special form is query logging in the walled garden's authority DNS server.
d5835 3 a5837 4 By default, the actions encoded in a response policy zone are applied only to queries that ask for recursion (RD=1). That default can be changed for a single policy zone or all response policy zones in a view d5845 9 a5853 36 Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all response policy zones in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
- GIVEN
The placeholder policy says "do not override but perform the action specified in the zone."
- DISABLED
The testing override policy causes policy zone records to do nothing but log what they would have done if the policy zone were not disabled. The response to the DNS query will be written (or not) according to any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first.
- PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA
override with the corresponding per-record policy.
- CNAME domain
causes all RPZ policy records to act as if they were "cname domain" records.
No DNS records are needed for a QNAME or Client-IP trigger. The name or IP address itself is sufficient, so in principle the query name need not be recursively resolved. However, not resolving the requested name can leak the fact that response policy rewriting is in use and that the name is listed in a policy zone to operators of servers for listed names. To prevent that information leak, by default any recursion needed for a request is done before any policy triggers are considered. Because listed domains often have slow authoritative servers, this default behavior can cost significant time. The qname-wait-recurse no option overrides that default behavior when recursion cannot change a non-error response. The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution. It also does not affect DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. Using this option can cause error responses such as SERVFAIL to appear to be rewritten, since no recursion is being done to discover problems at the authoritative server. a5878 1 *.nxdomain.domain.com CNAME . ; NXDOMAIN policy a5879 1 *.nodata.domain.com CNAME *. ; NODATA policy a5881 1 bzone.domain.com CNAME garden.example.com. d5886 2 d5892 1 a5892 2 ; IP policy records that rewrite all responses containing A records in 127/8 ; except 127.0.0.1 a5898 161 ; blacklist and whitelist some DNS clients 112.zz.2001.rpz-client-ip CNAME rpz-drop. 8.0.0.0.127.rpz-client-ip CNAME rpz-drop. ; force some DNS clients and responses in the example.com zone to TCP 16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. example.com CNAME rpz-tcp-only. *.example.com CNAME rpz-tcp-only.
RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
d6213 2 a6214 2Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified by the base responses-per-second option (that is, responses-per-second with only a single argument and no additional modifiers). The default is 0, which indicates that there should be no limit. All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default base responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomains-per-second (default base responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default base responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the default base responses-per-second value, but it can be set separately with errors-per-second.
In addition to the base responses-per-second value, up to four (4) additional responses-per-second options can be configured, with additional parameters to indicate that they apply to responses larger than a given size, or with an amplification factor larger than a given value. The size parameter sets the minimum DNS response size that will trigger the use of this responses-per-second option. The ratio parameter sets the minimum DNS response-size / request-size ratio that falls into the band, to two decimal places. These selective rate limits are applied after any other rate limits have been applied, and they only apply to positive answers. For example:
rate-limit { responses-per-second 10; responses-per-second size 1100 5; };...indicates that responses should be limited to ten per second for responses up to 1099 bytes in size, but only five per second for responses larger than that. This configuration:
rate-limit { responses-per-second 10; responses-per-second ratio 7.25 5; responses-per-second ratio 15.00 2; }; a5899 177...indicates that responses should be limited to ten per second if the amplification factor is below 7.25, five per second if above 7.25 but below 15, and two per second if above 15.
Both sizes and ratios can be used together. For example:
rate-limit { responses-per-second 10; responses-per-second size 1000 ratio 5.00 5; responses-per-second ratio 10.00 2; };This configuration will rate-limit to five per second if the ratio is over 5 or the size is over 1000, and to two per second if the ratio is over 10. In the event that two bands might be chosen (i.e., because the size is over 1000 and the ratio is over 10), the one that appears last in the configuration file is the one chosen. To eliminate any ambiguity, it is recommended that under normal circumstnaces, rate limiting bands should be configured using either size or ratio parameters, but not both.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
The optional domain clause specifies the namespace to which rate limits will apply. It is possible to use different rate limits for different names by specifying multiple rate-limit blocks with different domain clauses. The rate-limit statement's domain most closely matches the query name will be the one applied to a given query.
Rate limiters for different name spaces maintain separate counters: If, for example, there is a rate-limit statement for "com" and another for "example.com", queries matching "example.com" will not be debited against the rate limiter for "com".
If a rate-limit statement does not specify a domain, then it applies to the root domain (".") and thus affects the entire DNS namespace, except those portions covered by other rate-limit statements.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources make TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
a5908 2 [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] a5910 1 [ nosit-udp-sizenumber; ] d5915 4 a5918 4 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d5920 1 a5920 1 [ port (ip_port|*) ] [dscpip_dscp] ; ] d5922 1 a5922 1 [ port (ip_port|*) ] [dscpip_dscp] ; ] d6012 1 a6012 2 silently adjusted to the nearest value within it). This option is useful when you wish to a6025 7 The nosit-udp-size option sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. The command max-udp-size option may further limit the response size.a6097 16
The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
The request-sit clause determines whether the local server will add a SIT EDNS option to requests sent to the server. This overrides request-sit set at the view or option level. Named may determine that SIT is not supported by the remote server and not add a SIT EDNS option to requests.
d6111 1 a6111 1 statistics-channels Statement Definition and d6123 2 a6124 3 It requires that BIND 9 be compiled with libxml2 and/or json-c (also known as libjson0); the statistics-channels statement is d6132 1 a6132 2 address. An ip_addr of*(asterisk) is a6158 54The statistics are available in various formats and views depending on the URI used to access them. For example, if the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
Broken-out subsets of the statistics can be viewed at http://127.0.0.1:8888/xml/v3/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/xml/v3/server (server and resolver statistics), http://127.0.0.1:8888/xml/v3/zones (zone statistics), http://127.0.0.1:8888/xml/v3/net (network status and socket statistics), http://127.0.0.1:8888/xml/v3/mem (memory manager statistics), http://127.0.0.1:8888/xml/v3/tasks (task manager statistics).
The full set of statistics can also be read in JSON format at http://127.0.0.1:8888/json, with the broken-out subsets at http://127.0.0.1:8888/json/v1/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/json/v1/server (server and resolver statistics), http://127.0.0.1:8888/json/v1/zones (zone statistics), http://127.0.0.1:8888/json/v1/net (network status and socket statistics), http://127.0.0.1:8888/json/v1/mem (memory manager statistics), http://127.0.0.1:8888/json/v1/tasks (task manager statistics).
d6171 1 a6171 1 trusted-keys Statement Definition d6211 1 a6211 1 managed-keys Statement Grammarnameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d6322 1 a6322 1 If the dnssec-validation option is d6325 4 a6328 7 root zone. Similarly, if the dnssec-lookaside option is set toauto, named will automatically initialize a managed key for the zonedlv.isc.org. In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d6346 1 a6346 1 view Statement Definition and Usage a6473 3 [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] d6475 2 a6476 2 [ also-notify {ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] a6479 1 [ check-spf (warn|fail|ignore); ] d6483 1 a6483 1 [ masterfile-format (text|raw|map) ; ] d6487 1 a6487 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d6500 3 a6502 3 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ zone-statisticsfull|terse|none; ] a6516 1 [ max-zone-ttlnumber; ] d6526 1 a6527 1 [ update-check-kskyes_or_no; ] d6532 1 a6532 1 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addra6533 1 [dscpip_dscp] d6538 1 a6538 1 [ masterfile-format (text|raw|map) ; ] d6542 1 a6542 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d6547 1 a6547 1 [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addra6548 1 [dscpip_dscp] d6559 3 a6561 3 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d6563 1 a6563 2 [portip_port] [dscpip_dscp] ; ] d6565 3 a6567 7 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] a6572 3 [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] d6592 1 a6592 1 [ masterfile-format (text|raw|map) ; ] d6594 2 a6595 2 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addra6596 1 [dscpip_dscp] d6601 1 a6601 1 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d6603 2 a6604 2 [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d6606 1 a6606 1 [portip_port] [dscpip_dscp] ; ] d6628 1 a6628 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d6635 1 a6635 1 [ masterfile-format (text|raw|map) ; ] a6636 1 [ max-zone-ttlnumber; ] a6642 4 zonezone_name[class] { [ in-viewstring; ] }; d6647 1 a6647 1 zone Statement Definition and Usage d6650 1 a6650 1 Zone Types d6887 4 a6890 6 Redirect zones are used to provide answers to queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. a6896 36To redirect all NXDOMAIN responses to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2, one would configure a type redirect zone named ".", with the zone file containing wildcard records that point to the desired addresses:
"*. IN A 100.100.100.2"and"*. IN AAAA 2001:ffff:ffff::100.100.100.2".To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced directly by name, they are not kept in the zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use rndc reload
d6930 1 a6930 1 Class d6952 1 a6952 1 Zone Options a7026 5zonenameto reload a redirect zone. However, when using rndc reload without specifying a zone name, redirect zones will be reloaded along with other zones.check-spf d7103 3 a7105 4 The flag only applies to forward, hint and stub zones. If set to See the description of check-spf in the section called “Boolean Options”.
yes, then the zone will also be treated as if it is also a delegation-only type zone. d7422 1 a7422 1 unsigned zone is transferred in or loaded from a7436 7max-zone-ttl a7858 45 See the description of max-zone-ttl in the section called “options Statement Definition and Usage”.
d7863 1 a7863 1 Zone File d7876 1 a7876 1 Resource Records d8613 1 a8613 1 Textual expression of RRs d8816 1 a8816 1 Discussion of MX Records d9072 1 a9072 1 Inverse Mapping in IPv4 d9133 1 a9133 1 Other Zone File Directives d9148 1 a9148 1 The @@ (at-sign) d9159 1 a9159 1 The $ORIGIN Directive d9188 1 a9188 1 The $INCLUDE Directive d9224 1 a9224 1 The $TTL Directive d9243 1 a9243 1 BIND Master File Extension: the $GENERATE Directive d9311 2 a9312 3 is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. d9439 5 a9443 1 other formats. d9446 5 a9450 19 TheWhen multiple views are in use, a zone may be referenced by more than one of them. Often, the views will contain different zones with the same name, allowing different clients to receive different answers for the same queries. At times, however, it is desirable for multiple views to contain identical zones. The in-view zone option provides an efficient way to do this: it allows a view to reference a zone that was defined in a previously configured view. Example:
view internal { match-clients { 10/8; }; zone example.com { type master; file "example-external.db"; }; }; view external { match-clients { any; }; zone example.com { in-view internal; }; };An in-view option cannot refer to a view that is configured later in the configuration file.
A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control the behavior of the containing view, rather than changing the zone object itself.)
rawformat is a binary representation of zone data in a manner similar to that used in zone transfers. Since it does not require parsing text, load time is significantly reduced.An even faster alternative is the
mapformat, which is an image of a BIND 9 in-memory zone database; it is capable of being loaded directly into memory via the mmap() function; the zone can begin serving queries almost immediately.For a primary server, a zone file in
rawormapformat is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically d9465 8 a9472 15 Note that map format is extremely architecture-specific. Amapfile cannot be used on a system with different pointer size, endianness or data alignment than the system on which it was generated, and should in general be used only inside a single system. Whilerawformat uses network byte order and avoids architecture-dependent data alignment so that it is as portable as possible, it is also primarily expected to be used inside the same single system. To export a zone file in eitherrawormapformat, or make a portable backup of such a file, conversion totextformat is recommended. d9574 1 a9574 2 "NXRRSET"). If a hash mark (#) is present then the RRset is marked for garbage collection. d9667 1 a9667 1 Name Server Statistics Counters a10218 39RateDropped
Responses dropped by rate limits.
RateSlipped
Responses truncated by rate limits.
d10224 1 a10224 1 Zone Maintenance Statistics Counters d10378 1 a10378 1 Resolver Statistics Counters d10761 1 a10761 1 Socket I/O Statistics Counters d10916 1 a10916 1 Compatibility with BIND 8 Counters @ 1.1.1.11 log @Upstream changelog since 9.9.1: --- 9.9.2-P1 released --- 3407. [security] Named could die on specific queries with dns64 enabled. [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] --- 9.9.2 released --- 3383. [security] A certain combination of records in the RBT could cause named to hang while populating the additional section of a response. [RT #31090] 3373. [bug] win32: open raw files in binary mode. [RT #30944] 3364. [security] Named could die on specially crafted record. [RT #30416] --- 9.9.2rc1 released --- 3370. [bug] Address use after free while shutting down. [RT #30241] 3369. [bug] nsupdate terminated unexpectedly in interactive mode if built with readline support. [RT #29550] 3368. [bug] RPZRewrites
Response policy zone rewrites.
, and were not C++ safe. 3367. [bug] dns_dnsseckey_create() result was not being checked. [RT #30685] 3366. [bug] Fixed Read-After-Write dependency violation for IA64 atomic operations. [RT #25181] 3365. [bug] Removed spurious newlines from log messages in zone.c [RT #30675] 3363. [bug] Need to allow "forward" and "fowarders" options in static-stub zones; this had been overlooked. [RT #30482] 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730] 3361. [bug] "rndc signing -nsec3param" didn't work correctly when salt was set to '-' (no salt). [RT #30099] 3360. [bug] 'host -w' could die. [RT #18723] 3359. [bug] An improperly-formed TSIG secret could cause a memory leak. [RT #30607] 3357. [port] Add support for libxml2-2.8.x [RT #30440] 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are approaching their expiry, so they don't remain in caches after expiry. [RT #26429] 3355. [port] Use more portable awk in verify system test. 3354. [func] Improve OpenSSL error logging. [RT #29932] --- 9.9.2b1 released --- 3353. [bug] Use a single task for task exclusive operations. [RT #29872] 3352. [bug] Ensure that learned server attributes timeout of the adb cache. [RT #29856] 3351. [bug] isc_mem_put and isc_mem_putanddetach didn't report caller if either ISC_MEM_DEBUGSIZE or ISC_MEM_DEBUGCTX memory debugging flags are set. [RT #30243] 3350. [bug] Memory read overrun in isc___mem_reallocate if ISC_MEM_DEBUGCTX memory debugging flag is set. [RT #30240] 3349. [bug] Change #3345 was incomplete. [RT #30233] 3348. [bug] Prevent RRSIG data from being cached if a negative record matching the covering type exists at a higher trust level. Such data already can't be retrieved from the cache since change 3218 -- this prevents it being inserted into the cache as well. [RT #26809] 3347. [bug] dnssec-settime: Issue a warning when writing a new private key file would cause a change in the permissions of the existing file. [RT #27724] 3346. [security] Bad-cache data could be used before it was initialized, causing an assert. [RT #30025] 3345. [bug] Addressed race condition when removing the last item or inserting the first item in an ISC_QUEUE. [RT #29539] 3344. [func] New "dnssec-checkds" command checks a zone to determine which DS records should be published in the parent zone, or which DLV records should be published in a DLV zone, and queries the DNS to ensure that it exists. (Note: This tool depends on python; it will not be built or installed on systems that do not have a python interpreter.) [RT #28099] 3342. [bug] Change #3314 broke saving of stub zones to disk resulting in excessive cpu usage in some cases. [RT #29952] 3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 3339. [func] Allow the maximum supported rsa exponent size to be specified: "max-rsa-exponent-size ;" [RT #29228] 3338. [bug] Address race condition in units tests: asyncload_zone and asyncload_zt. [RT #26100] 3337. [bug] Change #3294 broke support for the multiple keys in controls. [RT #29694] 3335. [func] nslookup: return a nonzero exit code when unable to get an answer. [RT #29492] 3334. [bug] Hold a zone table reference while performing a asyncronous load of a zone. [RT #28326] 3333. [bug] Setting resolver-query-timeout too low can cause named to not recover if it loses connectivity. [RT #29623] 3332. [bug] Re-use cached DS rrsets if possible. [RT #29446] 3331. [security] dns_rdataslab_fromrdataset could produce bad rdataslabs. [RT #29644] 3330. [func] Fix missing signatures on NOERROR results despite RPZ rewriting. Also - add optional "recursive-only yes|no" to the response-policy statement - add optional "max-policy-ttl" to the response-policy statement to limit the false data that "recursive-only no" can introduce into resolvers' caches - add a RPZ performance test to bin/tests/system/rpz when queryperf is available. - the encoding of PASSTHRU action to "rpz-passthru". (The old encoding is still accepted.) [RT #26172] 3329. [bug] Handle RRSIG signer-name case consistently: We generate RRSIG records with the signer-name in lower case. We accept them with any case, but if they fail to validate, we try again in lower case. [RT #27451] 3328. [bug] Fixed inconsistent data checking in dst_parse.c. [RT #29401] 3317. [func] Add ECDSA support (RFC 6605). [RT #21918] @ text @d51 1 a51 1 Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d480 1 a480 1 Syntax d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar a2272 1 [ max-rsa-exponent-sizenumber; ] d2292 1 a2292 5 [ response-policy {zone_name[ policy given | disabled | passthru | nxdomain | nodata | cnamedomain] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] ; ] d3727 1 a3727 1 Forwarding d3771 1 a3771 1 Dual-stack Servers d3973 2 a3974 2 to resolve a recursive query before failing. The default and minimum is10and the maximum is d3982 1 a3982 1 Interfaces d4450 1 a4450 1 UDP Port Lists d4492 1 a4492 1 Operating System Resource Limits d4654 1 a4654 1 Periodic Task Intervals a5241 7max-rsa-exponent-size d5512 1 a5512 1 Content Filtering d5635 1 a5635 1 Response Policy Zone (RPZ) Rewriting d5637 3 a5639 3 BIND 9 includes a limited mechanism to modify DNS responses for requests analogous to email anti-spam DNS blacklists. d5645 2 d5656 1 a5656 1 Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, d5658 1 a5658 1 QNAME RPZ records triggered by query names of requests and targets d5664 7 a5670 6 The second kind of RPZ trigger is an IP address in an A and AAAA record in the ANSWER section of a response. IP address triggers are encoded in records that have owner names that are subdomains of The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 to 4096 bits. The default zero (0) is also accepted and is equivalent to 4096.
rpz-iprelativized to the RPZ origin name and encode an IP address or address block. IPv4 trigger addresses are represented as d5688 3 a5690 3 NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. d5696 3 a5698 4 NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records. NSIP triggers are encoded like IP triggers except as subdomains of d5703 5 a5707 6 two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. Triggers or the records that encode them are chosen in the following order: d5710 2 a5711 2Choose the triggered record in the zone that appears first in the response-policy option. d5713 2 a5714 2 Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone. d5716 2 a5717 2 Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. d5719 1 a5719 1 Among IP or NSIP triggers, prefer the trigger d5722 2 a5723 2 Among triggers with the same prefex length, prefer the IP or NSIP trigger that matches d5731 2 a5732 2 DNAME or CNAME records and a policy record set has not been triggered, d5747 9 a5755 2 RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. d5758 3 a5760 2 The NXDOMAIN response is encoded by a CNAME whose target is the root domain (.) d5763 1 a5763 1 domain (*.) specifies the NODATA action, d5766 2 a5767 8 The Local Data action is represented by a set ordinary DNS records that are used to answer queries. Queries for record types not the set are answered with NODATA. A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) d5769 2 a5770 2 The purpose for this special form is query logging in the walled garden's authority DNS server. d5773 2 a5774 2 by a CNAME whose target is rpz_passthru. It causes the response to not be rewritten a5776 2 (A CNAME whose target is the variable part of its owner name is an obsolete specification of the PASSTHRU policy.) d5782 3 a5784 3 The actions specified in an RPZ can be overridden with a policy clause in the response-policy option. d5790 1 a5790 2 GIVEN says "do not override but perform the action specified in the zone." d5796 4 a5799 4 any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first. a5822 28 By default, the actions encoded in an RPZ are applied only to queries that ask for recursion (RD=1). That default can be changed for a single RPZ or all RPZs in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values on the externally visible name server or view. Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. The max-policy-ttl clause changes that maximum from its default of 5.
d5844 1 a5844 1 ok.domain.com CNAME rpz-passthru. d5854 1 a5854 1 32.1.0.0.127.rpz-ip CNAME rpz-passthru. d6071 1 a6071 1 statistics-channels Statement Definition and d6131 1 a6131 1 trusted-keys Statement Definition d6171 1 a6171 1 managed-keys Statement Grammar d6306 1 a6306 1 view Statement Definition and Usage d6474 1 a6474 1 [ inline-signing
yes_or_no; ] d6607 1 a6607 1 zone Statement Definition and Usage d6610 1 a6610 1 Zone Types d6890 1 a6890 1 Class d6912 1 a6912 1 Zone Options d7662 1 a7662 1 is specified in theidentityd7680 1 a7680 1identityfield. d7696 1 a7696 1 is specified in theidentityd7714 1 a7714 1identityfield. d7823 1 a7823 1 Zone File d7836 1 a7836 1 Resource Records d8573 1 a8573 1 Textual expression of RRs d8776 1 a8776 1 Discussion of MX Records d9032 1 a9032 1 Inverse Mapping in IPv4 d9093 1 a9093 1 Other Zone File Directives d9108 1 a9108 1 The @@ (at-sign) d9119 1 a9119 1 The $ORIGIN Directive d9148 1 a9148 1 The $INCLUDE Directive d9184 1 a9184 1 The $TTL Directive d9203 1 a9203 1 BIND Master File Extension: the $GENERATE Directive d9627 1 a9627 1 Name Server Statistics Counters d10184 1 a10184 1 Zone Maintenance Statistics Counters d10338 1 a10338 1 Resolver Statistics Counters d10721 1 a10721 1 Socket I/O Statistics Counters d10876 1 a10876 1 Compatibility with BIND 8 Counters @ 1.1.1.12 log @Import bind 9.9.3-P2 @ text @d2 1 a2 1 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d412 2 a413 14 A 64-bit unsigned integer, or the keywordsunlimitedordefault.Integers may take values 0 <= value <= 18446744073709551615, though certain parameters may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as psosible", depending on the context. See the expalantions of particular parameters that use
size_specfor details on how they interpret its use. d416 7 a422 2 Numeric values can optionally be followed by a scaling factor: d427 3 a429 13Gorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.] d2427 7 a2433 16
unlimitedgenerally means "as big as possible", though in certain contexts, (includingmax-cache-size), it may mean the largest possible 32-bit unsigned integer (0xffffffff); this distinction can be important when dealing with larger quantities.unlimitedis usually the best way to safely set a very large number. d432 5 a436 2defaultuses the limit that was in force when the server was started. d480 1 a480 1 Syntax d489 1 a489 1 Definition and Usage d573 1 a573 1 Comment Syntax d583 1 a583 1 Syntax d599 1 a599 1 Definition and Usage d853 1 a853 1 acl Statement Grammar d935 1 a935 1 controls Statement Grammar d1059 1 a1059 1 include Statement Grammar d1064 1 a1064 1 include Statement Definition and d1079 1 a1079 1 key Statement Grammar d1088 1 a1088 1 key Statement Definition and Usage d1135 1 a1135 1 logging Statement Grammar d1140 1 a1140 1 [ sizesize_spec] d1159 1 a1159 1 logging Statement Definition and d1193 1 a1193 1 The channel Phrase d1777 1 a1777 1 The query-errors Category d2005 1 a2005 1 lwres Statement Grammar d2021 1 a2021 1 lwres Statement Definition and Usage d2072 1 a2072 1 masters Statement Grammar d2080 1 a2080 1 masters Statement Definition and d2090 1 a2090 1 options Statement Grammar d2120 1 a2120 1 [ zone-statisticsfull|terse|none; ] a2133 1 [ request-nsidyes_or_no; ] a2159 1 [ check-spf (warn|fail|ignore); ] d2297 1 a2297 1 [ break-dnssecyes_or_no] [ min-ns-dotsnumber] ;d2707 1 a2707 1 from https://www.isc.org/solutions/dlv/. a2847 31 Specifies the directory in which to store the files that track managed DNSSEC keys. By default, this is the working directory.
If named is not configured to use views, then managed keys for the server will be tracked in a single file called
managed-keys.bind. Otherwise, managed keys will be tracked in separate files, one file per view; each file name will be the SHA256 hash of the view name, followed by the extension.mkeys.zone-statistics a3234 11 If
full, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics terse or zone-statistics none in the zone statement). The default isterse, providing minimal statistics on zones (including name and current serial number, but not query type counters).These statistics may be accessed via the statistics-channel or using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.
For backward compatibility with earlier versions of BIND 9, the zone-statistics option can also accept
yesorno, which have the same effect asfullandterse, respectively.request-nsid d3257 14 d3594 1 a3594 2 If
yes, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in the resolver category at level info. The default isno.a3623 8 d3606 1 a3606 9
Check that the two forms of Sender Policy Framework records (TXT records starting with "v=spf1" and SPF) either both exist or both don't exist. Warnings are emitted it they don't and be suppressed with check-spf.
check-spf d3732 1 a3732 1 Forwarding d3776 1 a3776 1 Dual-stack Servers a3850 6 Note that allow-query-on is only checked for queries that are permitted by allow-query. A query must be allowed by both ACLs, or it will be refused. When performing integrity checks, check that the two forms of Sender Policy Framwork records (TXT records starting with "v=spf1" and SPF) both exist or both don't exist and issue a warning if not met. The default is warn.
d3987 1 a3987 1 Interfaces d4455 1 a4455 1 UDP Port Lists d4497 1 a4497 1 Operating System Resource Limits d4577 2 a4578 4 will be automatically removed. The largest permitted value is 2 gigabytes. The default is
unlimited, which also means 2 gigabytes. d4659 1 a4659 1 Periodic Task Intervals d5268 6 a5273 10 default view of class IN. Most global configuration options (allow-query, etc) will apply to this view, but some are locally overridden: notify, recursion and allow-new-zones are always set tono.If you need to disable these zones, use the options d5328 1 a5328 1 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the a5359 64
64.100.IN-ADDR.ARPA 65.100.IN-ADDR.ARPA 66.100.IN-ADDR.ARPA 67.100.IN-ADDR.ARPA 68.100.IN-ADDR.ARPA 69.100.IN-ADDR.ARPA 70.100.IN-ADDR.ARPA 71.100.IN-ADDR.ARPA 72.100.IN-ADDR.ARPA 73.100.IN-ADDR.ARPA 74.100.IN-ADDR.ARPA 75.100.IN-ADDR.ARPA 76.100.IN-ADDR.ARPA 77.100.IN-ADDR.ARPA 78.100.IN-ADDR.ARPA 79.100.IN-ADDR.ARPA 80.100.IN-ADDR.ARPA 81.100.IN-ADDR.ARPA 82.100.IN-ADDR.ARPA 83.100.IN-ADDR.ARPA 84.100.IN-ADDR.ARPA 85.100.IN-ADDR.ARPA 86.100.IN-ADDR.ARPA 87.100.IN-ADDR.ARPA 88.100.IN-ADDR.ARPA 89.100.IN-ADDR.ARPA 90.100.IN-ADDR.ARPA 91.100.IN-ADDR.ARPA 92.100.IN-ADDR.ARPA 93.100.IN-ADDR.ARPA 94.100.IN-ADDR.ARPA 95.100.IN-ADDR.ARPA 96.100.IN-ADDR.ARPA 97.100.IN-ADDR.ARPA 98.100.IN-ADDR.ARPA 99.100.IN-ADDR.ARPA 100.100.IN-ADDR.ARPA 101.100.IN-ADDR.ARPA 102.100.IN-ADDR.ARPA 103.100.IN-ADDR.ARPA 104.100.IN-ADDR.ARPA 105.100.IN-ADDR.ARPA 106.100.IN-ADDR.ARPA 107.100.IN-ADDR.ARPA 108.100.IN-ADDR.ARPA 109.100.IN-ADDR.ARPA 110.100.IN-ADDR.ARPA 111.100.IN-ADDR.ARPA 112.100.IN-ADDR.ARPA 113.100.IN-ADDR.ARPA 114.100.IN-ADDR.ARPA 115.100.IN-ADDR.ARPA 116.100.IN-ADDR.ARPA 117.100.IN-ADDR.ARPA 118.100.IN-ADDR.ARPA 119.100.IN-ADDR.ARPA 120.100.IN-ADDR.ARPA 121.100.IN-ADDR.ARPA 122.100.IN-ADDR.ARPA 123.100.IN-ADDR.ARPA 124.100.IN-ADDR.ARPA 125.100.IN-ADDR.ARPA 126.100.IN-ADDR.ARPA 127.100.IN-ADDR.ARPA d5524 1 a5524 1 Content Filtering d5577 1 a5577 1 d5647 1 a5647 1 Response Policy Zone (RPZ) Rewriting d5703 2 a5709 4 NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains. d5748 10 d5782 1 a5782 1 by a CNAME whose target is rpz-passthru. a5899 19RPZ can affect server performance. Each configured response policy zone requires the server to perform one to four additional database lookups before a query can be answered. For example, a DNS server with four policy zones, each with all four kinds of response triggers, QNAME, IP, NSIP, and NSDNAME, requires a total of 17 times as many database lookups as a similar DNS server with no response policy zones. A BIND9 server with adequate memory and one response policy zone with QNAME and IP triggers might achieve a maximum queries-per-second rate about 20% lower. A server with four response policy zones with QNAME and IP triggers might have a maximum QPS rate about 50% lower.
Responses rewritten by RPZ are counted in the RPZRewrites statistics.
d6111 1 a6111 1 statistics-channels Statement Definition and a6158 24If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When BIND 9 is configured with --enable-newstats, a new XML schema is used (version 3) which adds additional zone statistics and uses a flatter tree for more efficient parsing. The stylesheet included uses the Google Charts API to render data into into charts and graphs when using a javascript-capable browser.
Applications that depend on a particular XML schema can request http://127.0.0.1:8888/xml/v2 for version 2 of the statistics XML schema or http://127.0.0.1:8888/xml/v3 for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error.
d6171 1 a6171 1 trusted-keys Statement Definition d6211 1 a6211 1 managed-keys Statement Grammar d6213 2 a6214 2nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d6322 1 a6322 1 If the dnssec-validation option is d6325 4 a6328 7 root zone. Similarly, if the dnssec-lookaside option is set toauto, named will automatically initialize a managed key for the zonedlv.isc.org. In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d6346 1 a6346 1 view Statement Definition and Usage a6473 3 [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] a6479 1 [ check-spf (warn|fail|ignore); ] d6502 1 a6502 1 [ zone-statisticsfull|terse|none; ] d6526 1 a6527 1 [ update-check-kskyes_or_no; ] d6567 1 a6567 5 [ zone-statisticsfull|terse|none; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] a6572 3 [ key-directorypath_name; ] [ auto-dnssecallow|maintain|off; ] [ inline-signingyes_or_no; ] d6647 1 a6647 1 zone Statement Definition and Usage d6650 1 a6650 1 Zone Types d6887 4 a6890 6 Redirect zones are used to provide answers to queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported per view. allow-query can be used to restrict which clients see these answers. a6896 36To redirect all NXDOMAIN responses to 100.100.100.2 and 2001:ffff:ffff::100.100.100.2, one would configure a type redirect zone named ".", with the zone file containing wildcard records that point to the desired addresses:
"*. IN A 100.100.100.2"and"*. IN AAAA 2001:ffff:ffff::100.100.100.2".To redirect all Spanish names (under .ES) one would use similar entries but with the names "*.ES." instead of "*.". To redirect all commercial Spanish names (under COM.ES) one would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all possible types; it is not limited to A and AAAA records.
Because redirect zones are not referenced directly by name, they are not kept in the zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use rndc reload
d6930 1 a6930 1 Class d6952 1 a6952 1 Zone Options a7026 5zonenameto reload a redirect zone. However, when using rndc reload without specifying a zone name, redirect zones will be reloaded along with other zones.check-spf d7422 1 a7422 1 unsigned zone is transferred in or loaded from d7863 1 a7863 1 Zone File d7876 1 a7876 1 Resource Records d8613 1 a8613 1 Textual expression of RRs d8816 1 a8816 1 Discussion of MX Records d9072 1 a9072 1 Inverse Mapping in IPv4 d9133 1 a9133 1 Other Zone File Directives d9148 1 a9148 1 The @@ (at-sign) d9159 1 a9159 1 The $ORIGIN Directive d9188 1 a9188 1 The $INCLUDE Directive d9224 1 a9224 1 The $TTL Directive d9243 1 a9243 1 BIND Master File Extension: the $GENERATE Directive d9667 1 a9667 1 Name Server Statistics Counters a10218 13 See the description of check-spf in the section called “Boolean Options”.
d10224 1 a10224 1 Zone Maintenance Statistics Counters d10378 1 a10378 1 Resolver Statistics Counters d10761 1 a10761 1 Socket I/O Statistics Counters d10916 1 a10916 1 Compatibility with BIND 8 Counters @ 1.1.1.13 log @Import bind 9.9.5b1 @ text @d51 1 a51 1 RPZRewrites
Response policy zone rewrites.
Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d494 1 a494 1 Syntax d503 1 a503 1 Definition and Usage d587 1 a587 1 Comment Syntax d597 1 a597 1 Syntax d613 1 a613 1 Definition and Usage d867 1 a867 1 acl Statement Grammar d949 1 a949 1 controls Statement Grammar d1073 1 a1073 1 include Statement Grammar d1078 1 a1078 1 include Statement Definition and d1093 1 a1093 1 key Statement Grammar d1102 1 a1102 1 key Statement Definition and Usage d1149 1 a1149 1 logging Statement Grammar d1173 1 a1173 1 logging Statement Definition and d1207 1 a1207 1 The channel Phrase a1307 3 On Windows machines syslog messages are directed to the EventViewer.a1785 31
d1791 1 a1791 1 The query-errors Category d2019 1 a2019 1 lwres Statement Grammar d2035 1 a2035 1 lwres Statement Definition and Usage d2086 1 a2086 1 masters Statement Grammar d2094 1 a2094 1 masters Statement Definition and d2104 1 a2104 1 options Statement Grammar d2276 1 a2276 1 [ dns64 rate-limit
(Only available when BIND 9 is configured with the
--enable-rrloption at compile time.)The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
ipv6-prefix{ a2308 17 [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] d2870 1 a2870 1 via dynamic update; this is not yet implemented.) d3761 1 a3761 1 sets the frequency of automatic repository checks, in d3802 1 a3802 1 Forwarding d3846 1 a3846 1 Dual-stack Servers d4063 1 a4063 1 Interfaces d4531 1 a4531 1 UDP Port Lists d4573 1 a4573 1 Operating System Resource Limits d4724 1 a4724 1 The listen queue depth. The default and minimum is 10. d4729 3 a4731 4 some data before being passed to accept. Nonzero values less than 10 will be silently raised. A value of 0 may also be used; on most platforms this sets the listen queue length to a system-defined default value. d4737 1 a4737 1 Periodic Task Intervals d5670 1 a5670 1 Content Filtering d5793 1 a5793 1 Response Policy Zone (RPZ) Rewriting a6057 226d6268 1 a6268 1 statistics-channels Statement Definition and d6352 1 a6352 1 trusted-keys Statement Definition d6392 1 a6392 1 managed-keys Statement Grammar d6530 1 a6530 1 view Statement Definition and Usage d6842 1 a6842 1 zone Statement Definition and Usage d6845 1 a6845 1 Zone Types d7163 1 a7163 1 Class d7185 1 a7185 1 Zone Options d8101 1 a8101 1 Zone File d8114 1 a8114 1 Resource Records d8851 1 a8851 1 Textual expression of RRs d9054 1 a9054 1 Discussion of MX Records d9310 1 a9310 1 Inverse Mapping in IPv4 d9371 1 a9371 1 Other Zone File Directives d9386 1 a9386 1 The @@ (at-sign) d9397 1 a9397 1 The $ORIGIN Directive d9426 1 a9426 1 The $INCLUDE Directive d9462 1 a9462 1 The $TTL Directive d9481 1 a9481 1 BIND Master File Extension: the $GENERATE Directive d9905 1 a9905 1 Name Server Statistics Counters a10469 26This feature is only available when BIND 9 is compiled with the
--enable-rrloption on the "configure" command line.Excessive almost identical UDP responses can be controlled by configuring a rate-limit clause in an options or view statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide rate-limited responses to legitimate clients within a range of forged, attacked IP addresses. Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively.
This mechanism is intended for authoritative DNS servers. It can be used on recursive servers but can slow applications such as SMTP servers (mail receivers) and HTTP clients (web browsers) that repeatedly request the same domains. When possible, closing "open" recursive servers is better.
Response rate limiting uses a "credit" or "token bucket" scheme. Each combination of identical response and client has a conceptual account that earns a specified number of credits every second. A prospective response debits its account by one. Responses are dropped or truncated while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with the window option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit or more negative than window times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited.
The notions of "identical response" and "DNS client" for rate limiting are not simplistic. All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56).
All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified with responses-per-second (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by nodata-per-second (default responses-per-second). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. They are limited by nxdomain-per-second (default responses-per-second). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by referrals-per-second (default responses-per-second).
Responses generated from local wildcards are counted and limited as if they were for the parent domain name. This controls flooding using random.wild.example.com.
All requests that result in DNS errors other than NXDOMAIN, such as SERVFAIL and FORMERR, are identical regardless of requested name (qname) or record type (qtype). This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the responses-per-second value, but it can be set separately with errors-per-second.
Many attacks using DNS involve UDP requests with forged source addresses. Rate limiting prevents the use of BIND 9 to flood a network with responses to requests with forged source addresses, but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. Setting slip to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. slip must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. A value of 1 causes every response to slip; values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead leaked at the slip rate.
(NOTE: Dropped responses from an authoritative server may reduce the difficulty of a third party successfully forging a response to a recursive resolver. The best security against forged responses is for authoritative operators to sign their zones using DNSSEC and for resolver operators to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting slip to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.)
When the approximate query per second rate exceeds the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. This feature can tighten defenses during attacks. For example, with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to (250/1000)*20 or 5. Responses sent via TCP are not limited but are counted to compute the query per second rate.
Communities of DNS clients can be given their own parameters or no rate limiting by putting rate-limit statements in view statements instead of the global option statement. A rate-limit statement in a view replaces, rather than supplementing, a rate-limit statement among the main options. DNS clients within a view can be exempted from rate limits with the exempt-clients clause.
UDP responses of all kinds can be limited with the all-per-second phrase. This rate limiting is unlike the rate limiting provided by responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests.
The maximum size of the table used to track requests and rate limit responses is set with max-table-size. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, min-table-size (default 500) can set the minimum table size. Enable rate-limit category logging to monitor expansions of the table and inform choices for the initial and maximum table size.
Use log-only yes to test rate limiting parameters without actually dropping any requests.
Responses dropped by rate limits are included in the RateDropped and QryDropped statistics. Responses that truncated by rate limits are included in RateSlipped and RespTruncated.
RateDropped
Responses dropped by rate limits.
d10475 1 a10475 1 Zone Maintenance Statistics Counters d10629 1 a10629 1 Resolver Statistics Counters d11012 1 a11012 1 Socket I/O Statistics Counters d11167 1 a11167 1 Compatibility with BIND 8 Counters @ 1.1.1.14 log @Introduction BIND 9.10.0b1 is the first beta development release of BIND 9.10, a new branch of BIND 9. This document summarizes features added or significantly changed since the previous major release, BIND 9.9. Items that were not in the previous development release, BIND 9.10.0a2, are marked with asterisks (**). Bug fixes since the previous development release are also summarized. Please see the CHANGES file in the source code release for a complete list of all changes. Download The latest versions of BIND 9 software can always be found on our web site at http://www.isc.org/downloads/. There you will find additional information about each release, source code, and pre-compiled versions for Microsoft Windows operating systems. Support Professional support is provided by Internet Systems Consortium, Inc., doing business as DNSco. Information about paid support options is available at http://www.dns-co.com/solutions/. Free support is provided by our user community via a mailing list. Information on all public email lists is available at https://www.isc.org/community/mailing-list/. New Features DNS Response-rate limiting (DNS RRL), which blunts the impact of reflection and amplification attacks, is always compiled in and no longer requires a compile-time option to enable it. An experimental "Source Identity Token" (SIT) EDNS option is now available. Similar to DNS Cookies (as invented by Donald Eastlake III and described in draft-eastlake-dnsext-cookies-04), these are designed to enable clients to detect off-path spoofed responses, and to enable servers to detect spoofed-source queries. Servers can be configured to send smaller responses to clients that have not identified themselves using a SIT option, reducing the effectiveness of amplification attacks. RRL processing has also been updated: clients proven to be legitimate via SIT are not subject to rate limiting. Use "configure --enable-sit" to enable this feature in BIND 9. [RT #35389] ** A new zone file format, "map", stores zone data in a format that can be mapped directly into memory, allowing significantly faster zone loading. [RT #25419] "delve" (domain entity lookup and validation engine) is a new tool with dig-like semantics for looking up DNS data and performing internal DNSSEC validation. This allows easy validation in environments where the resolver may not be trustworthy, and assists with troubleshooting of DNSSEC problems. (Note: not yet available on Windows.) [RT #32406] ** The new "prefetch" option can improve recursive resolver performance: when it is in use, cache records that are still being requested by clients will automatically be refreshed from the authoritative server before they expire, reducing or eliminating the time window in which no answer is available in the cache. [RT #35041] Improved EDNS processing allows better resolver performance and reliability over slow or lossy connections. [RT #30655] Substantial improvements have been made in response-policy zone (RPZ) performance. Up to 32 response-policy zones can now be configured. Performance loss due to adding additional RPZs is minimal. RPZ now allows response policies to be configured based on the IP address of the client. ACLs can now be specified based on geographic location using the MaxMind GeoIP databases. Use "configure --with-geoip" to enable this feature in BIND 9. Thanks to Ken Brownfield for the contribution. [RT #30681] The version 3 XML schema for the statistics channel, including new statistics and a flattened XML tree for faster parsing, is no longer optional. The version 2 XML schema is now deprecated. [RT #30023] Improvements have been made to the XSL stylesheet used for XML statistics: The stylesheet can now be cached by the browser; section headers are omitted when the sections have no data to display; counter readability has been improved. Also, broken-out subgroups of XML statistics (server, zones, net, tasks, mem, and status) can now be requested. Thanks to Timothe Litt for the assistance. [RT #35115] [RT #35117] The statistics channel can now provide data in JSON format as well as XML. Per-zone stats counters have been added to track TCP and UDP queries. [RT #35375] ** Server-wide stats counters have been added to track EDNS options received. [RT #35447] ** The new "in-view" zone option allows zone data to be shared between views, so that multiple views can serve the same zones authoritatively without storing multiple copies in memory. [RT #32968] A new compile-time option, "configure --enable-native-pkcs11", allows the BIND 9 cryptography functions to use the PKCS#11 API natively, so that BIND can drive a cryptographic hardware service module (HSM) directly instead of using a modified OpenSSL as an intermediary. This has been tested with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031] When re-signing a zone, the new "dnssec-signzone -Q" option drops signatures from keys that are still published but are no longer active. Thanks to Pierre Beyssac for the contribution. [RT #34990] New options have been added to "dnssec-coverage": -z and -k indicate whether to limit coverage checks to ZSK's or KSK's, and -l limits coverage checking to a specified duration. Thanks to Peter Palfrader for the contribution. [RT #35168] "named-checkconf -px" will print the contents of configuration files with the shared secrets obscured, making it easier to share configuration (e.g. when submitting a bug report) without revealing private information. [RT #34465] Added a "no-case-compress" ACL, which causes "named" to use case-insensitive compression for specified clients. This is useful when dealing with broken client implementations that use case-sensitive name comparisons, rejecting responses that fail to match the capitalization of the query that was sent. "named" now preserves the capitalization of names when responding to queries: for instance, a query for "example.com" may be answered with "example.COM" if the name was configured that way in the zone file. Some clients have a bug causing them to depend on the older behavior, in which the case of the answer always matched the case of the query, rather than the case of the name configured in the DNS. Such clients can now be specified in the new "no-case-compress" ACL; this will restore the older behavior of "named" for those clients only. [RT #35300] ** On operating systems that support routing sockets, including Mac OSX, *BSD and Linux, network interfaces are re-scanned automatically whenever they change. Use "automatic-interface-scan no;" to disable this feature. [RT #23027] ** Added "rndc scan" to trigger an interface scan manually. [RT #23027] ** A new compile-time option, "configure --with-tuning=3Dlarge", tunes various compiled-in constants and default settings to values suited to large servers with abundant memory. This can improve performance on such servers, but will consume more memory and may degrade performance on smaller systems. [RT #29538] ** The new "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405] ** Added a new "dig +subnet" option to send an EDNS CLIENT-SUBNET option (as described in draft-vandergaast-edns-client-subnet-02) containing the specified address/prefix when querying. Thanks to Wilmer van der Gaast for the contribution. [RT #35415] ** Partially implemented the EDNS EXPIRE option (as described in draft-andrews-dnsext-expire-00). "dig +expire" sends an EXPIRE option when querying. When this option is sent with an SOA query to a slave zone running on a server that supports the option, the response will report the time until the slave zone expires. EXPIRE uses an experimental option code (65002), which is subject to change when a permanent code is assigned by IANA. [RT #35416] ** Multiple DLZ databases can now be configured, and are searched in order to find one that can answer an incoming query. Individual zones can now be configured to be served from a specific DLZ database. DLZ databases can serve zones of type "master" and "redirect". "named-checkzone" and "named-compilezone" can now read journal files, allowing them to process dynamic zones without the zones needing to be frozen first. The "rndc" command now supports new key algorithms in addition to HMAC-MD5, including HMAC-SHA1, -SHA224, -SHA256, -SHA384, and -SHA512. The -A option to rndc-confgen can be used to select the algorithm for the generated key. (The default is still HMAC-MD5; this may change in a future release.) [RT #20363] The internal and export versions of the BIND libraries (libisc, libdns, etc) have been unified so that external library clients can use the same libraries as BIND itself. [RT #33131] Added a "Configure" script for Windows to simplify enabling or disabling optional features. All versions of Visual Studio up to 2013 are now supported, and support has been added for 64-bit builds. Zip files containing pre-compiled 64-bit versions of BIND 9 are now included with releases. [RT #34160] ** "rndc zonestatus" reports information about a specified zone. "named" now listens on IPv6 as well as IPv4 interfaces by default. Feature Changes The default setting for the -U option (setting the number of UDP listeners per interface) has been adjusted to improve performance. [RT #35417] ** Updated zkt and nslint in the contrib directory to the newest versions: zkt 1.1.2 and nslint-3.0a2. ** The isc_bitstring API is no longer used and has been removed from the libisc library. [RT #35284] ** The word "never" can now be used as a synonym for "none" when configuring key event dates in the dnssec tools. [RT #35277] ** The new libiscpk11 library, introduced in the previous development release to support native PKCS#11, has been merged into libisc to simplify dependencies. [RT #35205] ** Documentation of native PKCS#11 has been expanded, specifically to describe the new pkcs11: URI format used in key labels. [RT #35287] *= * The Windows installer now places files in the Program Files area rather than system services. [RT #35361] ** The timestamps included in RRSIG records can now be read as integers indicating the number of seconds since the UNIX epoch, in addition to being read as formatted dates in YYYYMMDDHHMMSS format. [RT #35185] The irs_resconf_load() function, used for reading /etc/resolv.conf, now returns ISC_R_FILENOTFOUND when the file is missing or unreadable. However, it will still initialize an irs_resconf structure as if the file had been configured with nameservers at the IPv4 and IPv6 localhost addresses. Existing code that uses irs_resconf_load() will need to be updated to treat ISC_R_FILENOTFOUND as a qualified success, or it may leak memory due to treating the result as a failure even though an irs_resconf structure was allocated; see CHANGES for sample C code that implements the correct behavior [RT #35194] Bug Fixes "dnssec-keygen" could set the publication date incorrectly when only the activation date was specified on the command line. [RT #35278] Fixed a type mismatch causing the ODBC DLZ driver to dump core on 64-bit systems. [RT #35324] Improved building with libtool. [RT #35314] When a server is specified by name in "nsupdate", all addresses for that name will be tried before giving up. Previously, if the first address for the server name was not reachable the update would fail. [RT #25784] Fixed an assertion failure caused by using "rndc retransfer" with inline-signing zones. [RT #35353] Fixed a build failure from using "./configure --enable-openssl-hash". [RT #35343] The "delegation-only" flag now works in zones of type "forward". (This had previously been documented to work, but this was actually rejected by the configuration parser.) [RT #35392] Fixed a race condition which could lead to a core dump when destroying a resolver fetch object. [RT #35385] Addressed a potential REQUIRE failure that could occur when printing out an rdataset using a format that includes comment data. The "allow-notify" ACL formerly ignored TSIG keys; this has been corrected. [RT #35425] Fixed an uninitialized pointer in log.c that could potentially have caused a core dump on some platforms. [RT #35260] Thank You Thank you to everyone who assisted us in making this release possible. If you would like to contribute to ISC to assist us in continuing to make quality open source software, please visit our donations page at http://www.isc.org/donate/. (c) 2001-2014 Internet Systems Consortium @ text @d2 1 a2 1 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1 RateSlipped
Responses truncated by rate limits.
Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a279 15ip_dscpA
numberbetween 0 and 63, used to select a differentiated services code point (DSCP) value for use with outgoing traffic on operating systems that support DSCP.d419 6 a424 8 certain parameters (such as max-journal-size) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible", depending on the context. See the expalantions of particular parameters that use
size_specd440 7 a446 2 "as big as possible", and is usually the best way to safely set a very large number. d494 1 a494 1 Syntax d503 1 a503 1 Definition and Usage d587 1 a587 1 Comment Syntax d597 1 a597 1 Syntax d613 1 a613 1 Definition and Usage d867 1 a867 1 acl Statement Grammar a945 54When BIND 9 is built with GeoIP support, ACLs can also be used for geographic access restrictions. This is done by specifying an ACL element of the form: geoip [db
database]fieldvalueThe
fieldindicates which field to search for a match. Available fields are "country", "region", "city", "continent", "postal" (postal code), "metro" (metro code), "area" (area code), "tz" (timezone), "isp", "org", "asnum", "domain" and "netspeed".
valueis the value to searched for within the database. A string may be quoted if it contains spaces or other special characters. If this is a "country" search and the string is two characters long, then it must be a standard ISO-3166-1 two-letter country code, and if it is three characters long then it must be an ISO-3166-1 three-letter country code; otherwise it is the full name of the country. Similarly, if this is a "region" search and the string is two characters long, then it must be a standard two-letter state or province abbreviation; otherwise it is the full name of the state or province.The
databasefield indicates which GeoIP database to search for a match. In most cases this is unnecessary, because most search fields can only be found in a single database. However, searches for country can be answered from the "city", "region", or "country" databases, and searches for region (i.e., state or province) can be answered from the "city" or "region" databases. For these search types, specifying adatabasewill force the query to be answered from that database and no other. Ifdatabaseis not specified, then these queries will be answered from the "city", database if it is installed, or the "region" database if it is installed, or the "country" database, in that order.Some example GeoIP ACLs:
geoip country US; geoip country JAP; geoip db country country Canada; geoip db region region WA; geoip city "San Francisco"; geoip region Oklahoma; geoip postal 95062; geoip tz "America/Los_Angeles"; geoip org "Internet Systems Consortium";d949 1 a949 1 controls Statement Grammar d1073 1 a1073 1 include Statement Grammar d1078 1 a1078 1 include Statement Definition and d1093 1 a1093 1 key Statement Grammar d1102 1 a1102 1 key Statement Definition and Usage d1149 1 a1149 1 logging Statement Grammar d1173 1 a1173 1 logging Statement Definition and d1207 1 a1207 1 The channel Phrase d1737 2 a1738 2 delegation-only in a forward, hint or stub zone declaration. d1795 5 d1825 1 a1825 1 The query-errors Category d2053 1 a2053 1 lwres Statement Grammar d2059 2 a2060 2 [ listen-on {ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d2069 1 a2069 1 lwres Statement Definition and Usage d2120 1 a2120 1 masters Statement Grammar d2122 1 a2122 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2128 1 a2128 1 masters Statement Definition and d2138 1 a2138 1 options Statement Grammar a2181 1 [ request-sityes_or_no; ] d2195 4 a2198 4 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ dual-stack-servers [portip_port] [dscpip_dscp] { (domain_name[portip_port] [dscpip_dscp] |ip_addr[portip_port] [dscpip_dscp]) ; a2228 1 [ no-case-compress {address_match_list}; ] d2233 2 a2234 3 [ listen-on [ portip_port] [dscpip_dscp] {address_match_list}; ] [ listen-on-v6 [ portip_port] [dscpip_dscp] {address_match_list}; ] d2236 1 a2236 2 [ port (ip_port|*) ] [ dscpip_dscp] | d2238 1 a2238 2 [ port (ip_port|*) ] ) [ dscpip_dscp] ; ] d2240 1 a2240 2 [ port (ip_port|*) ] [ dscpip_dscp] | d2242 1 a2242 2 [ port (ip_port|*) ] ) [ dscpip_dscp] ; ] d2260 5 a2264 4 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d2267 2 a2268 2 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d2271 2 a2272 2 [portip_port] [dscpip_dscp] [keykeyname] ; [ip_addr[portip_port] [dscpip_dscp] [keykeyname] ; ... ] }; ] a2288 1 [ max-zone-ttlnumber; ] a2302 1 [ dscpip_dscp] ; a2308 1 [ filter-aaaa-on-v6 (yes_or_no|break-dnssec); ] a2327 2 [ disable-ds-digestsdomain{digest_type; [digest_type; ] }; ] d2333 1 a2333 2 [ masterfile-format (text|raw|map) ; ] d2344 1 a2344 2 [ domaindomain; ] [ responses-per-second [sizenumber] [ratiofixedpoint]number; ] d2361 1 a2361 1 [ policy given | disabled | passthru | drop | nxdomain | nodata | cnamedomain] d2364 1 a2364 2 [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] d2742 1 a2742 2d2747 2 a2748 25 Only the best match disable-algorithms clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered by the disable-algorithms will be treated as insecure.
disable-ds-digests a2923 25 Disable the specified DS/DLV digest types at and below the specified name. Multiple disable-ds-digests statements are allowed. Only the best match disable-ds-digests clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered by the disable-ds-digests will be treated as insecure.
max-zone-ttl d2950 3 a2952 6 or Specifies a maximum permissible TTL value. When loading a zone file using a
masterfile-formatoftextorraw, any record encountered with a TTL higher thanmax-zone-ttlwill cause the zone to be rejected.This is useful in DNSSEC-signed zones because when rolling to a new DNSKEY, the old key needs to remain available until RRSIG records have expired from caches. The
max-zone-ttloption guarantees that the largest TTL in the zone will be no higher the set value.(NOTE: Because
map-format files load directly into memory, this option cannot be used with them.)no;yeshas the same meaning asfull. As of BIND 9.10,nohas the same meaning asnone; previously, it was the same asterse. a2959 14automatic-interface-scan a3352 4 If
yesand supported by the OS, automatically rescan network interfaces when the interface addresses are added or removed. The default isyes.Currently the OS needs to support routing sockets for automatic-interface-scan to be supported.
request-sit sit-secret d3538 1 a3538 1 then AAAA records are deleted even when DNSSEC is enabled. a3562 7filter-aaaa-on-v6 d3853 1 a3853 1 Forwarding d3897 1 a3897 1 Dual-stack Servers a4101 51 Identical to filter-aaaa-on-v4, except it filters AAAA responses to queries from IPv6 clients instead of IPv4 clients. To filter all responses, set both options to
yes.no-case-compress d4114 1 a4114 1 Interfaces d4142 2 a4143 2 listen for incoming queries sent using IPv6. If not specified, the server will listen on port 53 on all IPv6 interfaces. d4186 7 d4582 1 a4582 1 UDP Port Lists d4624 1 a4624 1 Operating System Resource Limits d4756 5 a4760 6 reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. The keyword Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be used when named needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names.
If left undefined, the ACL defaults to none: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that client.
This can result in slightly smaller responses: if a response contains the names "example.com" and "example.COM", case-insensitive compression would treat the second one as a duplicate. It also ensures that the case of the query name exactly matches the case of the owner names of returned records, rather than matching the case of the records entered in the zone file. This allows responses to exactly match the query, which is required by some clients due to incorrect use of case-sensitive comparisions.
Case-insensitive compression is always used in AXFR and IXFR responses, regardless of whether the client matches this ACL.
There are circusmstances in which named will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is different (e.g., "www.example.com/A" and "WWW.EXAMPLE.COM/AAAA"), then all resposnes for that name will use the first version of the name that was used in the zone file. This limitation may be addressed in a future release. However, domain names specified in the rdata of resource records (i.e., records of type NS, MX, CNAME, etc) will always have their case preserved unless the client matches this ACL.
unlimited, or the value 0, will place no limit on cache size; records will be purged from the cache only when their d4762 7 a4768 2 Any positive values less than 2MB will be ignored and reset to 2MB. d4771 1 a4771 1 The default isunlimited. d4789 1 a4789 1 Periodic Task Intervals d5263 2 a5264 3 Sets the initial advertised EDNS UDP buffer size in bytes, to control the size of packets received from authoritative servers in response to recursive queries. d5266 6 a5271 2 will be silently adjusted to the nearest value within it). The default value is 4096. d5274 5 a5278 37 The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP DNS packets that are greater than 512 bytes.When named first queries a remote server, it will advertise a UDP buffer size of 512, as this has the greatest chance of success on the first try.
If the initial response times out, named will try again with plain DNS, and if that is successful, it will be taken as evidence that the server does not support EDNS. After enough failures using EDNS and successes using plain DNS, named will default to plain DNS for future communications with that server. (Periodically, named will send an EDNS query to see if the situation has improved.)
However, if the initial query is successful with EDNS advertising a buffer size of 512, then named will advertise progressively larger buffer sizes on successive queries, until responses begin timing out or edns-udp-size is reached.
The default buffer sizes used by named are 512, 1232, 1432, and 4096, but never exceeding edns-udp-size. (The values 1232 and 1432 are chosen to allow for an IPv4/IPv6 encapsulated UDP message to be sent without fragmentation at the minimum MTU sizes for Ethernet and IPv6 networks.) d5287 2 a5288 10 range will be silently adjusted to the nearest value within it). The default value is 4096.
This value applies to responses sent by a server; to set the advertised buffer size in queries, see edns-udp-size.
The usual reason for setting d5324 1 a5324 6 file. Also,
mapformat files are loaded directly into memory via memory mapping, with only minimal checking.This statement sets the a5383 32
prefetch d5404 1 a5404 3 always set to When a query is received for cached data which is to expire shortly, named can refresh the data from the authoritative server immediately, ensuring that the cache always has an answer available.
The
prefetchspecifies the the "trigger" TTL value at which prefetch of the current query will take place: when a cache record with a lower TTL value is encountered during query processing, it will be refreshed. Valid trigger TTL values are 1 to 10 seconds. Setting a trigger TTL to zero disables prefetch.An optional second argument can be used to set the smallest original TTL value that will be accepted for a record to be eligible for prefetching. The difference between the trigger TTL and the eligibility TTL must be at least 6 seconds.
The default trigger and eligibility TTLs are
2and9, respectively.no, and rate-limit is set to allow three responses per second. d5722 1 a5722 1 Content Filtering d5845 1 a5845 1 Response Policy Zone (RPZ) Rewriting d5858 1 a5858 1 Response policy zones are ordinary DNS zones containing RRsets d5864 51 a5914 87 A response-policy option can support multiple policy zones. To maximize performance, a radix tree is used to quickly identify response policy zones containing triggers that match the current query. This imposes an upper limit of 32 on the number of policy zones in a single response-policy option; more than that is a configuration error.Five policy triggers can be encoded in RPZ records.
- RPZ-CLIENT-IP
IP records are triggered by the IP address of the DNS client. Client IP address triggers are encoded in records that have owner names that are subdomains of rpz-client-ip relativized to the policy zone origin name and encode an address or address block. IPv4 addresses are represented as
prefixlength.B4.B3.B2.B1.rpz-ip. The IPv4 prefix length must be between 1 and 32. All four bytes, B4, B3, B2, and B1, must be present. B4 is the decimal value of the least significant byte of the IPv4 address as in IN-ADDR.ARPA.IPv6 addresses are encoded in a format similar to the standard IPv6 text representation,
prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. Each of W8,...,W1 is a one to four digit hexadecimal number representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. All 8 words must be present except when one set of consecutive zero words is replaced with.zz.analogous to double colons (::) in standard IPv6 text encodings. The IPv6 prefix length must be between 64 and 128.- QNAME
QNAME policy records are triggered by query names of requests and targets of CNAME records resolved to generate the response. The owner name of a QNAME policy record is the query name relativized to the policy zone.
- RPZ-IP
IP triggers are IP addresses in an A or AAAA record in the ANSWER section of a response. They are encoded like client-IP triggers except as subdomains of rpz-ip.
- RPZ-NSDNAME
NSDNAME triggers match names of authoritative servers for the query name, a parent of the query name, a CNAME for query name, or a parent of a CNAME. They are encoded as subdomains of rpz-nsdname relativized to the RPZ origin name. NSIP triggers match IP addresses in A and AAAA RRsets for domains that can be checked against NSDNAME policy records.
- RPZ-NSIP
NSIP triggers are encoded like IP triggers except as subdomains of rpz-nsip. NSDNAME and NSIP triggers are checked only for names with at least min-ns-dots dots. The default value of min-ns-dots is 1 to exclude top level domains.
The query response is checked against all response policy zones, so two or more policy records can be triggered by a response. Because DNS responses are rewritten according to at most one d5917 2 a5918 2 Triggers or the records that encode them are chosen for the rewriting in the following order: d5922 1 a5922 1 first in the response-policy option. d5924 2 a5925 2
Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP triggers in a single zone. d5944 2 a5945 2 all response policy zones are again consulted for the DNAME or CNAME names and addresses. d5948 2 a5949 8 RPZ record sets are any types of DNS record except DNAME or DNSSEC that encode actions or responses to individual queries. Any of the policies can be used with any of the triggers. For example, while the TCP-only policy is commonly used with client-IP triggers, it cn be used with any type of trigger to force the use of TCP for responses with owner names in a zone. d5951 29 a5979 53 d5983 2 a5984 3 All of the actions specified in all of the individual records in a policy zone can be overridden with a policy clause in the d5986 2 a5987 3 An organization using a policy zone provided by another organization might use this mechanism to redirect domains to its own walled garden. d5989 33 a6021 29
- PASSTHRU
The whitelist policy is specified by a CNAME whose target is rpz-passthru. It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks.
- DROP
The blacklist policy is specified by a CNAME whose target is rpz-drop. It causes the response to be discarded. Nothing is sent to the DNS client.
- TCP-Only
The "slip" policy is specified by a CNAME whose target is rpz-tcp-only. It changes UDP responses to short, truncated DNS responses that require the DNS client to try again with TCP. It is used to mitigate distributed DNS reflection attacks.
- NXDOMAIN
The domain undefined response is encoded by a CNAME whose target is the root domain (.)
- NODATA
The empty set of resource records is specified by CNAME whose target is the wildcard top-level domain (*.). It rewrites the response to NODATA or ANCOUNT=1.
- Local Data
A set of ordinary DNS records can be used to answer queries. Queries for record types not the set are answered with NODATA.
A special form of local data is a CNAME whose target is a wildcard such as *.example.com. It is used as if were an ordinary CNAME after the astrisk (*) has been replaced with the query name. The purpose for this special form is query logging in the walled garden's authority DNS server.
d6025 3 a6027 4 By default, the actions encoded in a response policy zone are applied only to queries that ask for recursion (RD=1). That default can be changed for a single policy zone or all response policy zones in a view d6035 9 a6043 36 Also by default, RPZ actions are applied only to DNS requests that either do not request DNSSEC metadata (DO=0) or when no DNSSEC records are available for request name in the original zone (not the response policy zone). This default can be changed for all response policy zones in a view with a break-dnssec yes clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify.
- GIVEN
The placeholder policy says "do not override but perform the action specified in the zone."
- DISABLED
The testing override policy causes policy zone records to do nothing but log what they would have done if the policy zone were not disabled. The response to the DNS query will be written (or not) according to any triggered policy records that are not disabled. Disabled policy zones should appear first, because they will often not be logged if a higher precedence trigger is found first.
- PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA
override with the corresponding per-record policy.
- CNAME domain
causes all RPZ policy records to act as if they were "cname domain" records.
No DNS records are needed for a QNAME or Client-IP trigger. The name or IP address itself is sufficient, so in principle the query name need not be recursively resolved. However, not resolving the requested name can leak the fact that response policy rewriting is in use and that the name is listed in a policy zone to operators of servers for listed names. To prevent that information leak, by default any recursion needed for a request is done before any policy triggers are considered. Because listed domains often have slow authoritative servers, this default behavior can cost significant time. The qname-wait-recurse no option overrides that default behavior when recursion cannot change a non-error response. The option does not affect QNAME or client-IP triggers in policy zones listed after other zones containing IP, NSIP and NSDNAME triggers, because those may depend on the A, AAAA, and NS records that would be found during recursive resolution. It also does not affect DNSSEC requests (DO=1) unless break-dnssec yes is in use, because the response would depend on whether or not RRSIG records were found during resolution. Using this option can cause error responses such as SERVFAIL to appear to be rewritten, since no recursion is being done to discover problems at the authoritative server. a6068 1 *.nxdomain.domain.com CNAME . ; NXDOMAIN policy a6069 1 *.nodata.domain.com CNAME *. ; NODATA policy a6071 1 bzone.domain.com CNAME garden.example.com. d6076 2 d6082 1 a6082 2 ; IP policy records that rewrite all responses containing A records in 127/8 ; except 127.0.0.1 a6088 10 ; blacklist and whitelist some DNS clients 112.zz.2001.rpz-client-ip CNAME rpz-drop. 8.0.0.0.127.rpz-client-ip CNAME rpz-drop. ; force some DNS clients and responses in the example.com zone to TCP 16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. example.com CNAME rpz-tcp-only. *.example.com CNAME rpz-tcp-only. d6112 6 a6117 1 Response Rate Limiting d6170 2 a6171 4 by the base responses-per-second option (that is, responses-per-second with only a single argument and no additional modifiers). The default is 0, which indicates that there should be no limit. d6176 1 a6176 1 (default base responses-per-second). d6181 1 a6181 1 (default base responses-per-second). d6189 1 a6189 1 (default base responses-per-second). d6203 1 a6203 1 default base responses-per-second value, a6207 65 In addition to the base responses-per-second value, up to four (4) additional responses-per-second options can be configured, with additional parameters to indicate that they apply to responses larger than a given size, or with an amplification factor larger than a given value. The size parameter sets the minimum DNS response size that will trigger the use of this responses-per-second option. The ratio parameter sets the minimum DNS response-size / request-size ratio that falls into the band, to two decimal places. These selective rate limits are applied after any other rate limits have been applied, and they only apply to positive answers. For example:
rate-limit { responses-per-second 10; responses-per-second size 1100 5; };...indicates that responses should be limited to ten per second for responses up to 1099 bytes in size, but only five per second for responses larger than that. This configuration:
rate-limit { responses-per-second 10; responses-per-second ratio 7.25 5; responses-per-second ratio 15.00 2; };...indicates that responses should be limited to ten per second if the amplification factor is below 7.25, five per second if above 7.25 but below 15, and two per second if above 15.
Both sizes and ratios can be used together. For example:
rate-limit { responses-per-second 10; responses-per-second size 1000 ratio 5.00 5; responses-per-second ratio 10.00 2; };This configuration will rate-limit to five per second if the ratio is over 5 or the size is over 1000, and to two per second if the ratio is over 10. In the event that two bands might be chosen (i.e., because the size is over 1000 and the ratio is over 10), the one that appears last in the configuration file is the one chosen. To eliminate any ambiguity, it is recommended that under normal circumstnaces, rate limiting bands should be configured using either size or ratio parameters, but not both.
a6262 24 The optional domain clause specifies the namespace to which rate limits will apply. It is possible to use different rate limits for different names by specifying multiple rate-limit blocks with different domain clauses. The rate-limit statement's domain most closely matches the query name will be the one applied to a given query.
Rate limiters for different name spaces maintain separate counters: If, for example, there is a rate-limit statement for "com" and another for "example.com", queries matching "example.com" will not be debited against the rate limiter for "com".
If a rate-limit statement does not specify a domain, then it applies to the root domain (".") and thus affects the entire DNS namespace, except those portions covered by other rate-limit statements.
d6276 2 a6277 2 all-per-second phrase. This rate limiting is unlike the rate limiting provided by d6281 28 a6308 25 which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources make TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests. a6345 1 [ nosit-udp-size
number; ] d6350 4 a6353 4 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d6355 1 a6355 1 [ port (ip_port|*) ] [dscpip_dscp] ; ] d6357 1 a6357 1 [ port (ip_port|*) ] [dscpip_dscp] ; ] d6447 1 a6447 2 silently adjusted to the nearest value within it). This option is useful when you wish to a6460 7 The nosit-udp-size option sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. The command max-udp-size option may further limit the response size.d6546 1 a6546 1 statistics-channels Statement Definition and d6558 2 a6559 3 It requires that BIND 9 be compiled with libxml2 and/or json-c (also known as libjson0); the statistics-channels statement is d6567 1 a6567 2 address. An ip_addr of
*(asterisk) is d6595 1 a6595 3 The statistics are available in various formats and views depending on the URI used to access them. For example, if the statistics channel is configured to listen on 127.0.0.1 d6600 6 a6605 2 when viewed with a stylesheet-capable browser, and into charts and graphs using the Google Charts API when using a a6617 32Broken-out subsets of the statistics can be viewed at http://127.0.0.1:8888/xml/v3/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/xml/v3/server (server and resolver statistics), http://127.0.0.1:8888/xml/v3/zones (zone statistics), http://127.0.0.1:8888/xml/v3/net (network status and socket statistics), http://127.0.0.1:8888/xml/v3/mem (memory manager statistics), http://127.0.0.1:8888/xml/v3/tasks (task manager statistics).
The full set of statistics can also be read in JSON format at http://127.0.0.1:8888/json, with the broken-out subsets at http://127.0.0.1:8888/json/v1/status (server uptime and last reconfiguration time), http://127.0.0.1:8888/json/v1/server (server and resolver statistics), http://127.0.0.1:8888/json/v1/zones (zone statistics), http://127.0.0.1:8888/json/v1/net (network status and socket statistics), http://127.0.0.1:8888/json/v1/mem (memory manager statistics), http://127.0.0.1:8888/json/v1/tasks (task manager statistics).
d6630 1 a6630 1 trusted-keys Statement Definition d6670 1 a6670 1 managed-keys Statement Grammar d6808 1 a6808 1 view Statement Definition and Usage d6940 2 a6941 2 [ also-notify {ip_addr[portip_port] [dscpip_dscp] ; [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d6949 1 a6949 1 [ masterfile-format (text|raw|map) ; ] d6953 1 a6953 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d6966 2 a6967 2 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] a6982 1 [ max-zone-ttlnumber; ] d6998 1 a6998 1 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addra6999 1 [dscpip_dscp] d7004 1 a7004 1 [ masterfile-format (text|raw|map) ; ] d7008 1 a7008 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d7013 1 a7013 1 [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addra7014 1 [dscpip_dscp] d7025 3 a7027 3 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d7029 1 a7029 2 [portip_port] [dscpip_dscp] ; ] d7031 2 a7032 2 [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] d7065 1 a7065 1 [ masterfile-format (text|raw|map) ; ] d7067 2 a7068 2 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] [ masters [portip_port] [dscpip_dscp] { (masters_list|ip_addra7069 1 [dscpip_dscp] d7074 1 a7074 1 [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d7076 2 a7077 2 [portip_port] [dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] d7079 1 a7079 1 [portip_port] [dscpip_dscp] ; ] d7101 1 a7101 1 [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] d7108 1 a7108 1 [ masterfile-format (text|raw|map) ; ] a7109 1 [ max-zone-ttlnumber; ] a7115 4 zonezone_name[class] { [ in-viewstring; ] }; d7120 1 a7120 1 zone Statement Definition and Usage d7123 1 a7123 1 Zone Types d7441 1 a7441 1 Class d7463 1 a7463 1 Zone Options d7619 3 a7621 4 The flag only applies to forward, hint and stub zones. If set toyes, then the zone will also be treated as if it is also a delegation-only type zone. a7952 7max-zone-ttl a8374 45 See the description of max-zone-ttl in the section called “options Statement Definition and Usage”.
d8379 1 a8379 1 Zone File d8392 1 a8392 1 Resource Records d9129 1 a9129 1 Textual expression of RRs d9332 1 a9332 1 Discussion of MX Records d9588 1 a9588 1 Inverse Mapping in IPv4 d9649 1 a9649 1 Other Zone File Directives d9664 1 a9664 1 The @@ (at-sign) d9675 1 a9675 1 The $ORIGIN Directive d9704 1 a9704 1 The $INCLUDE Directive d9740 1 a9740 1 The $TTL Directive d9759 1 a9759 1 BIND Master File Extension: the $GENERATE Directive d9955 5 a9959 15 other formats.When multiple views are in use, a zone may be referenced by more than one of them. Often, the views will contain different zones with the same name, allowing different clients to receive different answers for the same queries. At times, however, it is desirable for multiple views to contain identical zones. The in-view zone option provides an efficient way to do this: it allows a view to reference a zone that was defined in a previously configured view. Example:
view internal { match-clients { 10/8; }; zone example.com { type master; file "example-external.db"; }; }; view external { match-clients { any; }; zone example.com { in-view internal; }; };An in-view option cannot refer to a view that is configured later in the configuration file.
A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control the behavior of the containing view, rather than changing the zone object itself.)
The
rawformat is a binary representation of zone data in a manner similar to that used in zone transfers. Since it does not require parsing text, load time is significantly reduced.An even faster alternative is the
mapformat, which is an image of a BIND 9 in-memory zone database; it is capable of being loaded directly into memory via the mmap() function; the zone can begin serving queries almost immediately. d9962 5 a9966 5 For a primary server, a zone file inrawormapformat is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically d9981 8 a9988 15 Note that map format is extremely architecture-specific. Amapfile cannot be used on a system with different pointer size, endianness or data alignment than the system on which it was generated, and should in general be used only inside a single system. Whilerawformat uses network byte order and avoids architecture-dependent data alignment so that it is as portable as possible, it is also primarily expected to be used inside the same single system. To export a zone file in eitherrawormapformat, or make a portable backup of such a file, conversion totextformat is recommended. d10090 1 a10090 2 "NXRRSET"). If a hash mark (#) is present then the RRset is marked for garbage collection. d10183 1 a10183 1 Name Server Statistics Counters d10737 1 a10737 1RateDropped
d10744 1 a10744 1 Responses dropped by rate limits. d10750 1 a10750 1RateSlipped
d10757 1 a10757 1 Responses truncated by rate limits. d10763 1 a10763 1RPZRewrites
d10770 1 a10770 1 Response policy zone rewrites. d10779 1 a10779 1 Zone Maintenance Statistics Counters d10933 1 a10933 1 Resolver Statistics Counters d11316 1 a11316 1 Socket I/O Statistics Counters d11471 1 a11471 1 Compatibility with BIND 8 Counters @ 1.1.1.14.2.1 log @Rebase. @ text @d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar d935 1 a935 3 interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. a946 3 When addresses are added or removed, the localnets ACL element is updated to reflect the changes. d1015 1 a1015 1 controls Statement Grammar d1139 1 a1139 1 include Statement Grammar d1144 1 a1144 1 include Statement Definition and d1159 1 a1159 1 key Statement Grammar d1168 1 a1168 1 key Statement Definition and Usage d1215 1 a1215 1 logging Statement Grammar d1239 1 a1239 1 logging Statement Definition and d1273 1 a1273 1 The channel Phrase d1886 1 a1886 1 The query-errors Category d2114 1 a2114 1 lwres Statement Grammar d2130 1 a2130 1 lwres Statement Definition and Usage d2142 2 a2143 2 IPv4 addresses (and ports) that this instance of a lightweight resolver daemon d2181 1 a2181 1 masters Statement Grammar d2189 1 a2189 1 masters Statement Definition and d2199 1 a2199 1 options Statement Grammar a2415 2 [ prefetchnumber[number] ; ] d2433 7 a2439 12 } ; ] [ response-policy { zonezone_name; [ policygiven | disabled | passthru | drop | nxdomain | nodata | cnamedomain; ] [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] ; [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] [ break-dnssecyes_or_no; ] [ min-ns-dotsnumber; ] [ qname-wait-recurseyes_or_no; ] } ; ] d3495 1 a3495 17d3497 1 a3497 6 If
yes, then a SIT (Source Identity Token) EDNS option is sent along with the query. If the resolver has previously talked to the server, the SIT returned in the previous transaction is sent. This is used by the server to determine whether the resolver has talked to it before. A resolver sending the correct SIT is assumed not to be an off-path attacker sending a spoofed-source query; the query is therefore unlikely to be part of a reflection/amplification attack, so resolvers sending a correct SIT option are not subject to response rate limiting (RRL). Resolvers which do not send a correct SIT option may be limited to receiving smaller responses via the nosit-udp-size option.d4005 1 a4005 1 Forwarding d4049 1 a4049 1 Dual-stack Servers d4317 1 a4317 1 Interfaces d4321 1 a4321 3 an optional port and an If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system will generate a random secret at startup.
address_match_listof IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) a4368 2 IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning. d4778 1 a4778 1 UDP Port Lists d4820 1 a4820 1 Operating System Resource Limits d4981 1 a4981 1 Periodic Task Intervals d5403 1 a5403 1 signing state records. The default is d5411 7 a5417 14 Signing state records are used to internally by named to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command rndc signing -listzone. Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running rndc signing -clearkeyid/algorithmzone. To clear all of the completed signing state records for a zone, use rndc signing -clear allzone. d5628 1 a5628 1 Theprefetchspecifies the d5633 2 a5634 5 10 seconds. Values larger than 10 seconds will be silently reduced to 10. Setting a trigger TTL to zero (0) causes prefetch to be disabled. The default trigger TTL is2. d5637 2 a5638 2 An optional second argument specifies the "eligibility" TTL: the smallest original d5640 8 a5647 5 eligible for prefetching. The eligibility TTL must be at least six seconds longer than the trigger TTL; if it isn't, named will silently adjust it upward. The default eligibility TTL is9. d5990 1 a5990 1 Content Filtering d6113 1 a6113 1 Response Policy Zone (RPZ) Rewriting d6484 1 a6484 1 Response Rate Limiting d6549 1 a6549 1 They are limited by nxdomains-per-second a6798 2 [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] a6996 16The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
The request-sit clause determines whether the local server will add a SIT EDNS option to requests sent to the server. This overrides request-sit set at the view or option level. Named may determine that SIT is not supported by the remote server and not add a SIT EDNS option to requests.
d7010 1 a7010 1 statistics-channels Statement Definition and d7126 1 a7126 1 trusted-keys Statement Definition d7166 1 a7166 1 managed-keys Statement Grammar d7168 2 a7169 2nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d7304 1 a7304 1 view Statement Definition and Usage d7626 1 a7626 1 zone Statement Definition and Usage d7629 1 a7629 1 Zone Types d7947 1 a7947 1 Class d7969 1 a7969 1 Zone Options d8891 1 a8891 1 Multiple views d8938 1 a8938 1 Zone File d8951 1 a8951 1 Resource Records d9688 1 a9688 1 Textual expression of RRs d9891 1 a9891 1 Discussion of MX Records d10147 1 a10147 1 Inverse Mapping in IPv4 d10208 1 a10208 1 Other Zone File Directives d10223 1 a10223 1 The @@ (at-sign) d10234 1 a10234 1 The $ORIGIN Directive d10263 1 a10263 1 The $INCLUDE Directive d10299 1 a10299 1 The $TTL Directive d10318 1 a10318 1 BIND Master File Extension: the $GENERATE Directive d10386 2 a10387 3 is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. d10760 1 a10760 1 Name Server Statistics Counters d11356 1 a11356 1 Zone Maintenance Statistics Counters d11510 1 a11510 1 Resolver Statistics Counters d11893 1 a11893 1 Socket I/O Statistics Counters d12048 1 a12048 1 Compatibility with BIND 8 Counters @ 1.1.1.15 log @Import bind-9.10.0-P2 Changes since the last import: --- 9.10.0-P2 released --- 3861. [security] Missing isc_buffer_availablelength check results in a REQUIRE assertion when printing out a packet (CVE-2014-3859). [RT #36078] 3858. [bug] Disable GCC 4.9 "delete null pointer check". [RT #35968] 3853. [cleanup] Refactor dns_rdataslab_fromrdataset to seperate out the handling of a rdataset with no records. [RT #35968] 3850. [bug] Disabling forwarding could trigger a REQUIRE assertion. [RT #35979] 3843. [bug] Use the x64 version of the Microsoft Visual C++ Redistributable when built for 64 bit Windows. [RT #35973] 3838. [protocol] EDNS EXPIRE as been assigned a code point of 9. --- 9.10.0-P1 released --- 3837. [security] A NULL pointer is passed to query_prefetch resulting a REQUIRE assertion failure when a fetch is actually initiated (CVE-2014-3214). [RT #35899] --- 9.10.0 released --- 3824. [bug] A collision between two flag values could cause problems with cache cleaning when SIT was enabled. [RT #35858] --- 9.10.0rc2 released --- 3817. [func] The "delve" command is now spelled "delv" to avoid a namespace collision with the Xapian project. [RT #35801] 3815. [doc] Clarify "nsupdate -y" usage in man page. [RT #35808] 3810. [bug] Work around broken nameservers that fail to ignore unknown EDNS options. [RT #35766] 3809. [doc] Fix SIT and NSID documentation. 3808. [doc] Clean up "prefetch" documentation. [RT #35751] 3807. [bug] Fix sign extention bug in dns_name_fromtext when lowercase is set. [RT #35743] 3806. [test] Improved system test portability. [RT #35625] 3805. [contrib] Added contrib/perftcpdns, a performance testing tool for DNS over TCP. [RT #35710] --- 9.10.0rc1 released --- 3804. [bug] Corrected a race condition in dispatch.c in which portentry could be reset leading to an assertion failure in socket_search(). (Change #3708 addressed the same issue but was incomplete.) [RT #35128] 3803. [bug] "named-checkconf -z" incorrectly rejected zones using alternate data sources for not having a "file" option. [RT #35685] 3802. [bug] Various header files were not being installed. 3801. [port] Fix probing for gssapi support on FreeBSD. [RT #35615] 3800. [bug] A pending event on the route socket could cause an assertion failure when shutting down named. [RT #35674] 3799. [bug] Improve named's command line error reporting. [RT #35603] 3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing time. [RT #35659] 3797. [port] netbsd: geoip support probing was broken. [RT #35642] 3796. [bug] Register dns and pkcs#11 error codes. [RT #35629] 3795. [bug] Make named-checkconf detect raw masterfiles for hint zones and reject them. [RT #35268] 3794. [maint] Added AAAA for C.ROOT-SERVERS.NET. 3793. [bug] zone.c:save_nsec3param() could assert when out of memory. [RT #35621] 3792. [func] Provide links to the alternate statistics views when displaying in a browser. [RT #35605] 3791. [placeholder] 3790. [bug] Handle broken nameservers that send BADVERS in response to unknown EDNS options. Maintain statistics on BADVERS responses. 3789. [bug] Null pointer dereference on rbt creation failure. 3788. [bug] dns_peer_getrequestsit was returning request_nsid by mistake. --- 9.10.0b2 released --- 3787. [bug] The code that checks whether "auto-dnssec" is allowed was ignoring "allow-update" ACLs set at the options or view level. [RT #29536] 3786. [func] Provide more detailed error codes when using native PKCS#11. "pkcs11-tokens" now fails robustly rather than asserting when run against an HSM with an incomplete PKCS#11 API implementation. [RT #35479] 3785. [bug] Debugging code dumphex didn't accept arbitrarily long input (only compiled with -DDEBUG). [RT #35544] 3784. [bug] Using "rrset-order fixed" when it had not been enabled at compile time caused inconsistent results. It now works as documented, defaulting to cyclic mode. [RT #28104] 3783. [func] "tsig-keygen" is now available as an alternate command name for "ddns-confgen". It generates a TSIG key in named.conf format without comments. [RT #35503] 3782. [func] Specifying "auto" as the salt when using "rndc signing -nsec3param" causes named to generate a 64-bit salt at random. [RT #35322] 3781. [tuning] Use adaptive mutex locks when available; this has been found to improve performance under load on many systems. "configure --with-locktype=standard" restores conventional mutex locks. [RT #32576] 3780. [bug] $GENERATE handled negative numbers incorrectly. [RT #25528] 3779. [cleanup] Clarify the error message when using an option that was not enabled at compile time. [RT #35504] 3778. [bug] Log a warning when the wrong address family is used in "listen-on" or "listen-on-v6". [RT #17848] 3777. [bug] EDNS EXPIRE code could dump core when processing DLZ queries. [RT #35493] 3776. [func] "rndc -q" suppresses output from successful rndc commands. Errors are printed on stderr. [RT #21393] 3775. [bug] dlz_dlopen driver could return the wrong error code on API version mismatch, leading to a segfault. [RT #35495] 3774. [func] When using "request-nsid", log the NSID value in printable form as well as hex. [RT #20864] 3773. [func] "host", "nslookup" and "nsupdate" now have options to print the version number and exit. [RT #26057] 3772. [contrib] Added sqlite3 dynamically-loadable DLZ module. (Based in part on a contribution from Tim Tessier.) [RT #20822] 3771. [cleanup] Adjusted log level for "using built-in key" messages. [RT #24383] 3770. [bug] "dig +trace" could fail with an assertion when it needed to fall back to TCP due to a truncated response. [RT #24660] 3769. [doc] Improved documentation of "rndc signing -list". [RT #30652] 3768. [bug] "dnssec-checkds" was missing the SHA-384 digest algorithm. [RT #34000] 3767. [func] Log explicitly when using rndc.key to configure command channel. [RT #35316] 3766. [cleanup] Fixed problems with building outside the source tree when using native PKCS#11. [RT #35459] 3765. [bug] Fixed a bug in "rndc secroots" that could crash named when dumping an empty keynode. [RT #35469] 3764. [bug] The dnssec-keygen/settime -S and -i options (to set up a successor key and set the prepublication interval) were missing from dnssec-keyfromlabel. [RT #35394] 3763. [bug] delve: Cache DNSSEC records to avoid the need to re-fetch them when restarting validation. [RT #35476] 3762. [bug] Address build problems with --pkcs11-native + --with-openssl with ECDSA support. [RT #35467] 3761. [bug] Address dangling reference bug in dns_keytable_add. [RT #35471] 3760. [bug] Improve SIT with native PKCS#11 and on Windows. [RT #35433] 3759. [port] Enable delve on Windows. [RT #35441] 3758. [port] Enable export library APIs on Windows. [RT #35382] 3757. [port] Enable Python tools (dnssec-coverage, dnssec-checkds) to run on Windows. [RT #34355] 3756. [bug] GSSAPI Kerberos realm checking was broken in check_config leading to spurious messages being logged. [RT #35443] @ text @d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar d935 1 a935 3 interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes. a946 3 When addresses are added or removed, the localnets ACL element is updated to reflect the changes. d1015 1 a1015 1 controls Statement Grammar d1139 1 a1139 1 include Statement Grammar d1144 1 a1144 1 include Statement Definition and d1159 1 a1159 1 key Statement Grammar d1168 1 a1168 1 key Statement Definition and Usage d1215 1 a1215 1 logging Statement Grammar d1239 1 a1239 1 logging Statement Definition and d1273 1 a1273 1 The channel Phrase d1886 1 a1886 1 The query-errors Category d2114 1 a2114 1 lwres Statement Grammar d2130 1 a2130 1 lwres Statement Definition and Usage d2142 2 a2143 2 IPv4 addresses (and ports) that this instance of a lightweight resolver daemon d2181 1 a2181 1 masters Statement Grammar d2189 1 a2189 1 masters Statement Definition and d2199 1 a2199 1 options Statement Grammar a2415 2 [ prefetchnumber[number] ; ] d2433 7 a2439 12 } ; ] [ response-policy { zonezone_name; [ policygiven | disabled | passthru | drop | nxdomain | nodata | cnamedomain; ] [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] ; [ recursive-onlyyes_or_no; ] [ max-policy-ttlnumber; ] [ break-dnssecyes_or_no; ] [ min-ns-dotsnumber; ] [ qname-wait-recurseyes_or_no; ] } ; ] d3495 1 a3495 17d3497 1 a3497 6 If
yes, then a SIT (Source Identity Token) EDNS option is sent along with the query. If the resolver has previously talked to the server, the SIT returned in the previous transaction is sent. This is used by the server to determine whether the resolver has talked to it before. A resolver sending the correct SIT is assumed not to be an off-path attacker sending a spoofed-source query; the query is therefore unlikely to be part of a reflection/amplification attack, so resolvers sending a correct SIT option are not subject to response rate limiting (RRL). Resolvers which do not send a correct SIT option may be limited to receiving smaller responses via the nosit-udp-size option.d4005 1 a4005 1 Forwarding d4049 1 a4049 1 Dual-stack Servers d4317 1 a4317 1 Interfaces d4321 1 a4321 3 an optional port and an If set, this is a shared secret used for generating and verifying Source Identity Token EDNS options within a anycast cluster. If not set the system will generate a random secret at startup.
address_match_listof IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) a4368 2 IPv4 addresses specified in listen-on-v6 will be ignored, with a logged warning. d4778 1 a4778 1 UDP Port Lists d4820 1 a4820 1 Operating System Resource Limits d4981 1 a4981 1 Periodic Task Intervals d5403 1 a5403 1 signing state records. The default is d5411 7 a5417 14 Signing state records are used to internally by named to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command rndc signing -listzone. Once named has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running rndc signing -clearkeyid/algorithmzone. To clear all of the completed signing state records for a zone, use rndc signing -clear allzone. d5628 1 a5628 1 Theprefetchspecifies the d5633 2 a5634 5 10 seconds. Values larger than 10 seconds will be silently reduced to 10. Setting a trigger TTL to zero (0) causes prefetch to be disabled. The default trigger TTL is2. d5637 2 a5638 2 An optional second argument specifies the "eligibility" TTL: the smallest original d5640 8 a5647 5 eligible for prefetching. The eligibility TTL must be at least six seconds longer than the trigger TTL; if it isn't, named will silently adjust it upward. The default eligibility TTL is9. d5990 1 a5990 1 Content Filtering d6113 1 a6113 1 Response Policy Zone (RPZ) Rewriting d6484 1 a6484 1 Response Rate Limiting d6549 1 a6549 1 They are limited by nxdomains-per-second a6798 2 [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] a6996 16The request-nsid clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides request-nsid set at the view or option level.
The request-sit clause determines whether the local server will add a SIT EDNS option to requests sent to the server. This overrides request-sit set at the view or option level. Named may determine that SIT is not supported by the remote server and not add a SIT EDNS option to requests.
d7010 1 a7010 1 statistics-channels Statement Definition and d7126 1 a7126 1 trusted-keys Statement Definition d7166 1 a7166 1 managed-keys Statement Grammar d7168 2 a7169 2nameinitial-keyflagsprotocolalgorithmkey-data; [nameinitial-keyflagsprotocolalgorithmkey-data; [...]] d7304 1 a7304 1 view Statement Definition and Usage d7626 1 a7626 1 zone Statement Definition and Usage d7629 1 a7629 1 Zone Types d7947 1 a7947 1 Class d7969 1 a7969 1 Zone Options d8891 1 a8891 1 Multiple views d8938 1 a8938 1 Zone File d8951 1 a8951 1 Resource Records d9688 1 a9688 1 Textual expression of RRs d9891 1 a9891 1 Discussion of MX Records d10147 1 a10147 1 Inverse Mapping in IPv4 d10208 1 a10208 1 Other Zone File Directives d10223 1 a10223 1 The @@ (at-sign) d10234 1 a10234 1 The $ORIGIN Directive d10263 1 a10263 1 The $INCLUDE Directive d10299 1 a10299 1 The $TTL Directive d10318 1 a10318 1 BIND Master File Extension: the $GENERATE Directive d10386 2 a10387 3 is set to 1. start, stop and step must be positive integers between 0 and (2^31)-1. start must not be larger than stop. d10760 1 a10760 1 Name Server Statistics Counters d11356 1 a11356 1 Zone Maintenance Statistics Counters d11510 1 a11510 1 Resolver Statistics Counters d11893 1 a11893 1 Socket I/O Statistics Counters d12048 1 a12048 1 Compatibility with BIND 8 Counters @ 1.1.1.15.2.1 log @Pull up following revision(s) (requested by spz in ticket #349): distrib/sets/lists/base/ad.aarch64 patch distrib/sets/lists/base/ad.arm patch distrib/sets/lists/base/ad.mips patch distrib/sets/lists/base/ad.powerpc patch distrib/sets/lists/base/md.amd64 patch distrib/sets/lists/base/md.sparc64 patch distrib/sets/lists/base/shl.mi patch distrib/sets/lists/debug/ad.aarch64 patch distrib/sets/lists/debug/ad.arm patch distrib/sets/lists/debug/ad.mips patch distrib/sets/lists/debug/ad.powerpc patch distrib/sets/lists/debug/md.amd64 patch distrib/sets/lists/debug/md.sparc64 patch distrib/sets/lists/debug/shl.mi patch doc/3RDPARTY patch doc/CHANGES patch external/bsd/bind/dist/CHANGES patch external/bsd/bind/dist/FAQ patch external/bsd/bind/dist/FAQ.xml patch external/bsd/bind/dist/README patch external/bsd/bind/dist/acconfig.h patch external/bsd/bind/dist/aclocal.m4 patch external/bsd/bind/dist/config.h.in patch external/bsd/bind/dist/configure patch external/bsd/bind/dist/configure.in patch external/bsd/bind/dist/isc-config.sh.html patch external/bsd/bind/dist/srcid patch external/bsd/bind/dist/version patch external/bsd/bind/dist/bin/check/Makefile.in patch external/bsd/bind/dist/bin/check/named-checkconf.html patch external/bsd/bind/dist/bin/check/named-checkzone.8 patch external/bsd/bind/dist/bin/check/named-checkzone.docbook patch external/bsd/bind/dist/bin/check/named-checkzone.html patch external/bsd/bind/dist/bin/confgen/ddns-confgen.8 patch external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook patch external/bsd/bind/dist/bin/confgen/ddns-confgen.html patch external/bsd/bind/dist/bin/confgen/rndc-confgen.html patch external/bsd/bind/dist/bin/delv/delv.html patch external/bsd/bind/dist/bin/dig/Makefile.in patch external/bsd/bind/dist/bin/dig/dig.1 patch external/bsd/bind/dist/bin/dig/dig.c patch external/bsd/bind/dist/bin/dig/dig.docbook patch external/bsd/bind/dist/bin/dig/dig.html patch external/bsd/bind/dist/bin/dig/dighost.c patch external/bsd/bind/dist/bin/dig/host.c patch external/bsd/bind/dist/bin/dig/host.html patch external/bsd/bind/dist/bin/dig/nslookup.html patch external/bsd/bind/dist/bin/dig/include/dig/dig.h patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.c patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-settime.html patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.8 patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.c patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook patch external/bsd/bind/dist/bin/dnssec/dnssec-verify.html patch external/bsd/bind/dist/bin/dnssec/dnssectool.c patch external/bsd/bind/dist/bin/dnssec/dnssectool.h patch external/bsd/bind/dist/bin/named/client.c patch external/bsd/bind/dist/bin/named/config.c patch external/bsd/bind/dist/bin/named/control.c patch external/bsd/bind/dist/bin/named/geoip.c patch external/bsd/bind/dist/bin/named/interfacemgr.c patch external/bsd/bind/dist/bin/named/lwresd.html patch external/bsd/bind/dist/bin/named/main.c patch external/bsd/bind/dist/bin/named/named.conf.html patch external/bsd/bind/dist/bin/named/named.html patch external/bsd/bind/dist/bin/named/query.c patch external/bsd/bind/dist/bin/named/server.c patch external/bsd/bind/dist/bin/named/statschannel.c patch external/bsd/bind/dist/bin/named/update.c patch external/bsd/bind/dist/bin/named/include/named/interfacemgr.h patch external/bsd/bind/dist/bin/named/include/named/query.h patch external/bsd/bind/dist/bin/named/include/named/seccomp.h new external/bsd/bind/dist/bin/named/include/named/server.h patch external/bsd/bind/dist/bin/named/unix/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/named/win32/dlz_dlopen_driver.c patch external/bsd/bind/dist/bin/nsupdate/nsupdate.c patch external/bsd/bind/dist/bin/nsupdate/nsupdate.html patch external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8y-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0l-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0m-patch new external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1g-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1h-patch new external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook patch external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook patch external/bsd/bind/dist/bin/python/Makefile.in patch external/bsd/bind/dist/bin/python/dnssec-checkds.html patch external/bsd/bind/dist/bin/python/dnssec-coverage.8 patch external/bsd/bind/dist/bin/python/dnssec-coverage.docbook patch external/bsd/bind/dist/bin/python/dnssec-coverage.html patch external/bsd/bind/dist/bin/python/dnssec-coverage.py.in patch external/bsd/bind/dist/bin/rndc/rndc.8 patch external/bsd/bind/dist/bin/rndc/rndc.c patch external/bsd/bind/dist/bin/rndc/rndc.conf.html patch external/bsd/bind/dist/bin/rndc/rndc.docbook patch external/bsd/bind/dist/bin/rndc/rndc.html patch external/bsd/bind/dist/bin/tests/rbt_test.c patch external/bsd/bind/dist/bin/tests/rdata_test.c patch external/bsd/bind/dist/bin/tests/sock_test.c patch external/bsd/bind/dist/bin/tests/task_test.c patch external/bsd/bind/dist/bin/tests/timer_test.c patch external/bsd/bind/dist/bin/tests/dst/Makefile.in patch external/bsd/bind/dist/bin/tests/dst/gsstest.c patch external/bsd/bind/dist/bin/tests/dst/t_dst.c patch external/bsd/bind/dist/bin/tests/system/Makefile.in patch external/bsd/bind/dist/bin/tests/system/ans.pl patch external/bsd/bind/dist/bin/tests/system/cleanall.sh patch external/bsd/bind/dist/bin/tests/system/conf.sh.in patch external/bsd/bind/dist/bin/tests/system/genzone.sh patch external/bsd/bind/dist/bin/tests/system/run.sh patch external/bsd/bind/dist/bin/tests/system/runall.sh patch external/bsd/bind/dist/bin/tests/system/setup.sh patch external/bsd/bind/dist/bin/tests/system/testsock6.pl patch external/bsd/bind/dist/bin/tests/system/acl/clean.sh patch external/bsd/bind/dist/bin/tests/system/acl/setup.sh patch external/bsd/bind/dist/bin/tests/system/acl/tests.sh patch external/bsd/bind/dist/bin/tests/system/addzone/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/clean.sh patch external/bsd/bind/dist/bin/tests/system/autosign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/autosign/setup.sh patch external/bsd/bind/dist/bin/tests/system/autosign/tests.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh patch external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh patch external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in new external/bsd/bind/dist/bin/tests/system/builtin/clean.sh new external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c new external/bsd/bind/dist/bin/tests/system/builtin/tests.sh patch external/bsd/bind/dist/bin/tests/system/builtin/ns2/named.conf new external/bsd/bind/dist/bin/tests/system/builtin/ns3/named.conf new external/bsd/bind/dist/bin/tests/system/checkconf/bad-master-request-ixfr.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-dup-records.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-mx.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-names-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-names.db new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname-fail.conf new external/bsd/bind/dist/bin/tests/system/checkconf/check-srv-cname.db new external/bsd/bind/dist/bin/tests/system/checkconf/clean.sh patch external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkds/setup.sh patch external/bsd/bind/dist/bin/tests/system/checkds/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/clean.sh patch external/bsd/bind/dist/bin/tests/system/checknames/setup.sh patch external/bsd/bind/dist/bin/tests/system/checknames/tests.sh patch external/bsd/bind/dist/bin/tests/system/checknames/ns4/master-ignore.update.db.in new external/bsd/bind/dist/bin/tests/system/checknames/ns4/named.conf new external/bsd/bind/dist/bin/tests/system/checknames/ns4/root.hints new external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh patch external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3-padded.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsec3owner-padded.db new external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-nsec3-nopadhash.db new external/bsd/bind/dist/bin/tests/system/coverage/prereq.sh patch external/bsd/bind/dist/bin/tests/system/coverage/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlv/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dlvauto/setup.sh patch external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c patch external/bsd/bind/dist/bin/tests/system/dns64/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dns64/setup.sh patch external/bsd/bind/dist/bin/tests/system/dns64/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/root.db.in patch external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new external/bsd/bind/dist/bin/tests/system/dnssec/ns2/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/dnssec/ns7/named.conf patch external/bsd/bind/dist/bin/tests/system/dnssec/ns7/sign.sh new external/bsd/bind/dist/bin/tests/system/dnssec/ns7/split-rrsig.db.in new external/bsd/bind/dist/bin/tests/system/dsdigest/prereq.sh patch external/bsd/bind/dist/bin/tests/system/dsdigest/setup.sh patch external/bsd/bind/dist/bin/tests/system/dsdigest/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/ecdsa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/setup.sh patch external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns1/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/filter-aaaa/ns4/signed.db.presigned new external/bsd/bind/dist/bin/tests/system/geoip/prereq.sh patch external/bsd/bind/dist/bin/tests/system/geoip/setup.sh patch external/bsd/bind/dist/bin/tests/system/geoip/tests.sh patch external/bsd/bind/dist/bin/tests/system/geoip/data/README patch external/bsd/bind/dist/bin/tests/system/geoip/ns2/named10.conf patch external/bsd/bind/dist/bin/tests/system/geoip/ns2/named11.conf patch external/bsd/bind/dist/bin/tests/system/geoip/ns2/named12.conf patch external/bsd/bind/dist/bin/tests/system/geoip/ns2/named13.conf new external/bsd/bind/dist/bin/tests/system/geoip/ns2/named14.conf new external/bsd/bind/dist/bin/tests/system/geoip/ns2/named15.conf new external/bsd/bind/dist/bin/tests/system/geoip/ns2/named6.conf patch external/bsd/bind/dist/bin/tests/system/gost/prereq.sh patch external/bsd/bind/dist/bin/tests/system/gost/setup.sh patch external/bsd/bind/dist/bin/tests/system/inline/prereq.sh patch external/bsd/bind/dist/bin/tests/system/inline/setup.sh patch external/bsd/bind/dist/bin/tests/system/inline/tests.sh patch external/bsd/bind/dist/bin/tests/system/inline/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/clean.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/setup.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh patch external/bsd/bind/dist/bin/tests/system/ixfr/ns3/named.conf patch external/bsd/bind/dist/bin/tests/system/logfileconfig/setup.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/prereq.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/setup.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh patch external/bsd/bind/dist/bin/tests/system/masterformat/ns1/example.db patch external/bsd/bind/dist/bin/tests/system/metadata/prereq.sh patch external/bsd/bind/dist/bin/tests/system/metadata/setup.sh patch external/bsd/bind/dist/bin/tests/system/nslookup/clean.sh new external/bsd/bind/dist/bin/tests/system/nslookup/setup.sh new external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh new external/bsd/bind/dist/bin/tests/system/nslookup/ns1/named.conf new external/bsd/bind/dist/bin/tests/system/nsupdate/prereq.sh patch external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh patch external/bsd/bind/dist/bin/tests/system/pending/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pending/setup.sh patch external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11/prereq.sh patch external/bsd/bind/dist/bin/tests/system/pkcs11ssl/prereq.sh patch external/bsd/bind/dist/bin/tests/system/redirect/prereq.sh patch external/bsd/bind/dist/bin/tests/system/redirect/setup.sh patch external/bsd/bind/dist/bin/tests/system/resolver/clean.sh patch external/bsd/bind/dist/bin/tests/system/resolver/prereq.sh patch external/bsd/bind/dist/bin/tests/system/resolver/setup.sh patch external/bsd/bind/dist/bin/tests/system/resolver/tests.sh patch external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rndc/setup.sh patch external/bsd/bind/dist/bin/tests/system/rndc/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/clean.sh patch external/bsd/bind/dist/bin/tests/system/rpz/prereq.sh patch external/bsd/bind/dist/bin/tests/system/rpz/setup.sh patch external/bsd/bind/dist/bin/tests/system/rpz/tests.sh patch external/bsd/bind/dist/bin/tests/system/rpz/ns5/empty.db.in new external/bsd/bind/dist/bin/tests/system/rpz/ns5/named.conf patch external/bsd/bind/dist/bin/tests/system/rpz/ns6/hints new external/bsd/bind/dist/bin/tests/system/rpz/ns6/named.conf new external/bsd/bind/dist/bin/tests/system/rpz/ns7/hints new external/bsd/bind/dist/bin/tests/system/rpz/ns7/named.conf new external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh patch external/bsd/bind/dist/bin/tests/system/rrchecker/typelist.good patch external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/setup.sh patch external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh patch external/bsd/bind/dist/bin/tests/system/sit/bad-sit-badhex.conf new external/bsd/bind/dist/bin/tests/system/sit/bad-sit-toolong.conf new external/bsd/bind/dist/bin/tests/system/sit/tests.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/prereq.sh patch external/bsd/bind/dist/bin/tests/system/smartsign/setup.sh patch external/bsd/bind/dist/bin/tests/system/spf/tests.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/prereq.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/setup.sh patch external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh patch external/bsd/bind/dist/bin/tests/system/statistics/prereq.sh patch external/bsd/bind/dist/bin/tests/system/stress/tests.sh patch external/bsd/bind/dist/bin/tests/system/tkey/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tkey/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/clean.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/setup.sh patch external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh patch external/bsd/bind/dist/bin/tests/system/unknown/prereq.sh patch external/bsd/bind/dist/bin/tests/system/unknown/setup.sh patch external/bsd/bind/dist/bin/tests/system/verify/prereq.sh patch external/bsd/bind/dist/bin/tests/system/verify/setup.sh patch external/bsd/bind/dist/bin/tests/system/wildcard/prereq.sh patch external/bsd/bind/dist/bin/tests/system/wildcard/setup.sh patch external/bsd/bind/dist/bin/tests/system/xfer/dig1.good patch external/bsd/bind/dist/bin/tests/system/xfer/dig2.good patch external/bsd/bind/dist/bin/tests/system/xfer/prereq.sh patch external/bsd/bind/dist/bin/tests/system/xfer/setup.sh patch external/bsd/bind/dist/bin/tests/system/xfer/tests.sh patch external/bsd/bind/dist/bin/tests/system/zero/setup.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/prereq.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh patch external/bsd/bind/dist/bin/tests/system/zonechecks/ns1/named.conf patch external/bsd/bind/dist/bin/tests/tasks/t_tasks.c patch external/bsd/bind/dist/bin/tools/arpaname.html patch external/bsd/bind/dist/bin/tools/genrandom.c patch external/bsd/bind/dist/bin/tools/genrandom.html patch external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html patch external/bsd/bind/dist/bin/tools/named-journalprint.html patch external/bsd/bind/dist/bin/tools/named-rrchecker.html patch external/bsd/bind/dist/bin/tools/nsec3hash.c patch external/bsd/bind/dist/bin/tools/nsec3hash.html patch external/bsd/bind/dist/contrib/dlz/config.dlz.in patch external/bsd/bind/dist/contrib/dlz/drivers/dlz_postgres_driver.c patch external/bsd/bind/dist/contrib/dlz/example/dlz_example.c patch external/bsd/bind/dist/contrib/sdb/bdb/bdb.c patch external/bsd/bind/dist/contrib/sdb/dir/dirdb.c patch external/bsd/bind/dist/contrib/sdb/ldap/ldapdb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/pgsqldb.c patch external/bsd/bind/dist/contrib/sdb/pgsql/zonetodb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/sqlitedb.c patch external/bsd/bind/dist/contrib/sdb/sqlite/zone2sqlite.c patch external/bsd/bind/dist/contrib/sdb/tcl/tcldb.c patch external/bsd/bind/dist/contrib/sdb/time/timedb.c patch external/bsd/bind/dist/contrib/zkt-1.1.2/Makefile.in patch external/bsd/bind/dist/contrib/zkt-1.1.2/tags new external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html patch external/bsd/bind/dist/doc/arm/Bv9ARM.html patch external/bsd/bind/dist/doc/arm/Makefile.in patch external/bsd/bind/dist/doc/arm/dlz.xml patch external/bsd/bind/dist/doc/arm/libdns.xml patch external/bsd/bind/dist/doc/arm/man.arpaname.html patch external/bsd/bind/dist/doc/arm/man.ddns-confgen.html patch external/bsd/bind/dist/doc/arm/man.delv.html patch external/bsd/bind/dist/doc/arm/man.dig.html patch external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html patch external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html patch external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html patch external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html patch external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html patch external/bsd/bind/dist/doc/arm/man.dnssec-settime.html patch external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html patch external/bsd/bind/dist/doc/arm/man.dnssec-verify.html patch external/bsd/bind/dist/doc/arm/man.genrandom.html patch external/bsd/bind/dist/doc/arm/man.host.html patch external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html patch external/bsd/bind/dist/doc/arm/man.named-checkconf.html patch external/bsd/bind/dist/doc/arm/man.named-checkzone.html patch external/bsd/bind/dist/doc/arm/man.named-journalprint.html patch external/bsd/bind/dist/doc/arm/man.named-rrchecker.html patch external/bsd/bind/dist/doc/arm/man.named.html patch external/bsd/bind/dist/doc/arm/man.nsec3hash.html patch external/bsd/bind/dist/doc/arm/man.nsupdate.html patch external/bsd/bind/dist/doc/arm/man.rndc-confgen.html patch external/bsd/bind/dist/doc/arm/man.rndc.conf.html patch external/bsd/bind/dist/doc/arm/man.rndc.html patch external/bsd/bind/dist/doc/arm/pkcs11.xml patch external/bsd/bind/dist/doc/misc/options patch external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in patch external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in patch external/bsd/bind/dist/lib/Atffile patch external/bsd/bind/dist/lib/bind9/Makefile.in patch external/bsd/bind/dist/lib/bind9/api patch external/bsd/bind/dist/lib/bind9/check.c patch external/bsd/bind/dist/lib/dns/Makefile.in patch external/bsd/bind/dist/lib/dns/acl.c patch external/bsd/bind/dist/lib/dns/adb.c patch external/bsd/bind/dist/lib/dns/api patch external/bsd/bind/dist/lib/dns/dispatch.c patch external/bsd/bind/dist/lib/dns/dnssec.c patch external/bsd/bind/dist/lib/dns/gen.c patch external/bsd/bind/dist/lib/dns/geoip.c patch external/bsd/bind/dist/lib/dns/master.c patch external/bsd/bind/dist/lib/dns/message.c patch external/bsd/bind/dist/lib/dns/name.c patch external/bsd/bind/dist/lib/dns/nsec.c patch external/bsd/bind/dist/lib/dns/nsec3.c patch external/bsd/bind/dist/lib/dns/peer.c patch external/bsd/bind/dist/lib/dns/rbt.c patch external/bsd/bind/dist/lib/dns/rbtdb.c patch external/bsd/bind/dist/lib/dns/rcode.c patch external/bsd/bind/dist/lib/dns/rdata.c patch external/bsd/bind/dist/lib/dns/resolver.c patch external/bsd/bind/dist/lib/dns/rpz.c patch external/bsd/bind/dist/lib/dns/rrl.c patch external/bsd/bind/dist/lib/dns/time.c patch external/bsd/bind/dist/lib/dns/tsig.c patch external/bsd/bind/dist/lib/dns/validator.c patch external/bsd/bind/dist/lib/dns/view.c patch external/bsd/bind/dist/lib/dns/zone.c patch external/bsd/bind/dist/lib/dns/include/dns/adb.h patch external/bsd/bind/dist/lib/dns/include/dns/dnssec.h patch external/bsd/bind/dist/lib/dns/include/dns/rbt.h patch external/bsd/bind/dist/lib/dns/include/dns/rdataset.h patch external/bsd/bind/dist/lib/dns/include/dns/resolver.h patch external/bsd/bind/dist/lib/dns/include/dns/view.h patch external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c new external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.h new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c new external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.h new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c new external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.h new external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c patch external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c patch external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c patch external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c patch external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c patch external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c patch external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c patch external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c patch external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c patch external/bsd/bind/dist/lib/dns/rdata/generic/uri_256.c patch external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c patch external/bsd/bind/dist/lib/dns/tests/Makefile.in patch external/bsd/bind/dist/lib/dns/tests/gost_test.c patch external/bsd/bind/dist/lib/dns/tests/peer_test.c new external/bsd/bind/dist/lib/dns/tests/rbt_serialize_test.c new external/bsd/bind/dist/lib/dns/tests/rbt_test.c patch external/bsd/bind/dist/lib/dns/win32/libdns.def.in patch external/bsd/bind/dist/lib/irs/Makefile.in patch external/bsd/bind/dist/lib/irs/api patch external/bsd/bind/dist/lib/irs/getaddrinfo.c patch external/bsd/bind/dist/lib/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/api patch external/bsd/bind/dist/lib/isc/base32.c patch external/bsd/bind/dist/lib/isc/counter.c new external/bsd/bind/dist/lib/isc/event.c patch external/bsd/bind/dist/lib/isc/hash.c patch external/bsd/bind/dist/lib/isc/mem.c patch external/bsd/bind/dist/lib/isc/netaddr.c patch external/bsd/bind/dist/lib/isc/print.c patch external/bsd/bind/dist/lib/isc/radix.c patch external/bsd/bind/dist/lib/isc/random.c patch external/bsd/bind/dist/lib/isc/regex.c patch external/bsd/bind/dist/lib/isc/result.c patch external/bsd/bind/dist/lib/isc/socket_api.c patch external/bsd/bind/dist/lib/isc/task.c patch external/bsd/bind/dist/lib/isc/timer.c patch external/bsd/bind/dist/lib/isc/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isc/include/isc/base32.h patch external/bsd/bind/dist/lib/isc/include/isc/counter.h new external/bsd/bind/dist/lib/isc/include/isc/event.h patch external/bsd/bind/dist/lib/isc/include/isc/file.h patch external/bsd/bind/dist/lib/isc/include/isc/hash.h patch external/bsd/bind/dist/lib/isc/include/isc/iterated_hash.h patch external/bsd/bind/dist/lib/isc/include/isc/print.h patch external/bsd/bind/dist/lib/isc/include/isc/result.h patch external/bsd/bind/dist/lib/isc/include/isc/socket.h patch external/bsd/bind/dist/lib/isc/include/isc/task.h patch external/bsd/bind/dist/lib/isc/include/isc/timer.h patch external/bsd/bind/dist/lib/isc/include/isc/types.h patch external/bsd/bind/dist/lib/isc/tests/Makefile.in patch external/bsd/bind/dist/lib/isc/tests/counter_test.c new external/bsd/bind/dist/lib/isc/tests/hash_test.c patch external/bsd/bind/dist/lib/isc/tests/print_test.c new external/bsd/bind/dist/lib/isc/unix/net.c patch external/bsd/bind/dist/lib/isc/unix/socket.c patch external/bsd/bind/dist/lib/isc/unix/include/isc/net.h patch external/bsd/bind/dist/lib/isc/win32/libisc.def.in patch external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in patch external/bsd/bind/dist/lib/isc/win32/libisc.mak.in patch external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in patch external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in patch external/bsd/bind/dist/lib/isc/win32/socket.c patch external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in patch external/bsd/bind/dist/lib/isccc/Makefile.in patch external/bsd/bind/dist/lib/isccfg/Makefile.in patch external/bsd/bind/dist/lib/isccfg/aclconf.c patch external/bsd/bind/dist/lib/isccfg/api patch external/bsd/bind/dist/lib/isccfg/namedconf.c patch external/bsd/bind/dist/lib/lwres/Atffile new external/bsd/bind/dist/lib/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/api patch external/bsd/bind/dist/lib/lwres/compat.c new external/bsd/bind/dist/lib/lwres/gai_strerror.c patch external/bsd/bind/dist/lib/lwres/getaddrinfo.c patch external/bsd/bind/dist/lib/lwres/lwconfig.c patch external/bsd/bind/dist/lib/lwres/print.c patch external/bsd/bind/dist/lib/lwres/strtoul.c delete external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in patch external/bsd/bind/dist/lib/lwres/include/lwres/lwres.h patch external/bsd/bind/dist/lib/lwres/include/lwres/netdb.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/platform.h.in patch external/bsd/bind/dist/lib/lwres/include/lwres/stdlib.h patch external/bsd/bind/dist/lib/lwres/include/lwres/string.h new external/bsd/bind/dist/lib/lwres/man/lwres.3 patch external/bsd/bind/dist/lib/lwres/man/lwres.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres.html patch external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html patch external/bsd/bind/dist/lib/lwres/man/lwres_config.html patch external/bsd/bind/dist/lib/lwres/man/lwres_context.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html patch external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html patch external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html patch external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html patch external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_noop.html patch external/bsd/bind/dist/lib/lwres/man/lwres_packet.html patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3 patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook patch external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html patch external/bsd/bind/dist/lib/lwres/tests/Atffile new external/bsd/bind/dist/lib/lwres/tests/Makefile.in new external/bsd/bind/dist/lib/lwres/tests/config_test.c new external/bsd/bind/dist/lib/lwres/tests/testdata/link-local.conf new external/bsd/bind/dist/lib/lwres/win32/liblwres.dsp.in patch external/bsd/bind/dist/lib/lwres/win32/liblwres.mak.in patch external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.filters.in patch external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.in patch external/bsd/bind/dist/lib/lwres/win32/include/lwres/platform.h patch external/bsd/bind/dist/make/rules.in patch external/bsd/bind/include/config.h patch external/bsd/bind/include/dns/code.h patch external/bsd/bind/include/dns/enumtype.h patch external/bsd/bind/include/dns/rdatastruct.h patch external/bsd/bind/include/isc/platform.h patch external/bsd/bind/include/lwres/netdb.h patch external/bsd/bind/include/lwres/platform.h patch external/bsd/bind/lib/libbind9/shlib_version patch external/bsd/bind/lib/libdns/shlib_version patch external/bsd/bind/lib/libirs/shlib_version patch external/bsd/bind/lib/libisc/Makefile patch external/bsd/bind/lib/libisc/shlib_version patch external/bsd/bind/lib/libisccc/shlib_version patch external/bsd/bind/lib/liblwres/shlib_version patch external/bsd/dhcp/dist/includes/omapip/result.h patch Update bind to 9.10.1-P1. CVE-2014-8500. @ text @d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d440 1 a440 1 See the explanations of particular parameters d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar d977 11 a987 14valueis the value to search for within the database. A string may be quoted if it contains spaces or other special characters. If this is an "asnum" search, then the leading "ASNNNN" string can be used, otherwise the full description must be used (e.g. "ASNNNN Example Company Name"). If this is a "country" search and the string is two characters long, then it must be a standard ISO-3166-1 two-letter country code, and if it is three characters long then it must be an ISO-3166-1 three-letter country code; otherwise it is the full name of the country. Similarly, if this is a "region" search and the string is two characters long, then it must be a standard two-letter state or province abbreviation; otherwise it is the full name of the state or province. d1020 1 a1020 1 controls Statement Grammar d1144 1 a1144 1 include Statement Grammar d1149 1 a1149 1 include Statement Definition and d1164 1 a1164 1 key Statement Grammar d1173 1 a1173 1 key Statement Definition and Usage d1220 1 a1220 1 logging Statement Grammar d1244 1 a1244 1 logging Statement Definition and d1278 1 a1278 1 The channel Phrase d1891 1 a1891 1 The query-errors Category d2119 1 a2119 1 lwres Statement Grammar d2135 1 a2135 1 lwres Statement Definition and Usage d2186 1 a2186 1 masters Statement Grammar d2194 1 a2194 1 masters Statement Definition and d2204 1 a2204 1 options Statement Grammar a2214 1 [ geoip-directorypath_name; ] d2276 1 a2276 1 [ check-spf (warn|ignore); ] a2409 1 [ max-recursion-depthnumber; ] d2424 2 a2425 1 [ responses-per-secondnumber; ] a2568 12geoip-directory d3529 1 a3529 4 will generate a random secret at startup. The shared secret is encoded as a hex string and needs to be 128 bits for AES128, 160 bits for SHA1 and 256 bits for SHA256. d3898 4 a3901 7 The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with d3924 5 a3928 5 If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn. d4038 1 a4038 1 Forwarding d4082 1 a4082 1 Dual-stack Servers d4315 1 a4315 1 due to incorrect use of case-sensitive comparisons. d4323 1 a4323 1 There are circumstances in which named d4328 1 a4328 1 "WWW.EXAMPLE.COM/AAAA"), then all responses for that d4350 1 a4350 1 Interfaces d4815 1 a4815 1 UDP Port Lists d4857 1 a4857 1 Operating System Resource Limits d5018 1 a5018 1 Periodic Task Intervals d5619 1 a5619 2 before dropping additional clients. named will attempt to a5643 23 Specifies the directory containing GeoIP
.datdatabase files for GeoIP initialization. By default, this option is unset and the GeoIP support will use libGeoIP's built-in directory. (For details, see the section called “acl Statement Definition and Usage” about the geoip ACL.)max-recursion-depth Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
max-recursion-queries d6034 1 a6034 1 Content Filtering d6157 1 a6157 1 Response Policy Zone (RPZ) Rewriting d6528 1 a6528 1 Response Rate Limiting d6581 4 a6584 2 with responses-per-second (default 0 or no limit). d6589 1 a6589 1 (default responses-per-second). d6602 1 a6602 1 (default responses-per-second). d6616 1 a6616 1 responses-per-second value, d6621 65 d6741 24 d6778 2 a6779 2 all-per-second phrase. This rate limiting is unlike the rate limiting provided by d6783 25 a6807 28 which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests. d7072 1 a7072 1 statistics-channels Statement Definition and d7188 1 a7188 1 trusted-keys Statement Definition d7228 1 a7228 1 managed-keys Statement Grammar d7366 1 a7366 1 view Statement Definition and Usage d7503 1 a7503 1 [ check-spf ( Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
warn|ignore); ] d7688 1 a7688 1 zone Statement Definition and Usage d7691 1 a7691 1 Zone Types d8009 1 a8009 1 Class d8031 1 a8031 1 Zone Options d8953 1 a8953 1 Multiple views a8994 4An in-view zone cannot be used as a response policy zone.
d9000 1 a9000 1 Zone File d9013 1 a9013 1 Resource Records d9750 1 a9750 1 Textual expression of RRs d9953 1 a9953 1 Discussion of MX Records d10195 2 a10196 1 servers can cache it. d10209 1 a10209 1 Inverse Mapping in IPv4 d10270 1 a10270 1 Other Zone File Directives d10285 1 a10285 1 The @@ (at-sign) d10296 1 a10296 1 The $ORIGIN Directive d10325 1 a10325 1 The $INCLUDE Directive d10361 1 a10361 1 The $TTL Directive d10380 1 a10380 1 BIND Master File Extension: the $GENERATE Directive d10823 1 a10823 1 Name Server Statistics Counters d11419 1 a11419 1 Zone Maintenance Statistics Counters d11573 1 a11573 1 Resolver Statistics Counters d11956 1 a11956 1 Socket I/O Statistics Counters d12111 1 a12111 1 Compatibility with BIND 8 Counters a12162 1BIND Version 9.10
@ 1.1.1.15.2.2 log @Pull up following revision(s) (requested by spz in ticket #544): external/bsd/bind/dist/doc/arm/man.named-checkzone.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.named.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.delv.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.nsupdate.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dig.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: revision 1.2 external/bsd/bind/dist/lib/dns/tests/geoip_test.c: revision 1.2 external/bsd/bind/dist/doc/arm/man.arpaname.html: revision 1.2 external/bsd/bind/dist/srcid: revision 1.8 external/bsd/bind/dist/doc/arm/man.rndc.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.host.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: revision 1.2 external/bsd/bind/dist/lib/dns/api: revision 1.2 external/bsd/bind/dist/doc/arm/man.genrandom.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: revision 1.2 external/bsd/bind/dist/README: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: revision 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: revision 1.2 external/bsd/bind/dist/version: revision 1.12 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: revision 1.2 external/bsd/bind/dist/CHANGES: revision 1.14 external/bsd/bind/dist/lib/dns/zone.c: revision 1.13 external/bsd/bind/dist/bin/tests/system/ans.pl: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: revision 1.2 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: revision 1.2 security patch for bind from ISC (to 9.10.1-P2). Only the change to lib/dns/zone.c is security relevant Upstream changelog: --- 9.10.1-P2 released --- 4053. [security] Revoking a managed trust anchor and supplying an untrusted replacement could cause named to crash with an assertion failure. (CVE-2015-1349) [RT #38344] 4027. [port] Net::DNS 0.81 compatibility. [RT #38165] @ text @d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a2414 1 [ max-recursion-queriesnumber; ] d4060 1 a4060 1 Forwarding d4104 1 a4104 1 Dual-stack Servers d4372 1 a4372 1 Interfaces d4837 1 a4837 1 UDP Port Lists d4879 1 a4879 1 Operating System Resource Limits d5040 1 a5040 1 Periodic Task Intervals d6080 1 a6080 1 Content Filtering d6203 1 a6203 1 Response Policy Zone (RPZ) Rewriting d6574 1 a6574 1 Response Rate Limiting d7030 1 a7030 1 statistics-channels Statement Definition and d7146 1 a7146 1 trusted-keys Statement Definition d7186 1 a7186 1 managed-keys Statement Grammar d7324 1 a7324 1 view Statement Definition and Usage d7646 1 a7646 1 zone Statement Definition and Usage d7649 1 a7649 1 Zone Types d7967 1 a7967 1 Class d7989 1 a7989 1 Zone Options d8911 1 a8911 1 Multiple views d8962 1 a8962 1 Zone File d8975 1 a8975 1 Resource Records d9712 1 a9712 1 Textual expression of RRs d9915 1 a9915 1 Discussion of MX Records d10170 1 a10170 1 Inverse Mapping in IPv4 d10231 1 a10231 1 Other Zone File Directives d10246 1 a10246 1 The @@ (at-sign) d10257 1 a10257 1 The $ORIGIN Directive d10286 1 a10286 1 The $INCLUDE Directive d10322 1 a10322 1 The $TTL Directive d10341 1 a10341 1 BIND Master File Extension: the $GENERATE Directive d10784 1 a10784 1 Name Server Statistics Counters d11380 1 a11380 1 Zone Maintenance Statistics Counters d11534 1 a11534 1 Resolver Statistics Counters d11917 1 a11917 1 Socket I/O Statistics Counters d12072 1 a12072 1 Compatibility with BIND 8 Counters @ 1.1.1.15.2.3 log @Pull up following revision(s) (requested by he in ticket #878): distrib/sets/lists/base/ad.aarch64: patch distrib/sets/lists/base/ad.arm: patch distrib/sets/lists/base/ad.mips: patch distrib/sets/lists/base/ad.powerpc: patch distrib/sets/lists/base/md.amd64: patch distrib/sets/lists/base/md.sparc64: patch distrib/sets/lists/base/shl.mi: patch doc/3RDPARTY: patch external/bsd/bind/dist/CHANGES: up to 1.15 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.9 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.9 external/bsd/bind/dist/README: up to 1.3 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.11 external/bsd/bind/dist/bin/delv/delv.c: up to 1.4 external/bsd/bind/dist/bin/dig/dig.1: up to 1.10 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.15 external/bsd/bind/dist/bin/dig/host.c: up to 1.11 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.11 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.c: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c: up to 1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.16 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.12 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-verify.c: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssectool.c: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssectool.h: up to 1.7 external/bsd/bind/dist/bin/named/client.c: up to 1.13 external/bsd/bind/dist/bin/named/config.c: up to 1.11 external/bsd/bind/dist/bin/named/include/named/globals.h: up to 1.9 external/bsd/bind/dist/bin/named/interfacemgr.c: up to 1.10 external/bsd/bind/dist/bin/named/main.c: up to 1.18 external/bsd/bind/dist/bin/named/query.c: up to 1.19 external/bsd/bind/dist/bin/named/server.c: up to 1.19 external/bsd/bind/dist/bin/named/update.c: up to 1.11 external/bsd/bind/dist/bin/named/win32/dlz_dlopen_driver.c: up to 1.4 external/bsd/bind/dist/bin/named/win32/os.c: up to 1.8 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.9 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.8 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.13 external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8za-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0m-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0o-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1h-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1j-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.12 external/bsd/bind/dist/bin/tests/dst/gsstest.c: up to 1.9 external/bsd/bind/dist/bin/tests/sig0_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/README: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ans.pl: up to 1.3 external/bsd/bind/dist/bin/tests/system/checkconf/altdlz.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/bad-sharedwritable1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-sharedwritable2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/checkconf/max-ttl.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad3.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad4.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/badttl.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/inherit.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/nowarn.inherited.owner.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/warn.inherit.origin.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/warn.inherited.owner.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/delv/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/delv/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/dnskey-nsec3-unknown.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/dnskey-unknown.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/future.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named.conf delete external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns5/named2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns5/sign.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/setup.sh: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/emptyzones/ns1/named2.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/forward/ns4/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/genzone.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/geoip/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/geoip/ns2/named6.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/setup.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/inline/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/inline/ns2/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/inline/setup.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/legacy/build.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns1/named1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns1/named2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns1/trusted.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns2/dropedns.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns2/named.dropedns: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns3/dropedns-notcp.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.dropedns: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns3/named.notcp: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns4/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns4/plain.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns5/named.notcp: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns5/plain-notcp.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns6/edns512.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns6/edns512.db.signed: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns6/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns6/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns6/sign.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/edns512-notcp.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/edns512-notcp.db.signed: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/named.notcp: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/ns7/sign.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/legacy/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/ns2/generic.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/notify/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/ns4/named.port: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/ns5/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/ns5/x21.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/notify/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/reclimit/README: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ans4/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ans7/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns3/hints.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named3.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/ns3/named4.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/redirect/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/resolver/ns4/tld1.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/ns4/tld2.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/resolver/ns7/all-cnames.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/rpzrecurse/README: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/db.l0: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/db.l1.l0: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip1: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip2: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.clientip.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.conf.header: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.default.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/root.hint: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/testgen.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rrchecker/typelist.good: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/upforwd/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/upforwd/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/upforwd/ns2/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/upforwd/ns3/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/views/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/views/ns2/external/inline.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/views/ns2/internal/inline.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/views/ns2/named2.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/views/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/views/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/dig1.good: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/dig2.good: up to 1.1.1.8 external/bsd/bind/dist/config.h.in: up to 1.11 external/bsd/bind/dist/config.h.win32: up to 1.1.1.11 external/bsd/bind/dist/configure: up to 1.4 external/bsd/bind/dist/configure.in: up to 1.7 external/bsd/bind/dist/contrib/dlz/example/README: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/README.md: up to 1.1.1.2 external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: up to 1.1.1.5 external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/README: up to 1.1.1.1 external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/dns-data.txt: up to 1.1.1.2 external/bsd/bind/dist/contrib/dlz/modules/bdbhpt/testing/named.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/sdb/ldap/ldapdb.c: up to 1.5 external/bsd/bind/dist/contrib/zkt-1.1.2/CHANGELOG delete external/bsd/bind/dist/contrib/zkt-1.1.2/LICENSE delete external/bsd/bind/dist/contrib/zkt-1.1.2/Makefile.in delete external/bsd/bind/dist/contrib/zkt-1.1.2/README delete external/bsd/bind/dist/contrib/zkt-1.1.2/README.logging delete external/bsd/bind/dist/contrib/zkt-1.1.2/TODO delete external/bsd/bind/dist/contrib/zkt-1.1.2/config.h.in delete external/bsd/bind/dist/contrib/zkt-1.1.2/config_zkt.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/configure delete external/bsd/bind/dist/contrib/zkt-1.1.2/configure.ac delete external/bsd/bind/dist/contrib/zkt-1.1.2/debug.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/distribute.sh delete external/bsd/bind/dist/contrib/zkt-1.1.2/dki.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/dki.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/KeyRollover.ms delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/KeyRollover.ps delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/draft-gudmundsson-life-of-dnskey-00.txt delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/draft-ietf-dnsop-rfc4641bis-01.txt delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/rfc4641.txt delete external/bsd/bind/dist/contrib/zkt-1.1.2/doc/rfc5011.txt delete external/bsd/bind/dist/contrib/zkt-1.1.2/domaincmp.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/domaincmp.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dist.sh delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+30323.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/Kdyn.example.net.+007+52935.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/zktlog-dyn.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/zone.db.dsigned delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/dyn.example.net/zone.org delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+02957.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+02957.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+21605.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+21605.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+52101.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+52101.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+56360.depreciated delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/Kexample.net.+008+56360.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/z.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/zktlog-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/example.net/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/dlvset-sub.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/dsset-dyn.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/dsset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/dsset-sub.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/keyset-dyn.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/keyset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/keysets/keyset-sub.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/named.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+005+24183.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+005+24183.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+005+44660.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+005+44660.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+00855.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+00855.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+34493.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+34493.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+55983.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+55983.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+59870.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+007+59870.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+010+07987.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+010+07987.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+010+33176.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/Ksub.example.net.+010+33176.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/dlvset-sub.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/maxhexsalt delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/maxhexsalt+1 delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/zktlog-sub.example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/sub.example.net/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt.log delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zone.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+25598.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+25598.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+37983.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+37983.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+47280.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+47280.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+60407.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/Kexample.de.+005+60407.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/dsset-example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/keyset-example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/keyset-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27647.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+27647.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+32679.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+32679.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+38331.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+38331.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+51846.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+51846.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+55550.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/Ksub.example.de.+005+55550.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/dsset-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/keyset-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+08544.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+08544.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+27861.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+27861.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+42639.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/ksub.example.de.+005+42639.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/example.de/zone.soa delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/de/keyset-example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/dnssec.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/log/zktlog-example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/log/zktlog-sub.example.de. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/named.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zone.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-extern.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-intern.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-signer-extern delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-signer-intern delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-zkt-extern delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/dnssec-zkt-intern delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+08885.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+08885.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+23553.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+23553.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+38930.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/Kexample.net.+005+38930.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/dsset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/keyset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/example.net/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/keyset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/extern/zkt-ext.log delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+00126.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+00126.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+52235.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+52235.published delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+57602.key delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/Kexample.net.+005+57602.private delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/dnskey.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/dsset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/keyset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/zone.db delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/example.net/zone.db.signed delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/keyset-example.net. delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/intern/zkt-int.log delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/named.conf delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/named.log delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/root.hint delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/views/viewtest.sh delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/zkt-ls.sh delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/zkt-signer.sh delete external/bsd/bind/dist/contrib/zkt-1.1.2/log.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/log.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/dnssec-zkt.8 delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-conf.8 delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-conf.8.html delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-conf.8.org delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-conf.8.pdf delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-keyman.8 delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-keyman.8.html delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-keyman.8.pdf delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-ls.8 delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-ls.8.html delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-ls.8.pdf delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-signer.8 delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-signer.8.html delete external/bsd/bind/dist/contrib/zkt-1.1.2/man/zkt-signer.8.pdf delete external/bsd/bind/dist/contrib/zkt-1.1.2/misc.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/misc.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/ncparse.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/ncparse.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/nscomm.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/nscomm.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/rollover.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/rollover.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/soaserial.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/soaserial.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/strlist.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/strlist.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/tcap.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/tcap.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/zconf.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zconf.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/zfparse.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zfparse.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt-conf.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt-keyman.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt-ls.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt-signer.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt-soaserial.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zkt.h delete external/bsd/bind/dist/contrib/zkt-1.1.2/zone.c delete external/bsd/bind/dist/contrib/zkt-1.1.2/zone.h delete external/bsd/bind/dist/contrib/zkt-1.1.3/CHANGELOG: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/LICENSE: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/README: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/README.logging: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/TODO: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/config.h.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/config_zkt.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/configure: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/configure.ac: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/debug.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/distribute.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/dki.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/dki.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/KeyRollover.ms: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/KeyRollover.ps: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/draft-gudmundsson-life-of-dnskey-00.txt: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/draft-ietf-dnsop-rfc4641bis-01.txt: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/rfc4641.txt: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/doc/rfc5011.txt: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/domaincmp.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/domaincmp.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dist.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dyn.example.net/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zktlog-dyn.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zone.db.dsigned: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/dyn.example.net/zone.org: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/dnskey.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/zktlog-example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/zone.hosts: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/example.net/zone.localhost: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/keysets/dlvset-sub.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/keysets/dsset-example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/keysets/dsset-sub.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/keysets/keyset-example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/keysets/keyset-sub.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/named.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/dlvset-sub.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/dnskey.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/maxhexsalt: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/maxhexsalt+1: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/zktlog-sub.example.net.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/sub.example.net/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/flat/zone.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/sub.example.de/dlvset-sub.example.de.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/sub.example.de/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/sub.example.de/parent-sub.example.de.: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/sub.example.de/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/sub.example.de/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/de/example.de/zone.soa: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/dnssec.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/named.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/hierarchical/zone.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-extern.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-intern.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-signer-extern: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-signer-intern: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-zkt-extern: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/dnssec-zkt-intern: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/extern/example.net/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/extern/zkt-ext.log: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/intern/example.net/zone.db.signed: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/intern/zkt-int.log: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/named.conf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/named.log: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/root.hint: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/views/viewtest.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/zkt-ls.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/examples/zkt-signer.sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/log.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/log.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/dnssec-zkt.8: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-conf.8: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-conf.8.html: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-conf.8.org: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-conf.8.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-keyman.8: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-keyman.8.html: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-keyman.8.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-ls.8: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-ls.8.html: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-ls.8.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-signer.8: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-signer.8.html: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/man/zkt-signer.8.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/misc.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/misc.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/ncparse.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/ncparse.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/nscomm.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/nscomm.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/rollover.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/rollover.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/soaserial.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/soaserial.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/strlist.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/strlist.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/tcap.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/tcap.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zconf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zconf.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zfparse.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zfparse.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt-conf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt-keyman.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt-ls.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt-signer.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt-soaserial.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zkt.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zone.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/zkt-1.1.3/zone.h: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.9 external/bsd/bind/dist/doc/arm/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/isc-logo.pdf: up to 1.4 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.3 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.3 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/xsl/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/isc-docbook-latex.xsl.in: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/isc-notes-html.xsl.in: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/isc-notes-latex.xsl.in: up to 1.1.1.1 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.16 external/bsd/bind/dist/lib/bind9/check.c: up to 1.12 external/bsd/bind/dist/lib/bind9/getaddresses.c: up to 1.6 external/bsd/bind/dist/lib/dns/acache.c: up to 1.7 external/bsd/bind/dist/lib/dns/adb.c: up to 1.11 external/bsd/bind/dist/lib/dns/api: up to 1.3 external/bsd/bind/dist/lib/dns/client.c: up to 1.10 external/bsd/bind/dist/lib/dns/diff.c: up to 1.9 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.10 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.11 external/bsd/bind/dist/lib/dns/ecdb.c: up to 1.9 external/bsd/bind/dist/lib/dns/gen.c: up to 1.7 external/bsd/bind/dist/lib/dns/geoip.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/include/dns/dispatch.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/log.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/rdataset.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/request.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/rpz.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.16 external/bsd/bind/dist/lib/dns/journal.c: up to 1.9 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.10 external/bsd/bind/dist/lib/dns/log.c: up to 1.8 external/bsd/bind/dist/lib/dns/mapapi: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/master.c: up to 1.14 external/bsd/bind/dist/lib/dns/masterdump.c: up to 1.11 external/bsd/bind/dist/lib/dns/message.c: up to 1.15 external/bsd/bind/dist/lib/dns/name.c: up to 1.11 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.9 external/bsd/bind/dist/lib/dns/nsec3.c: up to 1.11 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.8 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.8 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/private.c: up to 1.7 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.10 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.20 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdatalist.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdataslab.c: up to 1.11 external/bsd/bind/dist/lib/dns/request.c: up to 1.9 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.21 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.9 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.9 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.9 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.9 external/bsd/bind/dist/lib/dns/spnego_asn1.c: up to 1.7 external/bsd/bind/dist/lib/dns/tests/Kdh.+002+18602.key: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.7 external/bsd/bind/dist/lib/dns/tests/db_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/tests/dbversion_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/dh_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/gost_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/master_test.c: up to 1.6 external/bsd/bind/dist/lib/dns/tests/name_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/rbt_serialize_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/tests/zonemgr_test.c: up to 1.4 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.8 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.8 external/bsd/bind/dist/lib/dns/validator.c: up to 1.13 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.11 external/bsd/bind/dist/lib/dns/zone.c: up to 1.14 external/bsd/bind/dist/lib/dns/zt.c: up to 1.8 external/bsd/bind/dist/lib/irs/getnameinfo.c: up to 1.7 external/bsd/bind/dist/lib/irs/win32/libirs.def: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.18 external/bsd/bind/dist/lib/isc/hash.c: up to 1.9 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.8 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.9 external/bsd/bind/dist/lib/isc/httpd.c: up to 1.8 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/include/isc/print.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/radix.h: up to 1.10 external/bsd/bind/dist/lib/isc/include/isc/ratelimiter.h: up to 1.5 external/bsd/bind/dist/lib/isc/md5.c: up to 1.7 external/bsd/bind/dist/lib/isc/mem.c: up to 1.12 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/print.c: up to 1.5 external/bsd/bind/dist/lib/isc/pthreads/mutex.c: up to 1.6 external/bsd/bind/dist/lib/isc/radix.c: up to 1.8 external/bsd/bind/dist/lib/isc/ratelimiter.c: up to 1.6 external/bsd/bind/dist/lib/isc/result.c: up to 1.5 external/bsd/bind/dist/lib/isc/sha1.c: up to 1.8 external/bsd/bind/dist/lib/isc/sha2.c: up to 1.10 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/tests/mem_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/tests/radix_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/time_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/unix/app.c: up to 1.13 external/bsd/bind/dist/lib/isc/unix/include/isc/net.h: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/isc/time.h: up to 1.7 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.8 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.17 external/bsd/bind/dist/lib/isc/unix/stdio.c: up to 1.7 external/bsd/bind/dist/lib/isc/unix/time.c: up to 1.9 external/bsd/bind/dist/lib/isc/win32/include/isc/platform.h.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/win32/include/isc/time.h: up to 1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/win32os.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.10 external/bsd/bind/dist/lib/isc/win32/win32os.c: up to 1.6 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.16 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.11 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.9 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.13 external/bsd/bind/dist/lib/lwres/compat.c: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/gethost.c: up to 1.7 external/bsd/bind/dist/lib/lwres/win32/liblwres.def: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/nsprobe.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.5 external/bsd/bind/dist/srcid: up to 1.9 external/bsd/bind/dist/version: up to 1.13 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildSetup.bat.in: up to 1.1.1.4 external/bsd/bind/include/config.h: up to 1.16 external/bsd/bind/include/dns/code.h: up to 1.11 external/bsd/bind/include/dns/enumclass.h: up to 1.7 external/bsd/bind/include/dns/enumtype.h: up to 1.10 external/bsd/bind/include/dns/rdatastruct.h: up to 1.10 external/bsd/bind/include/isc/platform.h: up to 1.19 external/bsd/bind/lib/libbind9/shlib_version: up to 1.14 external/bsd/bind/lib/libdns/shlib_version: up to 1.16 external/bsd/bind/lib/libirs/shlib_version: up to 1.3 external/bsd/bind/lib/libisc/shlib_version: up to 1.16 external/bsd/bind/lib/libisccc/shlib_version: up to 1.14 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.14 external/bsd/bind/lib/liblwres/shlib_version: up to 1.14 Update BIND to 9.10.2-P2. @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d51 1 a51 1Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar d895 5 d1023 1 a1023 1 controls Statement Grammar d1147 1 a1147 1 include Statement Grammar d1152 1 a1152 1 include Statement Definition and d1167 1 a1167 1 key Statement Grammar d1176 1 a1176 1 key Statement Definition and Usage d1223 1 a1223 1 logging Statement Grammar d1247 1 a1247 1 logging Statement Definition and d1281 1 a1281 1 The channel Phrase a1888 11d1894 1 a1894 1 The query-errors Category d2122 1 a2122 1 lwres Statement Grammar d2138 1 a2138 1 lwres Statement Definition and Usage d2189 1 a2189 1 masters Statement Grammar d2197 1 a2197 1 masters Statement Definition and d2207 1 a2207 1 options Statement Grammar d2447 10 a2456 12 zone cname
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
zone_name[ policy(given | disabled | passthru | drop | nxdomain | nodata | cname domain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; [...] } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] a2771 7dscp d4061 1 a4061 1 Forwarding d4105 1 a4105 1 Dual-stack Servers d4373 1 a4373 1 Interfaces d4663 1 a4663 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4838 1 a4838 1 UDP Port Lists d4880 1 a4880 1 Operating System Resource Limits d5041 1 a5041 1 Periodic Task Intervals d5522 1 a5522 1 Sets the maximum advertised EDNS UDP buffer size in d5688 2 a5689 4 is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75. d6081 1 a6081 1 Content Filtering d6204 1 a6204 1 Response Policy Zone (RPZ) Rewriting d6209 1 a6209 1 Responses can be changed to deny the existence of domains (NXDOMAIN), d6315 1 a6315 1 The global Differentiated Services Code Point (DSCP) value to classify outgoing DNS traffic on operating systems that support DSCP. Valid values are 0 through 63. It is not configured by default.
d6575 1 a6575 1 Response Rate Limiting d6905 8 a6912 17 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted to the nearest value within it). This option is useful when you wish to advertise a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies. (Note: Currently, this sets a single UDP size for all packets sent to the server; named will not deviate from this value. This differs from the behavior of edns-udp-size in options or view statements, where it specifies a maximum value. The server statement behavior may be brought into conformance with the options/view behavior in future releases.) d7031 1 a7031 1 statistics-channels Statement Definition and d7147 1 a7147 1 trusted-keys Statement Definition d7187 1 a7187 1 managed-keys Statement Grammar d7325 1 a7325 1 view Statement Definition and Usage d7647 1 a7647 1 zone Statement Definition and Usage d7650 1 a7650 1 Zone Types d7968 1 a7968 1 Class d7990 1 a7990 1 Zone Options d8912 1 a8912 1 Multiple views d8963 1 a8963 1 Zone File d8976 1 a8976 1 Resource Records d9713 1 a9713 1 Textual expression of RRs d9916 1 a9916 1 Discussion of MX Records d10171 1 a10171 1 Inverse Mapping in IPv4 d10232 1 a10232 1 Other Zone File Directives d10247 1 a10247 1 The @@ (at-sign) d10258 1 a10258 1 The $ORIGIN Directive d10287 1 a10287 1 The $INCLUDE Directive d10323 1 a10323 1 The $TTL Directive d10342 1 a10342 1 BIND Master File Extension: the $GENERATE Directive d10785 1 a10785 1 Name Server Statistics Counters d11381 1 a11381 1 Zone Maintenance Statistics Counters d11535 1 a11535 1 Resolver Statistics Counters d11918 1 a11918 1 Socket I/O Statistics Counters d12073 1 a12073 1 Compatibility with BIND 8 Counters d12125 1 a12125 1d6328 1 a6328 1
- Among triggers with the same prefix length, d6332 1 a6332 1
BIND 9.10.2-P2
@ 1.1.1.15.2.4 log @Pull up following revision(s) (requested by christos in ticket #917): doc/3RDPARTY: patch external/bsd/bind/dist/CHANGES: up to 1.16 external/bsd/bind/dist/README: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.4 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.10 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.4 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.4 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/api: up to 1.4 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.9 external/bsd/bind/dist/srcid: up to 1.10 external/bsd/bind/dist/version: up to 1.14 Update BIND to 9.10.2-P3, addressing CVE-2015-5477. @ text @d17 1 a17 1 d12153 1 a12153 1BIND 9.10.2-P3
@ 1.1.1.15.2.5 log @Pull up the following, requested by snj in ticket #973: external/bsd/bind/dist/CHANGES 1.17 external/bsd/bind/dist/README 1.5 external/bsd/bind/dist/srcid 1.11 external/bsd/bind/dist/version 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html 1.1.1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html 1.1.1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html 1.1.1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html 1.1.1.3 external/bsd/bind/dist/doc/arm/Bv9ARM.html 1.5 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf 1.11 external/bsd/bind/dist/doc/arm/latex-fixup.pl 1.1.1.5 external/bsd/bind/dist/doc/arm/man.arpaname.html 1.5 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html 1.5 external/bsd/bind/dist/doc/arm/man.delv.html 1.5 external/bsd/bind/dist/doc/arm/man.dig.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html 1.5 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html 1.5 external/bsd/bind/dist/doc/arm/man.genrandom.html 1.5 external/bsd/bind/dist/doc/arm/man.host.html 1.5 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html 1.5 external/bsd/bind/dist/doc/arm/man.named-checkconf.html 1.5 external/bsd/bind/dist/doc/arm/man.named-checkzone.html 1.5 external/bsd/bind/dist/doc/arm/man.named-journalprint.html 1.5 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html 1.5 external/bsd/bind/dist/doc/arm/man.named.html 1.5 external/bsd/bind/dist/doc/arm/man.nsec3hash.html 1.5 external/bsd/bind/dist/doc/arm/man.nsupdate.html 1.5 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html 1.5 external/bsd/bind/dist/doc/arm/man.rndc.conf.html 1.5 external/bsd/bind/dist/doc/arm/man.rndc.html 1.5 external/bsd/bind/dist/doc/arm/notes.html 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.pdf 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.xml 1.1.1.3 external/bsd/bind/dist/lib/dns/api 1.5 external/bsd/bind/dist/lib/dns/hmac_link.c 1.8 external/bsd/bind/dist/lib/dns/ncache.c 1.10 external/bsd/bind/dist/lib/dns/openssldh_link.c 1.9 external/bsd/bind/dist/lib/dns/openssldsa_link.c 1.10 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c 1.9 external/bsd/bind/dist/lib/dns/opensslrsa_link.c 1.10 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c 1.1.1.5 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c 1.1.1.5 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata.c 1.12 external/bsd/bind/dist/lib/dns/resolver.c 1.22 external/bsd/bind/dist/lib/dns/include/dst/dst.h 1.10 external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.c 1.1.1.2 doc/3RDPARTY (patch) Update BIND to 9.10.2-P4. Changes: - Fix CVE-2015-5722 - Fix CVE-2015-5986 @ text @d17 1 a17 1 d12153 1 a12153 1BIND 9.10.2-P4
@ 1.1.1.15.2.6 log @Pull up following revision(s) (requested by snj in ticket #1140): distrib/sets/lists/base/ad.aarch64: patch distrib/sets/lists/base/ad.arm: patch distrib/sets/lists/base/ad.mips: patch distrib/sets/lists/base/ad.powerpc: patch distrib/sets/lists/base/md.amd64: patch distrib/sets/lists/base/md.sparc64: patch distrib/sets/lists/base/shl.mi: patch distrib/sets/lists/debug/ad.aarch64: patch distrib/sets/lists/debug/ad.arm: patch distrib/sets/lists/debug/ad.mips: patch distrib/sets/lists/debug/ad.powerpc: patch distrib/sets/lists/debug/md.amd64: patch distrib/sets/lists/debug/md.sparc64: patch distrib/sets/lists/debug/shl.mi: patch doc/3RDPARTY: patch external/bsd/bind/bind2netbsd: up to 1.3 external/bsd/bind/dist/CHANGES: up to 1.20 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.10 external/bsd/bind/dist/README: up to 1.8 external/bsd/bind/dist/bin/check/check-tool.c: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.12 external/bsd/bind/dist/bin/check/named-checkzone.c: up to 1.8 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.7 external/bsd/bind/dist/bin/confgen/util.c: up to 1.5 external/bsd/bind/dist/bin/dig/dig.1: up to 1.11 external/bsd/bind/dist/bin/dig/dig.c: up to 1.11 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.17 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.12 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.12 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c: up to 1.12 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.17 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.16 external/bsd/bind/dist/bin/named/bind9.xsl: up to 1.1.1.8 external/bsd/bind/dist/bin/named/bind9.xsl.h: up to 1.9 external/bsd/bind/dist/bin/named/client.c: up to 1.15 external/bsd/bind/dist/bin/named/config.c: up to 1.12 external/bsd/bind/dist/bin/named/control.c: up to 1.10 external/bsd/bind/dist/bin/named/controlconf.c: up to 1.11 external/bsd/bind/dist/bin/named/include/named/lwdclient.h: up to 1.5 external/bsd/bind/dist/bin/named/include/named/main.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.10 external/bsd/bind/dist/bin/named/interfacemgr.c: up to 1.11 external/bsd/bind/dist/bin/named/logconf.c: up to 1.8 external/bsd/bind/dist/bin/named/lwdclient.c: up to 1.5 external/bsd/bind/dist/bin/named/lwresd.c: up to 1.7 external/bsd/bind/dist/bin/named/main.c: up to 1.19 external/bsd/bind/dist/bin/named/named.8: up to 1.8 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.9 external/bsd/bind/dist/bin/named/query.c: up to 1.21 external/bsd/bind/dist/bin/named/server.c: up to 1.20 external/bsd/bind/dist/bin/named/statschannel.c: up to 1.11 external/bsd/bind/dist/bin/named/update.c: up to 1.12 external/bsd/bind/dist/bin/named/win32/named.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/named.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/named.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/ntservice.c: up to 1.7 external/bsd/bind/dist/bin/named/win32/os.c: up to 1.9 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.7 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.14 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.10 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8ze-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0o-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0q-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1j-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1l-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.14 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/util.c: up to 1.5 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/adb_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/backtrace_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/byaddr_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/cfg_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/compress_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/db/t_db.c: up to 1.8 external/bsd/bind/dist/bin/tests/db_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/dst/dst_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/entropy2_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/entropy_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/fromhex.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/fsaccess_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/gxba_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/gxbn_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/inter_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/keyboard_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lex_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lfsr_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/log_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lwres_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lwresconf_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/makejournal.c: up to 1.4 external/bsd/bind/dist/bin/tests/master_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/name_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/names/t_names.c: up to 1.10 external/bsd/bind/dist/bin/tests/net/driver.c: up to 1.7 external/bsd/bind/dist/bin/tests/net/netaddr_multicast.c: up to 1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/pkcs11-hmacmd5.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/pkcs11-md5sum.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/printmsg.c: delete external/bsd/bind/dist/bin/tests/printmsg.h: delete external/bsd/bind/dist/bin/tests/ratelimiter_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/rbt/t_rbt.c: up to 1.8 external/bsd/bind/dist/bin/tests/rbt_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/serial_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/sig0_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/sock_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/sym_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/README: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/checkconf/good-class.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-caa-rr.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsap-empty.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-unspec.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-gc-msdcs.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-nsap.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/cleanall.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/ditch.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c: up to 1.4 external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds-update.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/ednscompliance/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ans4/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named3.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/root.hint: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/inline/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/inline/ns3/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/zone/inheritownerafterinclude.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/masterfile/zone/inheritownerafterinclude.good: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/masterfile/zone/nameservers.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/resolver/ns4/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/test1.example.net.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/test2.example.net.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard1: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard2a: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard2b: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard3: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rrsetorder/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/staticstub/ns2/named.conf.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/named.conf.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/undelegated.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statistics/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/ns1/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/ns1/zone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/fetch.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/server-json.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/server-xml.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/stress/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/views/ns2/1.10.in-addr.arpa.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/views/ns2/named2.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/zonechecks/bigserial.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zonechecks/ns1/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/task_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/tasks/t_tasks.c: up to 1.8 external/bsd/bind/dist/bin/tests/timer_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/wire_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/zone_test.c: up to 1.9 external/bsd/bind/dist/bin/tools/arpaname.c: up to 1.5 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.8 external/bsd/bind/dist/bin/tools/named-journalprint.c: up to 1.7 external/bsd/bind/dist/bin/tools/named-rrchecker.c: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.10 external/bsd/bind/dist/bin/win32/BINDInstall/VersionInfo.cpp: up to 1.1.1.2 external/bsd/bind/dist/config.h.in: up to 1.12 external/bsd/bind/dist/config.h.win32: up to 1.1.1.12 external/bsd/bind/dist/configure: up to 1.5 external/bsd/bind/dist/configure.in: up to 1.8 external/bsd/bind/dist/contrib/README: up to 1.1.1.3 external/bsd/bind/dist/contrib/scripts/dnssec-keyset.sh: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.14 external/bsd/bind/dist/doc/arm/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/html-fixup.pl: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/latex-fixup.pl: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.8 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/misc/rfc-compliance: up to 1.1.1.4 external/bsd/bind/dist/isc-config.sh.in: up to 1.1.1.6 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.17 external/bsd/bind/dist/lib/bind9/check.c: up to 1.13 external/bsd/bind/dist/lib/dns/adb.c: up to 1.12 external/bsd/bind/dist/lib/dns/api: up to 1.8 external/bsd/bind/dist/lib/dns/cache.c: up to 1.9 external/bsd/bind/dist/lib/dns/callbacks.c: up to 1.6 external/bsd/bind/dist/lib/dns/client.c: up to 1.11 external/bsd/bind/dist/lib/dns/diff.c: up to 1.10 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.11 external/bsd/bind/dist/lib/dns/dlz.c: up to 1.8 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.12 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.12 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.8 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.9 external/bsd/bind/dist/lib/dns/geoip.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/gssapi_link.c: up to 1.9 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.9 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/adb.h: up to 1.7 external/bsd/bind/dist/lib/dns/include/dns/log.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/name.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/resolver.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.7 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.4 external/bsd/bind/dist/lib/dns/include/dns/stats.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/update.h: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.17 external/bsd/bind/dist/lib/dns/include/dst/dst.h: up to 1.11 external/bsd/bind/dist/lib/dns/journal.c: up to 1.10 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.11 external/bsd/bind/dist/lib/dns/log.c: up to 1.9 external/bsd/bind/dist/lib/dns/master.c: up to 1.15 external/bsd/bind/dist/lib/dns/message.c: up to 1.18 external/bsd/bind/dist/lib/dns/name.c: up to 1.12 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.11 external/bsd/bind/dist/lib/dns/nsec.c: up to 1.10 external/bsd/bind/dist/lib/dns/nsec3.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/order.c: up to 1.5 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/private.c: up to 1.8 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.11 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.21 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.13 external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cert_37.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/loc_29.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3param_51.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/null_10.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.c: up to 1.1.1.3 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/proforma.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/unspec_103.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/uri_256.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/hs_4/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/aaaa_28.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/apl_42.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/in_1/dhcid_49.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.7 external/bsd/bind/dist/lib/dns/request.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.25 external/bsd/bind/dist/lib/dns/result.c: up to 1.7 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.10 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.10 external/bsd/bind/dist/lib/dns/rrl.c: up to 1.5 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.10 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.9 external/bsd/bind/dist/lib/dns/tcpmsg.c: up to 1.5 external/bsd/bind/dist/lib/dns/tests/geoip_test.c: up to 1.4 external/bsd/bind/dist/lib/dns/tests/gost_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/tests/master_test.c: up to 1.7 external/bsd/bind/dist/lib/dns/tests/rbt_serialize_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rbt_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rdatasetstats_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.10 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.9 external/bsd/bind/dist/lib/dns/update.c: up to 1.5 external/bsd/bind/dist/lib/dns/view.c: up to 1.11 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.12 external/bsd/bind/dist/lib/dns/zone.c: up to 1.15 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.9 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.8 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isc/app_api.c: up to 1.8 external/bsd/bind/dist/lib/isc/assertions.c: up to 1.7 external/bsd/bind/dist/lib/isc/backtrace.c: up to 1.8 external/bsd/bind/dist/lib/isc/commandline.c: up to 1.6 external/bsd/bind/dist/lib/isc/entropy.c: up to 1.6 external/bsd/bind/dist/lib/isc/error.c: up to 1.5 external/bsd/bind/dist/lib/isc/heap.c: up to 1.8 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.9 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.10 external/bsd/bind/dist/lib/isc/httpd.c: up to 1.9 external/bsd/bind/dist/lib/isc/include/isc/app.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/isc/json.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/isc/mem.h: up to 1.14 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/include/isc/print.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/safe.h: up to 1.4 external/bsd/bind/dist/lib/isc/include/isc/util.h: up to 1.11 external/bsd/bind/dist/lib/isc/lex.c: up to 1.7 external/bsd/bind/dist/lib/isc/lib.c: up to 1.8 external/bsd/bind/dist/lib/isc/mem.c: up to 1.13 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.7 external/bsd/bind/dist/lib/isc/nothreads/include/isc/mutex.h: up to 1.5 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pool.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/print.c: up to 1.6 external/bsd/bind/dist/lib/isc/pthreads/mutex.c: up to 1.7 external/bsd/bind/dist/lib/isc/regex.c: up to 1.4 external/bsd/bind/dist/lib/isc/rwlock.c: up to 1.9 external/bsd/bind/dist/lib/isc/safe.c: up to 1.4 external/bsd/bind/dist/lib/isc/socket_api.c: up to 1.11 external/bsd/bind/dist/lib/isc/stats.c: up to 1.6 external/bsd/bind/dist/lib/isc/task.c: up to 1.12 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/tests/mem_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/tests/regex_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/tests/safe_test.c: up to 1.4 external/bsd/bind/dist/lib/isc/tests/socket_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/timer.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/app.c: up to 1.14 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.10 external/bsd/bind/dist/lib/isc/unix/ifiter_ioctl.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/ifiter_sysctl.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.9 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.18 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/libisc.def.exclude: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/net.c: up to 1.9 external/bsd/bind/dist/lib/isc/win32/win32os.c: up to 1.7 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isccc/alist.c: up to 1.5 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.11 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.10 external/bsd/bind/dist/lib/isccc/sexpr.c: up to 1.6 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.17 external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.6 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.8 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.14 external/bsd/bind/dist/lib/lwres/herror.c: up to 1.7 external/bsd/bind/dist/lib/lwres/print.c: up to 1.7 external/bsd/bind/dist/lib/lwres/win32/socket.c: up to 1.5 external/bsd/bind/dist/lib/samples/nsprobe.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-async.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-gai.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.6 external/bsd/bind/dist/srcid: up to 1.14 external/bsd/bind/dist/version: up to 1.18 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.5 external/bsd/bind/dist/win32utils/index.html: up to 1.1.1.7 external/bsd/bind/dist/win32utils/legacy/BuildSetup.bat.in: up to 1.1.1.5 external/bsd/bind/include/config.h: up to 1.18 external/bsd/bind/include/dns/enumclass.h: up to 1.8 external/bsd/bind/include/dns/enumtype.h: up to 1.11 external/bsd/bind/include/dns/rdatastruct.h: up to 1.11 external/bsd/bind/include/isc/platform.h: up to 1.21 external/bsd/bind/include/lwres/platform.h: up to 1.7 external/bsd/bind/lib/libbind9/shlib_version: up to 1.16 external/bsd/bind/lib/libdns/shlib_version: up to 1.18 external/bsd/bind/lib/libirs/shlib_version: up to 1.5 external/bsd/bind/lib/libisc/shlib_version: up to 1.18 external/bsd/bind/lib/libisccc/shlib_version: up to 1.16 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.16 external/bsd/bind/lib/liblwres/shlib_version: up to 1.16 Update BIND to 9.10.3-P4. @ text @d17 1 a17 1 d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d442 1 a442 1 for details on how they interpret its use. d461 1 a461 1defaultd790 1 a790 1 masters or d1164 2 a1165 2 algorithmalgorithm_id; secretsecret_string; d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2275 1 a2275 1ip_addr[portip_port] [dscpip_dscp]) ; d2323 1 a2323 1 [ address (ip6_addr|*) ] d2333 1 a2335 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2418 2 d2734 1 a2734 1 and dnssec-validation for details. d2987 1 a2987 1 IPv4 addresses are to be mapped in the corresponding d3120 1 a3120 1 As of BIND 9.10, d3530 1 a3530 1 NSID (Name Server Identifier) option is sent with all d3744 1 a3744 1 and if the response does not include DNSSEC signatures, d3756 2 a3757 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3829 2 a3830 5 This indicates whether DNSSEC-related resource records are to be returned by named. If set tono, named will not return DNSSEC-related resource records unless specifically queried for. d3834 1 a3834 2d4076 1 a4076 1 Forwarding d4120 1 a4120 1 Dual-stack Servers d4388 1 a4388 1 Interfaces d4547 1 a4547 1 the use-queryport-pool d4684 1 a4684 1 queries are issued at, d4855 1 a4855 1 UDP Port Lists d4897 1 a4897 1 Operating System Resource Limits d4990 4 a4993 5 d3847 1 a3847 11
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
a5007 174 The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4996 2 a4997 2 bit of memory (on the order of 20 kilobytes), the value of the d4999 3 a5001 20 have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.clients-per-query, max-clients-per-query These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
fetches-per-zone The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
fetches-per-server The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
fetch-quota-params d5036 1 a5036 1 Any positive values less than 2MB will be ignored d5051 1 a5051 1 be used; on most platforms this sets the listen queue d5058 1 a5058 1 Periodic Task Intervals d5652 34 d6100 1 a6100 1 Content Filtering d6223 1 a6223 1 Response Policy Zone (RPZ) Rewriting d6265 1 a6265 1 Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
prefixlength.B4.B3.B2.B1.rpz-client-ip. d6274 1 a6274 1prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip. d6276 3 a6278 5 representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IP6.ARPA. (Note that this representation of IPv6 address is different from IP6.ARPA where each hex digit occupies a label.) d6283 1 a6283 1 The IPv6 prefix length must be between 1 and 128. d6594 1 a6594 1 Response Rate Limiting d6829 1 a6829 1 [ keys {key_id}; ] d6990 5 a6994 1 Only a single key per server is currently supported. d7035 1 a7035 1 option level. d7059 1 a7059 1 statistics-channels Statement Definition and d7116 2 a7117 2 included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into d7123 1 a7123 1 can request d7125 1 a7125 1 of the statistics XML schema or d7175 1 a7175 1 trusted-keys Statement Definition d7215 1 a7215 1 managed-keys Statement Grammar d7227 1 a7227 1 The managed-keys statement, like d7273 1 a7273 1named.conf, an initializing key listed d7353 1 a7353 1 view Statement Definition and Usage d7644 1 a7644 1 [ server-names { [namelist] }; ] d7675 1 a7675 1 zone Statement Definition and Usage d7678 1 a7678 1 Zone Types d7849 1 a7849 1 glue A or AAAA RRs d7933 1 a7933 1 that point to the desired addresses: d7941 1 a7941 1 "*.ES." instead of "*.". To redirect all d7996 1 a7996 1 Class d8018 1 a8018 1 Zone Options d8451 1 a8451 1 active. d8482 1 a8482 1 When set to d8779 1 a8779 1 and converts it machine.realm allowing the machine d8794 1 a8794 1 This rule takes a Windows machine principal d8813 1 a8813 1 and converts it machine.realm allowing the machine d8828 1 a8828 1 This rule takes a Kerberos machine principal d8940 1 a8940 1 Multiple views a8982 7 Zone level acls (e.g. allow-query, allow-transfer) and other configuration details of the zone are all set in the view the referenced zone is defined in. Care need to be taken to ensure that acls are wide enough for all views referencing the zone.a8985 4
An in-view zone is not intended to reference a forward zone.
d8991 1 a8991 1 Zone File d9004 1 a9004 1 Resource Records a9172 52 ATMAATM Address.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a9211 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a9255 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a9280 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a9334 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a9347 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a9374 26 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NIMLOC
Nimrod Locator.
a9387 12 NSAP-PTR
Historical.
a9451 12 NULL
This is an opaque container.
a9470 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a9604 13 TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9616 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d1564 7 a1570 4 d9741 1 a9741 1 Textual expression of RRs d9944 1 a9944 1 Discussion of MX Records d10199 1 a10199 1 Inverse Mapping in IPv4 d10260 1 a10260 1 Other Zone File Directives d10275 1 a10275 1 The @@ (at-sign) d10279 1 a10279 1 At the start of the zone file, it is the d10286 1 a10286 1 The $ORIGIN Directive d10315 1 a10315 1 The $INCLUDE Directive d10351 1 a10351 1 The $TTL Directive d10370 1 a10370 1 BIND Master File Extension: the $GENERATE Directive d10567 1 a10567 1 other formats. d10587 1 a10587 1 file by the named-compilezone command. d10609 1 a10609 1 While
rawformat uses d10813 1 a10813 1 Name Server Statistics Counters d11409 1 a11409 1 Zone Maintenance Statistics Counters d11563 1 a11563 1 Resolver Statistics Counters d11946 1 a11946 1 Socket I/O Statistics Counters d12101 1 a12101 1 Compatibility with BIND 8 Counters d12153 1 a12153 1BIND 9.10.3-P4
@ 1.1.1.15.2.6.2.1 log @Sync with netbsd-5 @ text @d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2d519 1 a519 1 the listen-on and sortlist d523 5 a527 5
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 1
- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d97 7 a103 12- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d513 1 a513 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d324 4 a327 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d435 1 a435 1 (such as max-journal-size) may d501 1 a501 1 d607 1 a607 1 d623 1 a623 1 d697 1 a697 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d530 2 a531 2
- the name of an address match list defined with the acl statement d533 1 a533 1
- a nested address match list enclosed in braces
d557 2 a558 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d564 12 a575 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d588 1 a588 1 1.2.3/24; ! 1.2.3.13; d591 1 a591 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d597 1 a597 1d713 2 a714 2d719 1 a719 1 acl
d730 1 a730 1controls
d735 1 a735 1 by the rndc utility. d741 1 a741 1include
d751 1 a751 1key
d762 1 a762 1logging
d773 1 a773 1lwres
d777 2 a778 2 configures named to also act as a light-weight resolver daemon (lwresd). d784 1 a784 1masters
d790 2 a791 2 masters or also-notify lists. d797 1 a797 1options
d808 1 a808 1server
d819 1 a819 1statistics-channels
d824 1 a824 1 named statistics. d830 1 a830 1trusted-keys
d840 1 a840 1managed-keys
d851 1 a851 1view
d861 1 a861 1zone
d872 2 a873 2 The logging and options statements may only occur once d877 1 a877 1acl acl-name { d885 1 a885 1d887 1 a887 1 acl Statement Definition and d890 1 a890 1 The acl statement assigns a symbolic d899 2 a900 2d905 1 a905 1 any
d915 1 a915 1none
d925 1 a925 1localhost
d931 1 a931 1 added or removed, the localhost d938 1 a938 1localnets
d945 1 a945 1 the localnets d950 1 a950 1 In such a case, localnets d952 1 a952 1 IPv6 addresses, just like localhost. d962 1 a962 1 geoip [dbdatabase]fieldvalued1016 1 a1016 1controls { d1030 1 a1030 1d1032 1 a1032 1 controls Statement Definition and d1035 1 a1035 1 The controls statement declares control d1038 1 a1038 1 used by the rndc utility to send d1042 4 a1045 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d1049 2 a1050 2 use an ip_addr of::. If you will only use rndc on the local host, d1056 1 a1056 1 "*" cannot be used for ip_port. d1060 2 a1061 2 restricted by the allow and keys clauses. d1063 3 a1065 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1069 1 a1069 1 A unix control channel is a UNIX domain d1071 2 a1072 2 Access to the socket is specified by the perm, owner and group clauses. d1074 1 a1074 1 (perm) are applied to the parent directory d1079 3 a1081 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1083 2 a1084 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1087 2 a1088 2 If no controls statement is present, named will set up a default d1091 3 a1093 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1104 1 a1104 1 messages and thus did not have a keys clause. d1108 2 a1109 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1125 1 a1125 1 named is running as) can access it. d1128 1 a1128 1 rndc commands, then you need to create d1136 2 a1137 2 controls statement: controls { };. d1140 1 a1140 1included1145 1 a1145 1 d1150 3 a1152 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1160 1 a1160 1filename;keykey_id{ d1169 1 a1169 1 d1173 2 a1174 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1176 2 a1177 1 (see the section called “controls Statement Definition and d1181 1 a1181 1 The key statement can occur at the d1183 2 a1184 2 of the configuration file or inside a view statement. Keys defined in top-level key d1186 3 a1188 2 a controls statement (see the section called “controls Statement Definition and d1195 1 a1195 1 be used in a server d1216 1 a1216 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1229 3 a1231 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1233 1 a1233 1 [ categorycategory_name{ d1240 1 a1240 1 d1245 1 a1245 1 The logging statement configures a d1247 1 a1247 1 variety of logging options for the name server. Its channel phrase d1249 1 a1249 1 a name that can then be used with the category phrase d1253 1 a1253 1 Only one logging statement is used to d1255 1 a1255 1 as many channels and categories as are wanted. If there is no logging statement, d1267 1 a1267 1 established as soon as the logging d1274 1 a1274 1 d1287 2 a1288 2 info), and whether to include a named-generated time stamp, the d1293 1 a1293 1 The null destination clause d1298 1 a1298 1 The file destination clause directs d1306 1 a1306 1 If you use the versions log file d1308 1 a1308 1 named will retain that many backup d1318 1 a1318 1 You can say versions unlimited to d1321 1 a1321 1 If a size option is associated with d1329 1 a1329 1 The size option for files is used d1331 2 a1332 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1336 1 a1336 1 versions option, no more data will d1345 2 a1346 2 Example usage of the size and versions options: d1355 1 a1355 1 The syslog destination clause d1358 9 a1366 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1369 1 a1369 1 How syslog will handle messages d1371 3 a1373 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1380 1 a1380 1 The severity clause works like syslog's d1382 1 a1382 1 straight to a file rather than using syslog. d1389 1 a1389 1 If you are using syslog, then the syslog.conf priorities d1391 7 a1397 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1401 1 a1401 1 The stderr destination clause d1414 1 a1414 1 level is set either by starting the named server d1416 1 a1416 1 or by running rndc trace. d1418 1 a1418 1 can be set to zero, and debugging mode turned off, by running rndc d1431 1 a1431 1 level. Channels with dynamic d1436 1 a1436 1 If print-time has been turned on, d1438 2 a1439 2 the date and time will be logged. print-time may be specified for a syslog channel, d1441 1 a1441 1 pointless since syslog also logs d1443 1 a1443 1 time. If print-category is d1445 2 a1446 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1450 1 a1450 1 three print- options d1458 1 a1458 1 named's default logging as follows. d1460 1 a1460 1 used is described in the section called “The category Phrase”. d1490 1 a1490 1 The default_debug channel has the d1500 1 a1500 1 is created only after named has d1502 1 a1502 1 new UID, and any debug output generated while named is d1514 1 a1514 1 d1522 1 a1522 1 in that category will be sent to the default category d1543 1 a1543 1 To discard all messages in a category, specify the null channel: d1555 2 a1556 2d1561 2 a1562 2 client
Processing of client requests.
d1574 2 a1575 2cname
d1577 5 a1581 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1585 2 a1586 2config
d1588 6 a1593 4Configuration file parsing and processing.
d1597 2 a1598 2database
d1600 4 a1603 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1607 2 a1608 2default
d1610 4 a1613 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1617 2 a1618 2delegation-only
d1620 6 a1625 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1629 2 a1630 2dispatch
d1632 4 a1635 5Dispatching of incoming packets to the server modules where they are to be processed.
d1639 2 a1640 2dnssec
d1642 4 a1645 4DNSSEC and TSIG protocol processing.
d1649 2 a1650 2edns-disabled
d1652 4 a1655 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1659 2 a1660 2general
d1662 4 a1665 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1669 2 a1670 2lame-servers
d1672 9 a1680 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1684 2 a1685 2network
d1687 4 a1690 4Network operations.
d1694 2 a1695 2notify
d1697 4 a1700 4The NOTIFY protocol.
d1704 2 a1705 2queries
d1707 4 a1710 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1714 2 a1715 2query-errors
d1717 35 a1751 5Information about queries that resulted in some failure.
d1755 2 a1756 2rate-limit
d1758 5 a1762 20The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1766 2 a1767 2resolver
d1769 5 a1773 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1777 2 a1778 2rpz
d1780 4 a1783 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1787 2 a1788 2security
d1790 6 a1795 4Approval and denial of requests.
d1799 2 a1800 2spill
d1802 8 a1809 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1813 2 a1814 2unmatched
d1816 28 a1843 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1847 2 a1848 2update
d1850 7 a1856 4Dynamic updates.
d1860 2 a1861 2update-security
d1863 20 a1882 4Approval and denial of update requests.
d1886 2 a1887 2xfer-in
d1889 5 a1893 14Zone transfers the server is receiving.
xfer-out
d1898 1 a1898 1 d1902 1 a1902 1 The query-errors category is d1907 1 a1907 1 with debug levels. d1970 2 a1971 2 Zone transfers the server is sending.
d2126 1 a2126 1 d2130 1 a2130 1 This is the grammar of the lwres d2133 1 a2133 1 lwres { d2142 1 a2142 1 d2146 1 a2146 1 The lwres statement configures the d2149 2 a2150 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2154 1 a2154 1 The listen-on statement specifies a d2165 1 a2165 1 The view statement binds this d2176 1 a2176 1 The search statement is equivalent to d2178 1 a2178 1 search statement in d2184 1 a2184 1 The ndots statement is equivalent to d2186 1 a2186 1 ndots statement in d2193 1 a2193 1 d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2201 1 a2201 1d2203 1 a2203 1 masters Statement Definition and d2205 1 a2205 1d2215 1 a2215 1 This is the grammar of the options d2218 1 a2218 1masters d2207 2 a2208 2 multiple stub and slave zones in their masters or also-notify lists. d2211 1 a2211 1
options { a2258 2 [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] a2263 1 [ auto-dnssecallow|maintain|off; ] d2340 1 a2340 1 [ fetches-per-zonenumber[(drop | fail)]; ] d2357 3 a2359 2 [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr[portip_port] ) [keykeyname] ; ... }; ] d2376 1 a2376 2 [ max-zone-ttl (unlimited|number; ] [ serial-update-methodincrement|unixtime|date; ] d2404 1 a2404 1 [ suffixIPv6-address; ] a2466 1 [ automatic-interface-scanyes_or_no] d2471 1 a2471 1d2473 1 a2473 1 options Statement Definition and d2476 1 a2476 1 The options statement sets up global d2480 1 a2480 1 once in a configuration file. If there is no options d2484 2 a2485 2d4145 2 a4146 2
- attach-cache
d2497 2 a2498 2 The attach-cache option may also be specified in view d2500 1 a2500 1 global attach-cache option. d2505 1 a2505 1 When the named server configures d2516 1 a2516 1 the attach-cache as a global d2525 1 a2525 1 attach-cache option as a view A (or d2548 8 a2555 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2570 1 a2570 1- directory
d2585 1 a2585 1- geoip-directory
d2592 2 a2593 1 (For details, see the section called “acl Statement Definition and d2595 1 a2595 1 geoip ACL.) d2597 1 a2597 1- key-directory
d2608 1 a2608 1- managed-keys-directory
d2616 1 a2616 1 If named is not configured to use views, d2625 1 a2625 1- named-xfer
d2629 1 a2629 1 the pathname to the named-xfer d2631 1 a2631 1 named-xfer program is needed; d2634 1 a2634 1- tkey-gssapi-keytab
d2641 1 a2641 1- tkey-gssapi-credential
d2652 1 a2652 1 To use GSS-TSIG, tkey-domain must d2656 1 a2656 1- tkey-domain
d2659 2 a2660 2 generated with TKEY. When a client requests a TKEY exchange, d2667 1 a2667 1 In most cases, the domainname d2674 1 a2674 1- tkey-dhkey
d2679 1 a2679 1 of TKEY. The server must be d2685 1 a2685 1- cache-file
d2689 1 a2689 1- dump-file
d2693 1 a2693 1 rndc dumpdb. d2696 1 a2696 1- memstatistics-file
d2702 1 a2702 1- pid-file
d2709 1 a2709 1 name server. Specifying pid-file none disables the d2711 1 a2711 1 existing one will be removed. Note that none d2716 1 a2716 1- recursing-file
d2720 1 a2720 1 to do so with rndc recursing. d2723 1 a2723 1- statistics-file
d2726 1 a2726 1 to when instructed to do so using rndc stats. d2730 1 a2730 1 in the section called “The Statistics File”. d2732 1 a2732 1- bindkeys-file
d2735 3 a2737 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2741 1 a2741 1- secroots-file
d2745 1 a2745 1 rndc secroots. d2749 1 a2749 1- session-keyfile
d2752 2 a2753 2 session key generated by named for use by nsupdate -l. If not specified, the d2755 1 a2755 1 (See the section called “Dynamic Update Policies”, and in d2757 1 a2757 1 update-policy statement's d2761 1 a2761 1- session-keyname
d2766 1 a2766 1- session-keyalg
d2773 1 a2773 1- port
d2783 1 a2783 1- dscp
d2790 1 a2790 1- random-device
d2804 1 a2804 1 random-device option takes d2809 1 a2809 1- preferred-glue
d2814 1 a2814 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2817 1 a2817 1 root-delegation-only d2863 1 a2863 1- disable-algorithms
d2868 1 a2868 1 Multiple disable-algorithms d2870 1 a2870 1 Only the best match disable-algorithms d2875 1 a2875 1 by the disable-algorithms will be treated d2879 1 a2879 1- disable-ds-digests
d2884 1 a2884 1 Multiple disable-ds-digests d2886 1 a2886 1 Only the best match disable-ds-digests d2891 1 a2891 1 by the disable-ds-digests will be treated d2895 1 a2895 1- dnssec-lookaside
d2898 1 a2898 1 When set, dnssec-lookaside provides the d2902 1 a2902 1 dnssec-lookaside, and the normal DNSSEC d2910 1 a2910 1 If dnssec-lookaside is set to d2916 1 a2916 1 If dnssec-lookaside is set to d2923 2 a2924 2 named will load that key at startup if dnssec-lookaside is set to d2929 1 a2929 1 from https://www.isc.org/solutions/dlv/. d2934 2 a2935 2 named. Relying on this is not recommended, however, as it requires named d2939 1 a2939 1 NOTE: named only loads certain specific d2945 1 a2945 1- dnssec-must-be-secure
d2949 1 a2949 1 then named will only accept answers if d2953 3 a2955 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2957 1 a2957 1- dns64
d2960 1 a2960 1 This directive instructs named to d2964 1 a2964 1 dns64 defines one DNS64 prefix. d2975 2 a2976 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2982 2 a2983 2 Each dns64 supports an optional clients ACL that determines which d2988 2 a2989 2 Each dns64 supports an optional mapped ACL that selects which d2998 1 a2998 1 exclude ACL allows specification d3002 1 a3002 1 name owns. If not defined, exclude d3006 1 a3006 1 A optional suffix can also d3014 2 a3015 2 If recursive-only is set to yes the DNS64 synthesis will d3017 1 a3017 1 is no. d3020 2 a3021 2 If break-dnssec is set to yes the DNS64 synthesis will d3024 1 a3024 1 is set to no (the default), the DO d3039 1 a3039 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d3046 2 a3047 2 the section called “Dynamic Update Policies”), and if named has access to the d3049 1 a3049 1 named will automatically sign all new d3056 1 a3056 1 then named will sign all new or d3061 1 a3061 1 With either of these settings, named d3064 1 a3064 1 named. (A planned third option, d3070 1 a3070 1- max-zone-ttl
a3093 27The default value is
unlimited. Amax-zone-ttlof zero is treated asunlimited.- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
d3095 1 a3095 1- zone-statistics
d3101 3 a3103 3 zone-statistics terse or zone-statistics none in the zone statement). d3111 2 a3112 2 statistics-channel or using rndc stats, which d3114 2 a3115 2 in the statistics-file. See also the section called “The Statistics File”. d3119 1 a3119 1 of BIND 9, the zone-statistics d3130 1 a3130 1d3133 2 a3134 2d4104 2 a4105 2
- automatic-interface-scan
d3144 1 a3144 1 automatic-interface-scan to be d3148 1 a3148 1- allow-new-zones
d3151 2 a3152 2 added at runtime via rndc addzone or deleted via rndc delzone. d3155 1 a3155 1- auth-nxdomain
d3157 1 a3157 1 Ifyes, then the AA bit d3166 1 a3166 1- deallocate-on-exit
d3173 1 a3173 1- memstatistics
d3176 1 a3176 1 memstatistics-file at exit. d3181 1 a3181 1- dialup
d3193 1 a3193 1 happens in a short interval, once every heartbeat-interval and d3199 4 a3202 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3215 1 a3215 1 notify and also-notify. d3223 1 a3223 1 heartbeat-interval expires in d3236 1 a3236 1 when the heartbeat-interval d3244 4 a3247 4d3274 1 a3274 1 no (default)
d3294 1 a3294 1yes
d3314 1 a3314 1notify
d3334 1 a3334 1refresh
d3354 1 a3354 1passive
d3374 1 a3374 1notify-passive
d3396 1 a3396 1 dialup. d3399 1 a3399 1- fake-iquery
d3406 1 a3406 1- fetch-glue
d3417 1 a3417 1- flush-zones-on-shutdown
d3422 1 a3422 1 flush-zones-on-shutdownno. d3424 1 a3424 1- has-old-clients
d3430 3 a3432 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3434 1 a3434 1- host-statistics
d3441 1 a3441 1- maintain-ixfr-base
d3449 1 a3449 1 transfers, use provide-ixfrno. d3451 1 a3451 1- minimal-responses
d3460 1 a3460 1- multiple-cnames
d3468 1 a3468 1- notify
d3474 1 a3474 1 changes, see the section called “Notify”. The messages are d3479 1 a3479 1 also-notify option. d3487 1 a3487 1 servers explicitly listed using also-notify. d3491 2 a3492 2 The notify option may also be specified in the zone d3494 1 a3494 1 in which case it overrides the options notify statement. d3500 1 a3500 1- notify-to-soa
d3511 1 a3511 1- recursion
d3522 1 a3522 1 Note that setting recursion no does not prevent d3528 1 d3530 1 a3530 1- request-nsid
d3537 2 a3538 2 the resolver category at level info. d3541 1 a3541 1- request-sit
d3557 1 a3557 1 the nosit-udp-size option. d3559 1 a3559 10- nosit-udp-size
Sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. A value below 128 will be silently raised to 128. The default value is 4096, but the max-udp-size option may further limit the response size.
- sit-secret
d3569 1 a3569 1- rfc2308-type1
d3585 1 a3585 1- use-id-pool
d3591 1 a3591 1- use-ixfr
d3596 3 a3598 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3601 1 a3601 1 the section called “Incremental Zone Transfers (IXFR)”. d3603 1 a3603 1- provide-ixfr
d3606 3 a3608 2 provide-ixfr in the section called “server Statement Definition and d3611 1 a3611 1- request-ixfr
d3614 3 a3616 2 request-ixfr in the section called “server Statement Definition and d3619 1 a3619 1- treat-cr-as-space
d3623 1 a3623 1 the server treat carriage return ("\r") characters the same way d3627 2 a3628 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3633 1 a3633 1 additional-from-auth, additional-from-cache d3668 1 a3668 1 Setting these options to no d3676 1 a3676 1 them to no without also d3678 1 a3678 1 recursion no will cause the d3683 1 a3683 1 Specifying additional-from-cache no actually d3703 1 a3703 1 referrals when additional-from-cache no d3711 1 a3711 1- match-mapped-addresses
d3724 1 a3724 1 named now solves this problem d3728 1 a3728 1- filter-aaaa-on-v4
d3739 3 a3741 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3746 1 a3746 1 the DNS client is at an IPv4 address, in filter-aaaa, d3779 1 a3779 1- filter-aaaa-on-v6
d3781 1 a3781 1 Identical to filter-aaaa-on-v4, d3786 1 a3786 1- ixfr-from-differences
d3810 3 a3812 3ixfr-from-differences also accepts master and slave at the view and options d3814 3 a3816 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3820 1 a3820 1
- multi-master
d3824 1 a3824 1 addresses refer to different machines. Ifyes, named will d3826 1 a3826 1 when the serial number on the master is less than what named d3830 1 a3830 41- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
d3833 1 a3833 1 records are to be returned by named. d3835 1 a3835 1 named will not return DNSSEC-related d3839 1 a3839 1- dnssec-validation
d3842 2 a3843 2 Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3851 2 a3852 2 a trusted-keys or managed-keys statement. The default d3861 1 a3861 1 dnssec-validation is off. d3865 1 a3865 1- dnssec-accept-expired
d3870 1 a3870 1 leaves named vulnerable to d3873 1 a3873 1- querylog
d3875 1 a3875 1 Specify whether query logging should be started when named d3877 1 a3877 1 If querylog is not specified, d3879 1 a3879 1 is determined by the presence of the logging category queries. d3881 1 a3881 1- check-names
d3890 5 a3894 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3900 1 a3900 1check-names d3909 1 a3909 1
- check-dup-records
d3913 3 a3915 3 default is to warn. Other possible values are fail and ignore. d3917 1 a3917 1- check-mx
d3920 3 a3922 3 The default is to warn. Other possible values are fail and ignore. d3924 1 a3924 1- check-wildcard
d3931 1 a3931 1 affects master zones. The default (yes) is to check d3934 1 a3934 1- check-integrity
d3943 1 a3943 1 named-checkzone). d3946 2 a3947 2 checks use named-checkzone). The default is yes. d3957 1 a3957 1 check-spf. d3960 1 a3960 1- check-mx-cname
d3962 1 a3962 1 If check-integrity is set then d3964 1 a3964 1 to CNAMES. The default is to warn. d3966 1 a3966 1- check-srv-cname
d3968 1 a3968 1 If check-integrity is set then d3970 1 a3970 1 to CNAMES. The default is to warn. d3972 1 a3972 1- check-sibling
d3975 1 a3975 1 sibling glue exists. The default is yes. d3977 1 a3977 1- check-spf
d3979 1 a3979 1 If check-integrity is set then d3983 1 a3983 1 warn. d3985 1 a3985 1- zero-no-soa-ttl
d3990 1 a3990 1 The default is yes. d3992 1 a3992 1- zero-no-soa-ttl-cache
d3996 1 a3996 1 The default is no. d3998 1 a3998 1- update-check-ksk
d4013 1 a4013 1 similar to the dnssec-signzone -z d4025 1 a4025 1- dnssec-dnskey-kskonly
d4028 1 a4028 1 When this option and update-check-ksk d4035 1 a4035 1 dnssec-signzone -x command line option. d4038 2 a4039 2 The default is no. If update-check-ksk is set to d4043 16 a4058 1- try-tcp-refresh
d4062 1 a4062 1 yes. d4064 1 a4064 1- dnssec-secure-to-insecure
d4069 2 a4070 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d4083 1 a4083 1 auto-dnssec maintain and the d4086 1 a4086 1 next time named is started. d4091 1 a4091 1
- forward
d4117 1 a4117 1- forwarders
d4129 3 a4131 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d4135 1 a4135 1d4918 2 a4919 2 example, 1G can be used instead of 1073741824 to specify a limit of d4921 1 a4921 1 gigabyte. unlimited requests d4923 1 a4923 1 maximum available amount. default d4926 1 a4926 1 of size_spec in the section called “Configuration File Elements”. d4936 2 a4937 2
- dual-stack-servers
d4153 1 a4153 1 stacked, then the dual-stack-servers have no effect unless d4155 1 a4155 1 (e.g. named -4). d4159 1 a4159 1d4164 1 a4164 1 of the requesting system. See the section called “Address Match Lists” for d4167 2 a4168 2d4408 1 a4408 1 from may be specified using the listen-on option. listen-on takes d4416 1 a4416 1 Multiple listen-on statements are d4429 1 a4429 1 If no listen-on is specified, the d4433 1 a4433 1 The listen-on-v6 option is used to d4444 1 a4444 1 listen-on-v6 option, d4459 1 a4459 1 IPv4 addresses specified in listen-on-v6 d4463 1 a4463 1 Multiple listen-on-v6 options can d4482 1 a4482 1
- allow-notify
d4173 1 a4173 1 allow-notify may also be d4175 1 a4175 1 zone statement, in which case d4177 1 a4177 1 options allow-notify d4183 1 a4183 1- allow-query
d4187 2 a4188 2 DNS questions. allow-query may also be specified in the zone d4190 1 a4190 1 options allow-query statement. d4197 1 a4197 1 allow-query-cache is now d4202 1 a4202 1- allow-query-on
d4212 1 a4212 1 Note that allow-query-on is only d4214 1 a4214 1 allow-query. A query must be d4218 2 a4219 2 allow-query-on may also be specified in the zone d4221 1 a4221 1 options allow-query-on statement. d4230 1 a4230 1 allow-query-cache is d4235 1 a4235 1- allow-query-cache
d4238 7 a4244 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4246 1 a4246 1- allow-query-cache-on
d4251 2 a4252 2 localnets and localhost. d4254 1 a4254 1- allow-recursion
d4258 3 a4260 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4262 2 a4263 2 (localnets; localhost;) is used. d4265 1 a4265 1- allow-recursion-on
d4271 1 a4271 1- allow-update
d4278 1 a4278 1 the section called “Dynamic Update Security” for details. d4280 1 a4280 1- allow-update-forwarding
d4304 1 a4304 1 access control to attacks; see the section called “Dynamic Update Security” d4308 1 a4308 1- allow-v6-synthesis
d4318 1 a4318 1- allow-transfer
d4321 2 a4322 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4324 1 a4324 1 case it overrides the options allow-transfer statement. d4328 1 a4328 1- blackhole
d4336 1 a4336 1- filter-aaaa
d4339 1 a4339 1 filter-aaaa-on-v4 d4342 1 a4342 1- no-case-compress
d4347 1 a4347 1 used when named needs to work with d4354 1 a4354 1 none: case-insensitive compression d4378 1 a4378 1 There are circumstances in which named d4393 1 a4393 1- resolver-query-timeout
d4403 1 a4403 1d4487 1 a4487 1 query other name servers. query-source specifies d4489 3 a4491 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4495 1 a4495 1 If port is * or is omitted, d4499 2 a4500 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4502 2 a4503 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4506 2 a4507 2 The defaults of the query-source and query-source-v6 options d4514 3 a4516 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4520 1 a4520 1 named will use the corresponding system d4533 2 a4534 2 changed while named is running; the new range will automatically be applied when named d4537 2 a4538 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4544 1 a4544 1 where named runs may prohibit the use d4546 1 a4546 1 named running without a root privilege d4555 2 a4556 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4564 1 a4564 1 the use-queryport-pool d4570 2 a4571 2 query-source or query-source-v6 options; d4574 2 a4575 2d4874 4 a4877 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4880 1 a4880 1 See the section called “Query Address” about how the d4890 1 a4890 1 from named will be in one d4895 3 a4897 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4905 3 a4907 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4912 1 a4912 1
- use-queryport-pool
d4579 1 a4579 1- queryport-pool-ports
d4583 1 a4583 1- queryport-pool-updateinterval
d4591 1 a4591 1 The address specified in the query-source option d4607 2 a4608 2 See also transfer-source and notify-source. d4612 1 a4612 1d4621 2 a4622 2d4824 1 a4824 1
- also-notify
d4633 1 a4633 1 also-notify address to send d4640 1 a4640 1 masters lists can be used. d4643 2 a4644 2 If an also-notify list is given in a zone statement, d4646 2 a4647 2 the options also-notify statement. When a zone notify d4649 2 a4650 2 is set to no, the IP addresses in the global also-notify list will d4656 1 a4656 1- max-transfer-time-in
d4663 1 a4663 1- max-transfer-idle-in
d4670 1 a4670 1- max-transfer-time-out
d4677 1 a4677 1- max-transfer-idle-out
d4684 1 a4684 1- serial-query-rate
d4693 1 a4693 1 serial-query-rate option, an d4702 1 a4702 1 serial-query-rate also controls d4707 1 a4707 1- serial-queries
d4709 1 a4709 1 In BIND 8, the serial-queries d4714 1 a4714 1 serial queries and ignores the serial-queries option. d4716 1 a4716 1 as defined using the serial-query-rate option. d4718 1 a4718 1- transfer-format
d4721 3 a4723 3 one-answer and many-answers. The transfer-format option is used d4725 1 a4725 1 one-answer uses one DNS message per d4727 1 a4727 1 many-answers packs as many resource d4729 1 a4729 1 many-answers is more efficient, but is d4733 1 a4733 1 The many-answers format is also supported by d4735 3 a4737 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4740 1 a4740 1- transfers-in
d4744 1 a4744 1 Increasing transfers-in may d4749 1 a4749 1- transfers-out
d4756 1 a4756 1- transfers-per-ns
d4762 1 a4762 1 Increasing transfers-per-ns d4766 3 a4768 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4770 1 a4770 1- transfer-source
d4772 1 a4772 1transfer-source d4782 1 a4782 1 allow-transfer option for the d4785 1 a4785 1 transfer-source for all zones, d4788 3 a4790 3 transfer-source statement within the view or zone block in the configuration d4801 1 a4801 1
- transfer-source-v6
d4803 1 a4803 1 The same as transfer-source, d4806 1 a4806 1- alt-transfer-source
d4810 2 a4811 2 transfer-source fails and use-alt-transfer-source is a4815 1d4818 1 a4818 1 use-alt-transfer-source d4822 1 a4822 2
- alt-transfer-source-v6
d4827 2 a4828 2 transfer-source-v6 fails and use-alt-transfer-source is d4831 1 a4831 1- use-alt-transfer-source
d4834 1 a4834 1 specified this defaults to no d4836 1 a4836 1 yes (for BIND 8 d4839 1 a4839 1- notify-source
d4841 1 a4841 1notify-source d4845 3 a4847 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4850 3 a4852 3 notify-source statement within the zone or view block in the configuration d4863 1 a4863 1
- notify-source-v6
d4865 1 a4865 1 Like notify-source, d4870 1 a4870 1d7528 1 a7528 1 The view statement is a powerful d7537 1 a7537 1 Each view statement defines a view d7543 1 a7543 1 match-clients clause and its d7547 1 a7547 1 match-destinations clause. If not d7549 1 a7549 1 match-clients and match-destinations d7552 2 a7553 2 match-clients and match-destinations can also take keys which provide an d7556 1 a7556 1 as match-recursive-only, which d7559 1 a7559 1 The order of the view statements is d7562 1 a7562 1 view that it matches. d7565 1 a7565 1 Zones defined within a view d7567 1 a7567 1 only be accessible to clients that match the view. d7574 2 a7575 2 Many of the options given in the options statement can also be used within a view d7579 1 a7579 1 value is given, the value in the options statement d7582 1 a7582 1 in the view statement; these d7584 1 a7584 1 take precedence over those in the options statement. d7592 1 a7592 1 If there are no view statements in d7596 1 a7596 1 in class IN. Any zone statements d7600 1 a7600 1 this default view, and the options d7602 2 a7603 2 apply to the default view. If any explicit view statements are present, all zone d7605 1 a7605 1 occur inside view statements. d7609 1 a7609 1 using view statements: d7644 1 a7644 1
- coresize
d4942 1 a4942 1- datasize
d4955 2 a4956 2 max-cache-size and recursive-clients d4959 1 a4959 1- files
d4964 1 a4964 1- stacksize
d4971 1 a4971 1d4979 2 a4980 2
- max-ixfr-log-size
d4984 1 a4984 1 max-journal-size performs a d4987 1 a4987 1- max-journal-size
d4990 1 a4990 1 (see the section called “The journal file”). When the journal file d5000 1 a5000 1- host-statistics-max
d5006 1 a5006 1- recursive-clients
d5016 1 a5016 1 recursive-clients option may d5037 1 a5037 1- tcp-clients
d5044 1 a5044 1 clients-per-query, max-clients-per-query d5051 1 a5051 1 before dropping additional clients. named will attempt to d5058 1 a5058 1 If the number of queries exceed this value, named will d5066 1 a5066 1 If clients-per-query is set to zero, d5071 1 a5071 1 If max-clients-per-query is set to zero, d5073 1 a5073 1 recursive-clients. d5077 1 a5077 1 fetches-per-zone d5111 1 a5111 1 If fetches-per-zone is set to zero, d5117 1 a5117 1 running rndc recursing. The list d5130 1 a5130 1 built with configure --enable-fetchlimit.) d5134 1 a5134 1 fetches-per-server d5157 1 a5157 1 If fetches-per-server is set to zero, d5162 1 a5162 1 The fetches-per-server quota is d5169 1 a5169 1 threshold, then fetches-per-server d5172 2 a5173 2 fetches-per-server is increased. The fetch-quota-params options d5179 1 a5179 1 built with configure --enable-fetchlimit.) d5182 1 a5182 1- fetch-quota-params
d5214 1 a5214 1 built with configure --enable-fetchlimit.) d5217 1 a5217 1- reserved-sockets
d5222 1 a5222 1 interfaces named listens on, tcp-clients as well as d5233 1 a5233 1- max-cache-size
d5251 1 a5251 1- tcp-listen-queue
d5265 1 a5265 1d5376 2 a5377 2 (but see the rrset-order statement in the section called “RRset Ordering”). d5388 1 a5388 1 The sortlist statement (see below) d5390 1 a5390 1 an address_match_list and d5392 1 a5392 1 more specifically than the topology d5394 3 a5396 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5399 1 a5399 1 an IP prefix, an ACL name or a nested address_match_list) d5411 2 a5412 2 treated the same as the address_match_list in a topology statement. Each top d5477 1 a5477 1
- cleaning-interval
d5273 1 a5273 1 from the cache every cleaning-interval minutes. d5280 1 a5280 1- heartbeat-interval
d5283 1 a5283 1 for all zones marked as dialup whenever this d5290 1 a5290 1- interface-interval
d5293 1 a5293 1 every interface-interval d5301 1 a5301 1 listen-on configuration), and d5305 1 a5305 1- statistics-interval
d5309 1 a5309 1 every statistics-interval d5324 1 a5324 1d5484 1 a5484 1 The rrset-order statement permits d5487 2 a5488 2 See also the sortlist statement, the section called “The sortlist Statement”. d5491 1 a5491 1 An order_spec is defined as d5501 3 a5503 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5506 1 a5506 1 The legal values for ordering are: d5510 2 a5511 2d5516 1 a5516 1 fixed
d5527 1 a5527 1random
d5537 1 a5537 1cyclic
d5568 1 a5568 1 If multiple rrset-order statements d5578 1 a5578 1 rrset-order statement does not support d5585 1 a5585 1d5588 2 a5589 2
- lame-ttl
d5606 1 a5606 1- max-ncache-ttl
d5609 1 a5609 1 the server stores negative answers. max-ncache-ttl is d5613 2 a5614 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5618 1 a5618 1- max-cache-ttl
d5628 1 a5628 1- min-roots
d5643 1 a5643 1- sig-validity-interval
d5648 1 a5648 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5665 1 a5665 1 The sig-validity-interval d5671 1 a5671 1- sig-signing-nodes
d5678 1 a5678 1- sig-signing-signatures
d5685 1 a5685 1- sig-signing-type
d5698 1 a5698 1 named to track the current state of d5702 2 a5703 2 rndc signing -listzone. Once named has finished signing d5707 1 a5707 1 rndc signing -clearkeyid/algorithmzone. d5710 1 a5710 1 rndc signing -clear allzone. d5714 1 a5714 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5738 4 a5741 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5745 1 a5745 1- edns-udp-size
d5757 1 a5757 1 edns-udp-size to a non-default value d5763 1 a5763 1 When named first queries a remote d5768 1 a5768 1 If the initial response times out, named d5772 1 a5772 1 successes using plain DNS, named d5774 1 a5774 1 with that server. (Periodically, named d5781 1 a5781 1 named will advertise progressively d5784 1 a5784 1 edns-udp-size is reached. d5787 1 a5787 1 The default buffer sizes used by named d5789 1 a5789 1 edns-udp-size. (The values 1232 and d5795 1 a5795 1- max-udp-size
d5799 1 a5799 1 named will send in bytes. d5807 1 a5807 1 edns-udp-size. d5811 1 a5811 1 max-udp-size to a non-default d5816 1 a5816 1 buffer (edns-udp-size). d5823 1 a5823 1- masterfile-format
d5827 1 a5827 1 the section called “Additional File Formats”). d5833 2 a5834 2 named-compilezone tool, or dumped by named. d5838 1 a5838 1textis loaded, named d5841 1 a5841 1 check-names checks do not apply d5845 1 a5845 1 specified in the named configuration d5852 1 a5852 1 masterfile-format for all zones, d5854 3 a5856 3 by including a masterfile-format statement within the zone or view block in the configuration d5861 1 a5861 1 max-recursion-depth d5874 1 a5874 1 max-recursion-queries d5885 1 a5885 1- notify-delay
d5893 1 a5893 1 zones is controlled by serial-query-rate. d5896 1 a5896 1- max-rsa-exponent-size
d5903 1 a5903 1- prefetch
d5907 1 a5907 1 is to expire shortly, named can d5930 1 a5930 1 if it isn't, named will silently d5937 1 a5937 1d5944 1 a5944 1 CHAOS class. These zones are part d5946 1 a5946 1 built-in view (see the section called “view Statement Grammar”) of d5948 3 a5950 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5952 3 a5954 3 overridden: notify, recursion and allow-new-zones are d5956 1 a5956 1 rate-limit is set to allow d5961 1 a5961 1 below, or hide the built-in CHAOS d5963 1 a5963 1 defining an explicit view of class CHAOS d5966 2 a5967 2
- version
d5971 1 a5971 1 with type TXT, class CHAOS. d5973 1 a5973 1 Specifying version none d5976 1 a5976 1- hostname
d5980 1 a5980 1 with type TXT, class CHAOS. d5986 1 a5986 1 answering your queries. Specifying hostname none; d5989 1 a5989 1- server-id
d5994 1 a5994 1 TXT, class CHAOS. d5997 1 a5997 1 answering your queries. Specifying server-id none; d5999 1 a5999 1 Specifying server-id hostname; will cause named to d6001 1 a6001 1 The default server-id is none. d6005 1 a6005 1d6028 98 a6125 98d6409 1 a6409 1 response-policy option for the view or among the d6414 1 a6414 3 allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones. d6417 1 a6417 1 A response-policy option can support d6422 1 a6422 1 in a single response-policy option; more d6428 2 a6429 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a6151 1d6156 3 a6158 4
- empty-server
d6164 1 a6164 1- empty-contact
d6170 1 a6170 1- empty-zones-enable
d6175 1 a6175 1- disable-empty-zone
d6182 1 a6182 1d6186 1 a6186 1 The additional section cache, also called acache, d6191 1 a6191 1 Note that acache is an internal caching d6206 3 a6208 3 additional-from-cache to no is recommended, since the current implementation of acache d6213 1 a6213 1 One obvious disadvantage of acache is d6218 3 a6220 3 acache mechanism can be disabled by setting acache-enable to no. d6223 1 a6223 1 for acache by using max-acache-size. d6228 2 a6229 2 Without acache, cyclic order is effective for the additional d6234 1 a6234 1 setting of rrset-order. d6243 1 a6243 1 acache. d6245 2 a6246 2d6283 1 a6283 1 deny-answer-addresses option. d6288 1 a6288 1 deny-answer-aliases option, where d6292 1 a6292 1 with except-from, records whose query name d6296 1 a6296 1 corresponding zone, the deny-answer-aliases d6299 1 a6299 1 deny-answer-aliases, d6307 1 a6307 1 deny-answer-addresses option, only d6328 1 a6328 1 d6362 1 a6362 1 matches the except-from element, d6396 1 a6396 1
- RPZ-CLIENT-IP
d6436 1 a6436 1 rpz-client-ip relativized to the d6463 1 a6463 1- QNAME
d6471 1 a6471 1- RPZ-IP
d6476 1 a6476 1 subdomains of rpz-ip. d6478 1 a6478 1- RPZ-NSDNAME
d6484 1 a6484 1 rpz-nsdname relativized d6490 1 a6490 1- RPZ-NSIP
d6493 1 a6493 1 subdomains of rpz-nsip. d6495 2 a6496 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6507 1 a6507 1 DISABLED actions) must be chosen. d6511 3 a6513 3
- Choose the triggered record in the zone that appears first in the response-policy option. d6515 1 a6515 1
- Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP d6518 1 a6518 1
- Among NSDNAME triggers, prefer the d6521 1 a6521 1
- Among IP or NSIP triggers, prefer the trigger d6524 1 a6524 1
- Among triggers with the same prefix length, d6543 2 a6544 2 For example, while the TCP-only policy is commonly used with client-IP triggers, d6548 2 a6549 2
d6775 2 a6776 2 rate-limit clause in an options or view statement. d6803 1 a6803 1 the window option to any value from d6807 1 a6807 1 or more negative than window d6818 2 a6819 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6824 1 a6824 1 with responses-per-second d6829 2 a6830 2 nodata-per-second (default responses-per-second). d6834 2 a6835 2 They are limited by nxdomains-per-second (default base responses-per-second). d6842 2 a6843 2 referrals-per-second (default responses-per-second). d6857 1 a6857 1 responses-per-second value, d6859 1 a6859 1 errors-per-second. d6869 1 a6869 1 Setting slip to 2 (its default) causes every d6875 1 a6875 1 slip must be between 0 and 10. d6883 1 a6883 1 leaked at the slip rate. d6894 1 a6894 1 slip to 1, causing all rate-limited d6900 6 a6905 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6908 1 a6908 1 qps-scale 250; responses-per-second 20; and d6919 2 a6920 2 rate-limit statements in view statements instead of the global option d6922 2 a6923 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6926 1 a6926 1 with the exempt-clients clause. d6930 1 a6930 1 all-per-second phrase. d6932 3 a6934 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6939 2 a6940 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6942 1 a6942 1 An all-per-second limit should be d6950 1 a6950 1 records as it considers the STMP Mail From d6954 1 a6954 1 All-per-second is similar to the d6966 1 a6966 1 rate limit responses is set with max-table-size. d6972 1 a6972 1 min-table-size (default 500) d6974 1 a6974 1 Enable rate-limit category logging to monitor d6979 1 a6979 1 Use log-only yes to test rate limiting parameters d6984 1 a6984 1 RateDropped and QryDropped d6987 1 a6987 1 RateSlipped and RespTruncated. d6991 1 a6991 1
- PASSTHRU
d6552 1 a6552 1 by a CNAME whose target is rpz-passthru. d6557 1 a6557 1- DROP
d6560 1 a6560 1 by a CNAME whose target is rpz-drop. d6564 1 a6564 1- TCP-Only
d6567 1 a6567 1 by a CNAME whose target is rpz-tcp-only. d6572 1 a6572 1- NXDOMAIN
d6577 1 a6577 1- NODATA
d6584 1 a6584 1- Local Data
d6606 2 a6607 2 can be overridden with a policy clause in the response-policy option. d6612 2 a6613 2
- GIVEN
d6617 1 a6617 1- DISABLED
d6630 1 a6630 1 PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA d6635 1 a6635 1- CNAME domain
d6648 1 a6648 1 with a recursive-only no clause. d6660 1 a6660 1 break-dnssec yes clause. In that case, RPZ d6677 1 a6677 1 The qname-wait-recurse no option d6685 1 a6685 1 DNSSEC requests (DO=1) unless break-dnssec yes d6696 1 a6696 1 The max-policy-ttl clause changes that d6766 1 a6766 1 RPZRewrites statistics. d6769 1 a6769 1serverip_addr[/prefixlen]{ d7002 1 d7021 1 a7021 1d7023 1 a7023 1 server Statement Definition and d7026 1 a7026 1 The server statement defines d7035 1 a7035 1 The server statement can occur at d7037 1 a7037 1 configuration file or inside a view d7039 2 a7040 2 If a view statement contains one or more server statements, only d7043 1 a7043 1 If a view contains no server d7045 1 a7045 1 any top-level server statements are d7053 1 a7053 1 value of bogus is no. d7056 1 a7056 1 The provide-ixfr clause determines d7061 1 a7061 1 If set to yes, incremental transfer d7063 1 a7063 1 whenever possible. If set to no, d7067 1 a7067 1 of the provide-ixfr option in the d7072 1 a7072 1 The request-ixfr clause determines d7076 1 a7076 1 value of the request-ixfr option in d7087 3 a7089 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d7096 1 a7096 1 The edns clause determines whether d7098 1 a7098 1 with the remote server. The default is yes. d7101 2 a7102 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named d7111 1 a7111 1 server; named will not deviate from d7113 3 a7115 3 edns-udp-size in options or view statements, where it specifies a maximum value. The server statement d7117 1 a7117 1 options/view behavior in future releases.) d7120 2 a7121 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d7125 8 a7132 1 replies from named. d7135 3 a7137 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d7141 3 a7143 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d7145 1 a7145 1 by the options statement will be d7148 1 a7148 1transfers d7151 1 a7151 1 transfers clause is specified, the d7153 1 a7153 1 transfers-per-ns option. d7156 3 a7158 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d7170 2 a7171 2 The transfer-source and transfer-source-v6 clauses specify d7175 1 a7175 1 For an IPv4 remote server, only transfer-source can d7178 1 a7178 1 transfer-source-v6 can be d7181 3 a7183 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d7186 2 a7187 2 The notify-source and notify-source-v6 clauses specify the d7190 1 a7190 1 IPv4 remote server, only notify-source d7192 1 a7192 1 only notify-source-v6 can be specified. d7195 2 a7196 2 The query-source and query-source-v6 clauses specify the d7199 1 a7199 1 remote server, only query-source can d7201 1 a7201 1 only query-source-v6 can be specified. d7204 1 a7204 1 The request-nsid clause determines d7207 1 a7207 1 request-nsid set at the view or d7211 1 a7211 1 The request-sit clause determines d7214 1 a7214 1 request-sit set at the view or d7220 1 a7220 1
statistics-channels { d7230 1 a7230 1d7232 1 a7232 1 statistics-channels Statement Definition and d7235 1 a7235 1 The statistics-channels statement d7246 1 a7246 1 statistics-channels statement is d7251 4 a7254 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*d7259 1 a7259 1 use an ip_addr of::. d7264 1 a7264 1 ip_port. d7268 1 a7268 1 restricted by the optional allow clause. d7270 3 a7272 3 address_match_list. If no allow clause is present, named accepts connection d7279 2 a7280 2 If no statistics-channels statement is present, named will not open any communication channels. d7287 2 a7288 2 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is d7297 1 a7297 1 http://127.0.0.1:8888/xml/v2 for version 2 d7299 1 a7299 1 http://127.0.0.1:8888/xml/v3 for version 3. d7306 1 a7306 1 http://127.0.0.1:8888/xml/v3/status d7308 1 a7308 1 http://127.0.0.1:8888/xml/v3/server d7310 1 a7310 1 http://127.0.0.1:8888/xml/v3/zones d7312 1 a7312 1 http://127.0.0.1:8888/xml/v3/net d7314 1 a7314 1 http://127.0.0.1:8888/xml/v3/mem d7316 1 a7316 1 http://127.0.0.1:8888/xml/v3/tasks d7321 1 a7321 1 http://127.0.0.1:8888/json, d7323 1 a7323 1 http://127.0.0.1:8888/json/v1/status d7325 1 a7325 1 http://127.0.0.1:8888/json/v1/server d7327 1 a7327 1 http://127.0.0.1:8888/json/v1/zones d7329 1 a7329 1 http://127.0.0.1:8888/json/v1/net d7331 1 a7331 1 http://127.0.0.1:8888/json/v1/mem d7333 1 a7333 1 http://127.0.0.1:8888/json/v1/tasks d7337 1 a7337 1trusted-keys { d7346 1 a7346 1d7348 1 a7348 1 trusted-keys Statement Definition d7351 2 a7352 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d7363 1 a7363 1 trusted-keys are deemed to exist regardless d7365 1 a7365 1 trusted-keys only those keys are d7370 1 a7370 1 The trusted-keys statement can contain d7379 1 a7379 1 trusted-keys may be set at the top level d7386 1 a7386 1managed-keys { d7395 1 a7395 1d7397 1 a7397 1 managed-keys Statement Definition d7400 2 a7401 2 The managed-keys statement, like trusted-keys, defines DNSSEC d7403 1 a7403 1 managed-keys can be kept up to date d7411 1 a7411 1 trusted-keys statement would be d7415 1 a7415 1 trusted-keys statement with the new key. d7419 1 a7419 1 managed-keys statement instead, then the d7421 2 a7422 2 named would store the stand-by key, and when the original key was revoked, named d7429 1 a7429 1 A managed-keys statement contains a list of d7434 1 a7434 1 This means the managed-keys statement must d7440 2 a7441 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d7444 1 a7444 1 keys listed in a trusted-keys continue to be d7447 1 a7447 1 in a managed-keys statement is only trusted d7453 1 a7453 1 The first time named runs with a managed key d7456 1 a7456 1 using the key specified in the managed-keys d7461 2 a7462 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d7465 1 a7465 1 key specified in the managed-keys is not d7470 1 a7470 1 The next time named runs after a name d7472 1 a7472 1 managed-keys statement, the corresponding d7478 3 a7480 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d7492 1 a7492 1 seconds. So, whenever named is using d7496 1 a7496 1 named.) d7499 2 a7500 2 If the dnssec-validation option is set toauto, named d7502 1 a7502 1 root zone. Similarly, if the dnssec-lookaside d7504 1 a7504 1 named will automatically initialize d7507 2 a7508 2 maintenance process is built into named, and can be overridden from bindkeys-file. d7511 1 a7511 1viewview_named7524 1 a7524 1d7646 1 a7646 1 zone d7648 1 a7648 1zonezone_name[class] { d7658 2 a7659 3 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7719 1 d7804 1 a7804 1 [ zone-statisticsfull|terse|none; ] d7818 1 a7818 1 [ zone-statisticsfull|terse|none; ] d7846 1 a7846 1The type keyword is required for the zone configuration unless it is an in-view configuration. Its acceptable values include:
d7854 2 a7855 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7882 1 a7882 1 zone. The masters list d7997 2 a7998 2 server-addresses and server-names zone options. d8004 1 a8004 1 databases by rndc dumpdb -all. d8035 4 a8038 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d8042 1 a8042 1 name. If no forwarders d8044 1 a8044 1 an empty list for forwarders is given, then no d8047 1 a8047 1 any forwarders in the options statement. Thus d8050 1 a8050 1 global forward option d8092 1 a8092 1 per view. allow-query can be d8129 1 a8129 1 rndc reload d8132 1 a8132 1 rndc reload without specifying d8160 1 a8160 1 See caveats in root-delegation-only. d8167 1 a8167 1 d8189 1 a8189 1 d9121 1 a9121 1 in-view zone option provides an efficient d9144 1 a9144 1 An in-view option cannot refer to a view d9148 4 a9151 4 A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control d9163 1 a9163 1 An in-view zone cannot be used as a d9167 2 a9168 2 An in-view zone is not intended to reference a forward zone. d9173 1 a9173 1 d9197 1 a9197 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d9204 2 a9205 2
- allow-notify
d8196 1 a8196 1 allow-notify in the section called “Access Control”. d8198 1 a8198 1- allow-query
d8201 1 a8201 1 allow-query in the section called “Access Control”. d8203 1 a8203 1- allow-query-on
d8206 1 a8206 1 allow-query-on in the section called “Access Control”. d8208 1 a8208 1- allow-transfer
d8210 2 a8211 2 See the description of allow-transfer in the section called “Access Control”. d8213 1 a8213 1- allow-update
d8215 2 a8216 2 See the description of allow-update in the section called “Access Control”. d8218 1 a8218 1- update-policy
d8221 1 a8221 1 the section called “Dynamic Update Policies”. d8223 1 a8223 1- allow-update-forwarding
d8225 2 a8226 2 See the description of allow-update-forwarding in the section called “Access Control”. d8228 1 a8228 1- also-notify
d8230 1 a8230 1 Only meaningful if notify d8239 1 a8239 1 with also-notify. A port d8241 1 a8241 1 with each also-notify d8247 1 a8247 1 also-notify is not d8251 1 a8251 1- check-names
d8257 3 a8259 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d8261 1 a8261 1- check-mx
d8264 1 a8264 1 check-mx in the section called “Boolean Options”. d8266 1 a8266 1- check-spf
d8269 1 a8269 1 check-spf in the section called “Boolean Options”. d8271 1 a8271 1- check-wildcard
d8274 1 a8274 1 check-wildcard in the section called “Boolean Options”. d8276 1 a8276 1- check-integrity
d8279 1 a8279 1 check-integrity in the section called “Boolean Options”. d8281 1 a8281 1- check-sibling
d8284 1 a8284 1 check-sibling in the section called “Boolean Options”. d8286 1 a8286 1- zero-no-soa-ttl
d8289 1 a8289 1 zero-no-soa-ttl in the section called “Boolean Options”. d8291 1 a8291 1- update-check-ksk
d8294 1 a8294 1 update-check-ksk in the section called “Boolean Options”. d8296 1 a8296 1- dnssec-loadkeys-interval
d8299 2 a8300 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d8303 1 a8303 1- dnssec-update-mode
d8306 1 a8306 2 dnssec-update-mode in the section called “options Statement Definition and Usage”. d8308 1 a8308 1- dnssec-dnskey-kskonly
d8311 1 a8311 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d8313 1 a8313 6- try-tcp-refresh
See the description of try-tcp-refresh in the section called “Boolean Options”.
- database
d8317 1 a8317 1 zone data. The string following the database keyword d8339 1 a8339 1- dialup
d8342 1 a8342 1 dialup in the section called “Boolean Options”. d8344 1 a8344 1- delegation-only
d8353 1 a8353 1 See caveats in root-delegation-only. d8356 1 a8356 1- forward
d8359 1 a8359 1 list. The only value causes d8361 1 a8361 1 after trying the forwarders and getting no answer, while first would d8364 1 a8364 1- forwarders
d8367 1 a8367 1 If it is not specified in a zone of type forward, d8371 1 a8371 1- ixfr-base
d8383 1 a8383 1- ixfr-tmp-file
d8388 1 a8388 1- journal
d8392 1 a8392 1 This is applicable to master and slave zones. d8394 1 a8394 1- max-journal-size
d8397 1 a8397 1 max-journal-size in the section called “Server Resource Limits”. d8399 1 a8399 1- max-transfer-time-in
d8402 1 a8402 1 max-transfer-time-in in the section called “Zone Transfers”. d8404 1 a8404 1- max-transfer-idle-in
d8407 1 a8407 1 max-transfer-idle-in in the section called “Zone Transfers”. d8409 1 a8409 1- max-transfer-time-out
d8412 1 a8412 1 max-transfer-time-out in the section called “Zone Transfers”. d8414 1 a8414 1- max-transfer-idle-out
d8417 1 a8417 1 max-transfer-idle-out in the section called “Zone Transfers”. d8419 1 a8419 1- notify
d8422 1 a8422 1 notify in the section called “Boolean Options”. d8424 1 a8424 1- notify-delay
d8427 1 a8427 1 notify-delay in the section called “Tuning”. d8429 1 a8429 1- notify-to-soa
d8432 2 a8433 2 notify-to-soa in the section called “Boolean Options”. d8435 1 a8435 1- pubkey
d8444 1 a8444 1- zone-statistics
d8446 5 a8450 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d8452 1 a8452 1- server-addresses
d8466 1 a8466 1 in a server-addresses option, d8481 1 a8481 1- server-names
d8489 1 a8489 1 named needs to send queries to d8497 1 a8497 1 server-names option, but d8507 1 a8507 1 in a server-names option, d8524 1 a8524 1- sig-validity-interval
d8527 1 a8527 1 sig-validity-interval in the section called “Tuning”. d8529 1 a8529 1- sig-signing-nodes
d8532 1 a8532 1 sig-signing-nodes in the section called “Tuning”. d8534 1 a8534 1- sig-signing-signatures
d8537 1 a8537 1 sig-signing-signatures in the section called “Tuning”. d8539 1 a8539 1- sig-signing-type
d8542 1 a8542 1 sig-signing-type in the section called “Tuning”. d8544 1 a8544 1- transfer-source
d8547 1 a8547 1 transfer-source in the section called “Zone Transfers”. d8549 1 a8549 1- transfer-source-v6
d8552 1 a8552 1 transfer-source-v6 in the section called “Zone Transfers”. d8554 1 a8554 1- alt-transfer-source
d8557 1 a8557 1 alt-transfer-source in the section called “Zone Transfers”. d8559 1 a8559 1- alt-transfer-source-v6
d8562 1 a8562 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d8564 1 a8564 1- use-alt-transfer-source
d8567 1 a8567 1 use-alt-transfer-source in the section called “Zone Transfers”. d8569 1 a8569 1- notify-source
d8572 1 a8572 1 notify-source in the section called “Zone Transfers”. d8574 1 a8574 1- notify-source-v6
d8577 1 a8577 1 notify-source-v6 in the section called “Zone Transfers”. d8580 1 a8580 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d8583 1 a8583 1 See the description in the section called “Tuning”. d8585 1 a8585 1- ixfr-from-differences
d8588 2 a8589 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d8594 1 a8594 1- key-directory
d8597 2 a8598 1 key-directory in the section called “options Statement Definition and d8601 63 a8663 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8672 1 a8672 1- multi-master
d8674 2 a8675 2 See the description of multi-master in the section called “Boolean Options”. d8677 1 a8677 1- masterfile-format
d8679 2 a8680 2 See the description of masterfile-format in the section called “Tuning”. d8682 1 a8682 1- max-zone-ttl
d8684 3 a8686 2 See the description of max-zone-ttl in the section called “options Statement Definition and d8689 1 a8689 1- dnssec-secure-to-insecure
d8692 1 a8692 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8696 1 a8696 1d8702 2 a8703 2 allow-update and update-policy option, respectively. d8706 1 a8706 1 The allow-update clause works the d8712 1 a8712 1 The update-policy clause d8722 1 a8722 1 Rules are specified in the update-policy d8724 1 a8724 1 When the update-policy statement d8726 2 a8727 2 allow-update statement to be present. The update-policy statement d8732 1 a8732 1 There is a pre-defined update-policy d8734 1 a8734 1 update-policy local;. d8736 1 a8736 1 named to generate a TSIG session d8742 3 a8744 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8756 1 a8756 1 The command nsupdate -l sends update d8763 1 a8763 1 ( grant | deny )identitynametype[name] [types] d8818 2 a8819 2d8863 1 a8863 1 update-policy statement d8866 1 a8866 1 update-policy statement in d8886 1 a8886 1 is a valid expansion of the wildcard. d9059 1 a9059 1 This rule allows named d9111 1 a9111 1 d9283 2 a9284 2 a9368 12 AVC Application Visibility and Control record.
a9434 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a9812 12 NINFO
Contains zone status information.
a9982 12 RKEY
Resource key.
a10038 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a10090 24 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
d1564 7 a1570 4 d10196 2 a10197 2
d10286 1 a10286 1 d10328 3 a10330 3 d10446 3 a10448 3 d10489 1 a10489 1 d10529 5 a10533 5 d10672 1 a10672 1 d10764 2 a10765 2 d10797 1 a10797 1 The $ORIGIN lines in the examples d10805 1 a10805 1 d10817 2 a10818 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d10820 1 a10820 1 d10831 1 a10831 1 d10835 1 a10835 1 Syntax: $ORIGIN d10839 1 a10839 1 $ORIGIN d10842 2 a10843 2 is an implicit $ORIGIN <
d10864 1 a10864 1 Syntax: $INCLUDE d10872 3 a10874 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d10879 1 a10879 1 revert to the values they had prior to the $INCLUDE once d10887 1 a10887 1 an $INCLUDE, but it is silent d10896 1 a10896 1 d10900 1 a10900 1 Syntax: $TTL d10910 1 a10910 1zone_name>. d10845 2 a10846 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d10860 1 a10860 1$TTL d10915 1 a10915 1
d10919 1 a10919 1 Syntax: $GENERATE d10928 1 a10928 1$GENERATE d10931 1 a10931 1 iterator. $GENERATE can be used to d10973 2 a10974 2
d10979 1 a10979 1 range
d10993 1 a10993 1lhs
d10998 1 a10998 1 to be created. Any single $ d11000 1 a11000 1 symbols within the lhs string d11004 4 a11007 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d11012 4 a11015 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d11021 3 a11023 3 (d), octal (o), hexadecimal (x or X d11025 1 a11025 1 (n or N\ d11027 3 a11029 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d11041 1 a11041 1 $$ is still recognized as d11048 1 a11048 1ttl
d11056 2 a11057 2class and ttl can be d11064 1 a11064 1
class
d11072 2 a11073 2class and ttl can be d11080 1 a11080 1
type
d11090 1 a11090 1rhs
d11094 1 a11094 1 rhs, optionally, quoted string. d11101 1 a11101 1 The $GENERATE directive is a BIND extension d11108 1 a11108 1d11126 1 a11126 1 directly into memory via the mmap() d11134 1 a11134 1 file by the named-compilezone command. d11137 2 a11138 2 masterfile-format option) when named dumps the zone contents after d11144 1 a11144 1 named-compilezone command. All d11147 1 a11147 1 named-compilezone command again. d11150 1 a11150 1 Note that map format is extremely d11168 1 a11168 1d11959 2 a11960 2d11186 2 a11187 2d11287 5 a11291 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a11293 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d11297 1 a11297 1 by the statistics-file configuration option. d11299 1 a11299 1 when the statistics-channels statement d11301 1 a11301 1 (see the section called “statistics-channels Statement Grammar”.) d11303 3 a11305 3
d11310 1 a11310 1 +++ Statistics Dump +++ (973798949) d11322 1 a11322 1 ++ Name Server Statistics ++ d11336 1 a11336 1 --- Statistics Dump --- (973798949) d11339 1 a11339 1d11363 3 a11365 3d11387 1 a11387 1 Requestv4
d11390 1 a11390 1RQ
d11401 1 a11401 1Requestv6
d11404 1 a11404 1RQ
d11415 1 a11415 1ReqEdns0
d11418 1 a11418 1d11428 1 a11428 1
ReqBadEDNSVer
d11431 1 a11431 1d11441 1 a11441 1
ReqTSIG
d11444 1 a11444 1d11454 1 a11454 1
ReqSIG0
d11457 1 a11457 1d11467 1 a11467 1
ReqBadSIG
d11470 1 a11470 1d11480 1 a11480 1
ReqTCP
d11483 1 a11483 1RTCP
d11493 1 a11493 1AuthQryRej
d11496 1 a11496 1RUQ
d11506 1 a11506 1RecQryRej
d11509 1 a11509 1RURQ
d11519 1 a11519 1XfrRej
d11522 1 a11522 1RUXFR
d11532 1 a11532 1UpdateRej
d11535 1 a11535 1RUUpd
d11545 1 a11545 1Response
d11548 1 a11548 1SAns
d11558 1 a11558 1RespTruncated
d11561 1 a11561 1d11571 1 a11571 1
RespEDNS0
d11574 1 a11574 1d11584 1 a11584 1
RespTSIG
d11587 1 a11587 1d11597 1 a11597 1
RespSIG0
d11600 1 a11600 1d11610 1 a11610 1
QrySuccess
d11613 1 a11613 1d11621 1 a11621 1 success counter d11629 1 a11629 1
QryAuthAns
d11632 1 a11632 1d11642 1 a11642 1
QryNoauthAns
d11645 1 a11645 1SNaAns
d11655 1 a11655 1QryReferral
d11658 1 a11658 1d11664 1 a11664 1 referral counter d11672 1 a11672 1
QryNxrrset
d11675 1 a11675 1d11681 1 a11681 1 nxrrset counter d11689 1 a11689 1
QrySERVFAIL
d11692 1 a11692 1SFail
d11702 1 a11702 1QryFORMERR
d11705 1 a11705 1SFErr
d11715 1 a11715 1QryNXDOMAIN
d11718 1 a11718 1SNXD
d11724 1 a11724 1 nxdomain counter d11732 1 a11732 1QryRecursion
d11735 1 a11735 1RFwdQ
d11742 1 a11742 1 recursion counter d11750 1 a11750 1QryDuplicate
d11753 1 a11753 1RDupQ
d11762 1 a11762 1 duplicate counter d11770 1 a11770 1QryDropped
d11773 1 a11773 1d11783 1 a11783 1 clients-per-query d11785 1 a11785 1 max-clients-per-query d11788 1 a11788 1 clients-per-query.) d11790 1 a11790 1 dropped counter d11798 1 a11798 1
QryFailure
d11801 1 a11801 1d11807 1 a11807 1 failure counter d11813 2 a11814 2 AuthQryRej and RecQryRej d11823 1 a11823 1
XfrReqDone
d11826 1 a11826 1d11836 1 a11836 1
UpdateReqFwd
d11839 1 a11839 1d11849 1 a11849 1
UpdateRespFwd
d11852 1 a11852 1d11862 1 a11862 1
UpdateFwdFail
d11865 1 a11865 1d11875 1 a11875 1
UpdateDone
d11878 1 a11878 1d11888 1 a11888 1
UpdateFail
d11891 1 a11891 1d11901 1 a11901 1
UpdateBadPrereq
d11904 1 a11904 1d11914 1 a11914 1
RateDropped
d11917 1 a11917 1d11927 1 a11927 1
RateSlipped
d11930 1 a11930 1d11940 1 a11940 1
RPZRewrites
d11943 1 a11943 1d11954 1 a11954 1
d11977 1 a11977 1 NotifyOutv4
d11987 1 a11987 1NotifyOutv6
d11997 1 a11997 1NotifyInv4
d12007 1 a12007 1NotifyInv6
d12017 1 a12017 1NotifyRej
d12027 1 a12027 1SOAOutv4
d12037 1 a12037 1SOAOutv6
d12047 1 a12047 1AXFRReqv4
d12057 1 a12057 1AXFRReqv6
d12067 1 a12067 1IXFRReqv4
d12077 1 a12077 1IXFRReqv6
d12087 1 a12087 1XfrSuccess
d12097 1 a12097 1XfrFail
d12108 1 a12108 1 d12113 3 a12115 3d12137 1 a12137 1 Queryv4
d12140 1 a12140 1SFwdQ
d12150 1 a12150 1Queryv6
d12153 1 a12153 1SFwdQ
d12163 1 a12163 1Responsev4
d12166 1 a12166 1RR
d12176 1 a12176 1Responsev6
d12179 1 a12179 1RR
d12189 1 a12189 1NXDOMAIN
d12192 1 a12192 1RNXD
d12202 1 a12202 1SERVFAIL
d12205 1 a12205 1RFail
d12215 1 a12215 1FORMERR
d12218 1 a12218 1RFErr
d12228 1 a12228 1OtherError
d12231 1 a12231 1RErr
d12241 1 a12241 1EDNS0Fail
d12244 1 a12244 1d12254 1 a12254 1
Mismatch
d12257 1 a12257 1RDupR
d12266 1 a12266 1 the port option.) d12274 1 a12274 1Truncated
d12277 1 a12277 1d12287 1 a12287 1
Lame
d12290 1 a12290 1RLame
d12300 1 a12300 1Retry
d12303 1 a12303 1SDupQ
d12313 1 a12313 1QueryAbort
d12316 1 a12316 1d12326 1 a12326 1
QuerySockFail
d12329 1 a12329 1d12342 1 a12342 1
QueryTimeout
d12345 1 a12345 1d12355 1 a12355 1
GlueFetchv4
d12358 1 a12358 1SSysQ
d12368 1 a12368 1GlueFetchv6
d12371 1 a12371 1SSysQ
d12381 1 a12381 1GlueFetchv4Fail
d12384 1 a12384 1d12394 1 a12394 1
GlueFetchv6Fail
d12397 1 a12397 1d12407 1 a12407 1
ValAttempt
d12410 1 a12410 1d12420 1 a12420 1
ValOk
d12423 1 a12423 1d12433 1 a12433 1
ValNegOk
d12436 1 a12436 1d12446 1 a12446 1
ValFail
d12449 1 a12449 1d12459 1 a12459 1
QryRTTnn
d12462 1 a12462 1d12468 1 a12468 1 Each nn specifies the corresponding d12471 2 a12472 2 nn_1, nn_2, d12474 2 a12475 2 nn_m, the value of nn_i is the d12477 2 a12478 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d12480 1 a12480 1 nn_0 to be 0. d12482 1 a12482 1 nn_m+, which means the d12484 1 a12484 1 nn_m milliseconds. d12491 1 a12491 1 d12497 6 a12502 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d12504 1 a12504 1 In the following table <TYPE> d12511 2 a12512 2
d12529 1 a12529 1 <TYPE>Open
d12535 1 a12535 1 FDwatch type. d12541 1 a12541 1<TYPE>OpenFail
d12547 1 a12547 1 FDwatch type. d12553 1 a12553 1<TYPE>Close
d12563 1 a12563 1<TYPE>BindFail
d12573 1 a12573 1<TYPE>ConnFail
d12583 1 a12583 1<TYPE>Conn
d12593 1 a12593 1<TYPE>AcceptFail
d12599 2 a12600 2 UDP and FDwatch types. d12606 1 a12606 1<TYPE>Accept
d12612 2 a12613 2 UDP and FDwatch types. d12619 1 a12619 1<TYPE>SendErr
d12625 2 a12626 2 to SErr counter of BIND 8. d12632 1 a12632 1<TYPE>RecvErr
d12646 1 a12646 1 d12651 2 a12652 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d12656 2 a12657 2d519 1 a519 1 the listen-on and sortlist d523 5 a527 5
- RFwdR,SFwdR
d12660 1 a12660 1 because BIND 9 does not adopt d12662 1 a12662 1 as BIND 8 did. d12664 1 a12664 1- RAXFR
d12668 1 a12668 1- RIQ
d12672 1 a12672 1- ROpts
d12675 1 a12675 1 because BIND 9 does not care d12700 1 a12700 1BIND 9.10.4-P5
@ 1.1.1.15.2.6.2.2 log @Sync with netbsd-7-1-RELEASE @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.1.1.15.2.7 log @Pull up following revision(s) (requested by snj in ticket #1264): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.23 via patch external/bsd/bind/bind2netbsd: up to 1.4 external/bsd/bind/dist/CHANGES: up to 1.22 external/bsd/bind/dist/FAQ: up to 1.1.1.8 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.11 external/bsd/bind/dist/Makefile.in: up to 1.3 external/bsd/bind/dist/README: up to 1.10 external/bsd/bind/dist/acconfig.h: up to 1.9 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.7 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.13 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkzone.c: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.6 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/win32/confgentool.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/delv.c: up to 1.5 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/dig/dig.1: up to 1.12 external/bsd/bind/dist/bin/dig/dig.c: up to 1.12 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.18 external/bsd/bind/dist/bin/dig/host.1: up to 1.6 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/nslookup.1: up to 1.8 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.5 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.14 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.17 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/bin/named/bind9.xsl: up to 1.1.1.9 external/bsd/bind/dist/bin/named/bind9.xsl.h: up to 1.10 external/bsd/bind/dist/bin/named/client.c: up to 1.16 external/bsd/bind/dist/bin/named/config.c: up to 1.13 external/bsd/bind/dist/bin/named/control.c: up to 1.11 external/bsd/bind/dist/bin/named/controlconf.c: up to 1.12 external/bsd/bind/dist/bin/named/include/named/log.h: up to 1.5 external/bsd/bind/dist/bin/named/include/named/query.h: up to 1.7 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.11 external/bsd/bind/dist/bin/named/lwdgrbn.c: up to 1.8 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.6 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/bin/named/main.c: up to 1.20 external/bsd/bind/dist/bin/named/named.8: up to 1.9 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.13 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.14 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.10 external/bsd/bind/dist/bin/named/query.c: up to 1.22 external/bsd/bind/dist/bin/named/server.c: up to 1.21 external/bsd/bind/dist/bin/named/statschannel.c: up to 1.12 external/bsd/bind/dist/bin/named/unix/include/named/os.h: up to 1.5 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.9 external/bsd/bind/dist/bin/named/win32/include/named/os.h: up to 1.5 external/bsd/bind/dist/bin/named/win32/named.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/named.mak.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/named.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/bin/named/win32/named.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/os.c: up to 1.10 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.12 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.9 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.8 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.15 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8ze-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zh-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0q-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1l-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.2 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11list.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.7 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.4 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.9 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/win32/rndc.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/rndc/win32/rndcutil.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.6 external/bsd/bind/dist/bin/tests/atomic/win32/t_atomic.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/dst/win32/t_dst.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/mem/win32/t_mem.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/names/win32/t_names.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/nsecify.c: up to 1.7 external/bsd/bind/dist/bin/tests/rbt/win32/t_rbt.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/rbt_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/sockaddr/win32/t_sockaddr.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/acl/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/addzone/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/addzone/ns2/named2.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/allow_query/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/autosign/clean.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/cacheclean/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/case/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/checkconf/in-view-good.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/portrange-good.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/shared.example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-any1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-any2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-in1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-in2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checknames/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/checkzone/zones/.gitattributes: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-badclass.raw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/delv/clean.sh delete external/bsd/bind/dist/bin/tests/system/delv/ns1/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/ns1/root.db delete external/bsd/bind/dist/bin/tests/system/delv/ns2/example.db delete external/bsd/bind/dist/bin/tests/system/delv/ns2/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/ns3/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/tests.sh delete external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/DNAME=10=example.net.=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/NS=10=example.com.=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dns64/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/generic.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/keyless.example.db.in delete external/bsd/bind/dist/bin/tests/system/dnssec/ns3/managed-future.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/signer/remove.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/signer/remove2.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dscp/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/ednscompliance/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/forward/rfc1918-inherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/rfc1918-notinherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/forward/ula-inherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/ula-notinherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/genzone.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/geoip/options.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/glue/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ixfr/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/limits/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/lwresd/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nslookup/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/delegation.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad1.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad2.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad3.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/resolver/ns1/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns6/delegation-only.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rndc/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/ns4/named.conf.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrchecker/typelist.good: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/runall.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/sit/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/sortlist/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/stub/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/tkey/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/tsiggss/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/unknown/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/views/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/xfer/dig1.good: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/dig2.good: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/knowngood.mapped: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns2/mapped.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/ns3/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/xferquota/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns2/tld.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns4/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns4/one.tld.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/tasks/win32/t_tasks.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/backtrace_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/inter_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/rwlock_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/shutdown_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/sock_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/task_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/timer_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/wire_test.c: up to 1.8 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.6 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.7 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.6 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-rrchecker.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.6 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/win32/arpaname.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/genrandom.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/journalprint.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/rrchecker.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.11 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.h: up to 1.5 external/bsd/bind/dist/config.h.in: up to 1.13 external/bsd/bind/dist/config.h.win32: up to 1.1.1.13 external/bsd/bind/dist/configure: up to 1.6 external/bsd/bind/dist/configure.in: up to 1.9 external/bsd/bind/dist/contrib/README: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/bin/dlzbdb/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/contrib/dlz/config.dlz.in: up to 1.1.1.8 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/modules/perl/dlz_perl_driver.c: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c: up to 1.4 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/README: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/RELEASE_NOTES: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/aclocal.m4: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/acx_pthread.m4: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.guess: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.sub: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/INSTALL: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/USAGE: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/datafile.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/datafile.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dns.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dns.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dnsperf.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dnsperf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/caching-dns-performance.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/dnsperf.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/resperf.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/install-sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/log.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/log.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/net.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/net.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/opt.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/opt.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/os.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/os.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf-report: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/util.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/version.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c: up to 1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/config.h.in: up to 1.1.1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/query-loc-0.4.0/configure.in: up to 1.1.1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c: up to 1.6 external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.h: up to 1.5 external/bsd/bind/dist/contrib/sdb/ldap/README.zone2ldap: up to 1.1.1.2 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.5 external/bsd/bind/dist/doc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.conf: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.16 external/bsd/bind/dist/doc/arm/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/README-SGML: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/html-fixup.pl delete external/bsd/bind/dist/doc/arm/latex-fixup.pl delete external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.10 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/notes.conf: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/noteversion.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/pkgversion.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/releaseinfo.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/doxygen/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/doc/misc/options: up to 1.8 external/bsd/bind/dist/doc/misc/rfc-compliance: up to 1.1.1.5 external/bsd/bind/dist/doc/tex/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/doc/tex/armstyle.sty.in: up to 1.1.1.1 external/bsd/bind/dist/doc/tex/notestyle.sty: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/arm-param.xsl: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/graphics/caution.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/caution.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/important.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/important.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/note.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/note.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/tip.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/tip.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/warning.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/warning.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-latex-mappings.xml delete external/bsd/bind/dist/doc/xsl/isc-docbook-latex.xsl.in delete external/bsd/bind/dist/doc/xsl/isc-docbook-text.xsl: up to 1.1.1.4 external/bsd/bind/dist/doc/xsl/isc-manpage.xsl.in: up to 1.1.1.4 external/bsd/bind/dist/doc/xsl/isc-notes-html.xsl.in: up to 1.1.1.2 external/bsd/bind/dist/doc/xsl/isc-notes-latex.xsl.in delete external/bsd/bind/dist/doc/xsl/notes-param.xsl: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/pre-latex.xsl: up to 1.1.1.4 external/bsd/bind/dist/isc-config.sh.1: up to 1.6 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.6 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.8 external/bsd/bind/dist/isc-config.sh.in: up to 1.1.1.7 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.18 external/bsd/bind/dist/lib/bind9/check.c: up to 1.14 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/bind9/win32/libbind9.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/win32/libbind9.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/bind9/win32/libbind9.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/lib/dns/acache.c: up to 1.8 external/bsd/bind/dist/lib/dns/api: up to 1.10 external/bsd/bind/dist/lib/dns/cache.c: up to 1.10 external/bsd/bind/dist/lib/dns/client.c: up to 1.12 external/bsd/bind/dist/lib/dns/db.c: up to 1.8 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.9 external/bsd/bind/dist/lib/dns/forward.c: up to 1.6 external/bsd/bind/dist/lib/dns/gen.c: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/dbiterator.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/forward.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/name.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/journal.c: up to 1.11 external/bsd/bind/dist/lib/dns/master.c: up to 1.16 external/bsd/bind/dist/lib/dns/message.c: up to 1.20 external/bsd/bind/dist/lib/dns/name.c: up to 1.13 external/bsd/bind/dist/lib/dns/nsec3.c: up to 1.13 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.12 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.23 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.14 external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/avc_258.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/avc_258.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/csync_62.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/csync_62.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c: up to 1.1.1.8 external/bsd/bind/dist/lib/dns/rdata/generic/ninfo_56.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ninfo_56.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/rkey_57.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/rkey_57.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/sink_40.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/sink_40.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/smimea_53.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/smimea_53.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/ta_32768.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ta_32768.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/talink_58.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/talink_58.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c: up to 1.6 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.26 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.10 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.8 external/bsd/bind/dist/lib/dns/tests/dbiterator_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/dbversion_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/dnstest.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/tests/dnstest.h: up to 1.4 external/bsd/bind/dist/lib/dns/tests/name_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rbt_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rdata_test.c: up to 1.6 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.11 external/bsd/bind/dist/lib/dns/update.c: up to 1.6 external/bsd/bind/dist/lib/dns/view.c: up to 1.12 external/bsd/bind/dist/lib/dns/win32/gen.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.8 external/bsd/bind/dist/lib/dns/win32/libdns.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/win32/libdns.vcxproj.filters.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/win32/libdns.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.13 external/bsd/bind/dist/lib/dns/zone.c: up to 1.16 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.9 external/bsd/bind/dist/lib/irs/win32/libirs.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/irs/win32/libirs.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.20 external/bsd/bind/dist/lib/isc/base32.c: up to 1.7 external/bsd/bind/dist/lib/isc/base64.c: up to 1.7 external/bsd/bind/dist/lib/isc/buffer.c: up to 1.7 external/bsd/bind/dist/lib/isc/commandline.c: up to 1.7 external/bsd/bind/dist/lib/isc/hash.c: up to 1.10 external/bsd/bind/dist/lib/isc/hex.c: up to 1.7 external/bsd/bind/dist/lib/isc/httpd.c: up to 1.10 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/include/isc/assertions.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/error.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/file.h: up to 1.10 external/bsd/bind/dist/lib/isc/include/isc/hash.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/magic.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/include/isc/result.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.10 external/bsd/bind/dist/lib/isc/include/isc/util.h: up to 1.12 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/md5.c: up to 1.8 external/bsd/bind/dist/lib/isc/mem.c: up to 1.14 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.8 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/result.c: up to 1.6 external/bsd/bind/dist/lib/isc/sockaddr.c: up to 1.8 external/bsd/bind/dist/lib/isc/sparc64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/stats.c: up to 1.7 external/bsd/bind/dist/lib/isc/string.c: up to 1.7 external/bsd/bind/dist/lib/isc/task.c: up to 1.13 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/tests/sockaddr_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/tests/socket_test.c: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.10 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.19 external/bsd/bind/dist/lib/isc/win32/file.c: up to 1.10 external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/atomic.h: up to 1.4 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.11 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/x86_32/include/isc/atomic.h: up to 1.5 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/x86_64/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.11 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isccc/sexpr.c: up to 1.7 external/bsd/bind/dist/lib/isccc/win32/libisccc.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccc/win32/libisccc.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isccc/win32/libisccc.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.9 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.18 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.13 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.11 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.vcxproj.filters.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/tests/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/lwres/win32/liblwres.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/win32/liblwres.mak.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.filters.in: up to 1.1.1.3 external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/gai.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/tests/include/tests/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/tests/win32/libtests.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/win32/bindevt/bindevt.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/make/rules.in: up to 1.7 external/bsd/bind/dist/srcid: up to 1.16 external/bsd/bind/dist/unit/unittest.sh.in: up to 1.1.1.4 external/bsd/bind/dist/version: up to 1.20 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.6 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildSetup.bat.in: up to 1.1.1.6 external/bsd/bind/include/config.h: up to 1.20 external/bsd/bind/include/dns/code.h: up to 1.12 external/bsd/bind/include/dns/enumtype.h: up to 1.12 external/bsd/bind/include/dns/rdatastruct.h: up to 1.12 external/bsd/bind/include/isc/atomic.h: up to 1.5 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P3. @ text @d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 1
- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d97 7 a103 12- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
- BIND9 Statistics
- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d513 1 a513 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d324 4 a327 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d435 1 a435 1 (such as max-journal-size) may d501 1 a501 1 d607 1 a607 1 d623 1 a623 1 d697 1 a697 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d530 2 a531 2
- the name of an address match list defined with the acl statement d533 1 a533 1
- a nested address match list enclosed in braces
d557 2 a558 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d564 12 a575 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d588 1 a588 1 1.2.3/24; ! 1.2.3.13; d591 1 a591 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d597 1 a597 1d713 2 a714 2d719 1 a719 1 acl
d730 1 a730 1controls
d735 1 a735 1 by the rndc utility. d741 1 a741 1include
d751 1 a751 1key
d762 1 a762 1logging
d773 1 a773 1lwres
d777 2 a778 2 configures named to also act as a light-weight resolver daemon (lwresd). d784 1 a784 1masters
d790 2 a791 2 masters or also-notify lists. d797 1 a797 1options
d808 1 a808 1server
d819 1 a819 1statistics-channels
d824 1 a824 1 named statistics. d830 1 a830 1trusted-keys
d840 1 a840 1managed-keys
d851 1 a851 1view
d861 1 a861 1zone
d872 2 a873 2 The logging and options statements may only occur once d877 1 a877 1acl acl-name { d885 1 a885 1d887 1 a887 1 acl Statement Definition and d890 1 a890 1 The acl statement assigns a symbolic d899 2 a900 2d905 1 a905 1 any
d915 1 a915 1none
d925 1 a925 1localhost
d931 1 a931 1 added or removed, the localhost d938 1 a938 1localnets
d945 1 a945 1 the localnets d950 1 a950 1 In such a case, localnets d952 1 a952 1 IPv6 addresses, just like localhost. d962 1 a962 1 geoip [dbdatabase]fieldvalued1016 1 a1016 1controls { d1030 1 a1030 1d1032 1 a1032 1 controls Statement Definition and d1035 1 a1035 1 The controls statement declares control d1038 1 a1038 1 used by the rndc utility to send d1042 4 a1045 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d1049 2 a1050 2 use an ip_addr of::. If you will only use rndc on the local host, d1056 1 a1056 1 "*" cannot be used for ip_port. d1060 2 a1061 2 restricted by the allow and keys clauses. d1063 3 a1065 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1069 1 a1069 1 A unix control channel is a UNIX domain d1071 2 a1072 2 Access to the socket is specified by the perm, owner and group clauses. d1074 1 a1074 1 (perm) are applied to the parent directory d1079 3 a1081 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1083 2 a1084 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1087 2 a1088 2 If no controls statement is present, named will set up a default d1091 3 a1093 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1104 1 a1104 1 messages and thus did not have a keys clause. d1108 2 a1109 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1125 1 a1125 1 named is running as) can access it. d1128 1 a1128 1 rndc commands, then you need to create d1136 2 a1137 2 controls statement: controls { };. d1140 1 a1140 1included1145 1 a1145 1 d1150 3 a1152 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1160 1 a1160 1filename;keykey_id{ d1169 1 a1169 1 d1173 2 a1174 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1176 2 a1177 1 (see the section called “controls Statement Definition and d1181 1 a1181 1 The key statement can occur at the d1183 2 a1184 2 of the configuration file or inside a view statement. Keys defined in top-level key d1186 3 a1188 2 a controls statement (see the section called “controls Statement Definition and d1195 1 a1195 1 be used in a server d1216 1 a1216 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1229 3 a1231 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1233 1 a1233 1 [ categorycategory_name{ d1240 1 a1240 1 d1245 1 a1245 1 The logging statement configures a d1247 1 a1247 1 variety of logging options for the name server. Its channel phrase d1249 1 a1249 1 a name that can then be used with the category phrase d1253 1 a1253 1 Only one logging statement is used to d1255 1 a1255 1 as many channels and categories as are wanted. If there is no logging statement, d1267 1 a1267 1 established as soon as the logging d1274 1 a1274 1 d1287 2 a1288 2 info), and whether to include a named-generated time stamp, the d1293 1 a1293 1 The null destination clause d1298 1 a1298 1 The file destination clause directs d1306 1 a1306 1 If you use the versions log file d1308 1 a1308 1 named will retain that many backup d1318 1 a1318 1 You can say versions unlimited to d1321 1 a1321 1 If a size option is associated with d1329 1 a1329 1 The size option for files is used d1331 2 a1332 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1336 1 a1336 1 versions option, no more data will d1345 2 a1346 2 Example usage of the size and versions options: d1355 1 a1355 1 The syslog destination clause d1358 9 a1366 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1369 1 a1369 1 How syslog will handle messages d1371 3 a1373 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1380 1 a1380 1 The severity clause works like syslog's d1382 1 a1382 1 straight to a file rather than using syslog. d1389 1 a1389 1 If you are using syslog, then the syslog.conf priorities d1391 7 a1397 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1401 1 a1401 1 The stderr destination clause d1414 1 a1414 1 level is set either by starting the named server d1416 1 a1416 1 or by running rndc trace. d1418 1 a1418 1 can be set to zero, and debugging mode turned off, by running rndc d1431 1 a1431 1 level. Channels with dynamic d1436 1 a1436 1 If print-time has been turned on, d1438 2 a1439 2 the date and time will be logged. print-time may be specified for a syslog channel, d1441 1 a1441 1 pointless since syslog also logs d1443 1 a1443 1 time. If print-category is d1445 2 a1446 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1450 1 a1450 1 three print- options d1458 1 a1458 1 named's default logging as follows. d1460 1 a1460 1 used is described in the section called “The category Phrase”. d1490 1 a1490 1 The default_debug channel has the d1500 1 a1500 1 is created only after named has d1502 1 a1502 1 new UID, and any debug output generated while named is d1514 1 a1514 1 d1522 1 a1522 1 in that category will be sent to the default category d1543 1 a1543 1 To discard all messages in a category, specify the null channel: d1555 2 a1556 2d1561 2 a1562 2 client
Processing of client requests.
d1574 2 a1575 2cname
d1577 5 a1581 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1585 2 a1586 2config
d1588 6 a1593 4Configuration file parsing and processing.
d1597 2 a1598 2database
d1600 4 a1603 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1607 2 a1608 2default
d1610 4 a1613 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1617 2 a1618 2delegation-only
d1620 6 a1625 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1629 2 a1630 2dispatch
d1632 4 a1635 5Dispatching of incoming packets to the server modules where they are to be processed.
d1639 2 a1640 2dnssec
d1642 4 a1645 4DNSSEC and TSIG protocol processing.
d1649 2 a1650 2edns-disabled
d1652 4 a1655 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1659 2 a1660 2general
d1662 4 a1665 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1669 2 a1670 2lame-servers
d1672 9 a1680 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1684 2 a1685 2network
d1687 4 a1690 4Network operations.
d1694 2 a1695 2notify
d1697 4 a1700 4The NOTIFY protocol.
d1704 2 a1705 2queries
d1707 4 a1710 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1714 2 a1715 2query-errors
d1717 35 a1751 5Information about queries that resulted in some failure.
d1755 2 a1756 2rate-limit
d1758 5 a1762 20The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1766 2 a1767 2resolver
d1769 5 a1773 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1777 2 a1778 2rpz
d1780 4 a1783 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1787 2 a1788 2security
d1790 6 a1795 4Approval and denial of requests.
d1799 2 a1800 2spill
d1802 8 a1809 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1813 2 a1814 2unmatched
d1816 28 a1843 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1847 2 a1848 2update
d1850 7 a1856 4Dynamic updates.
d1860 2 a1861 2update-security
d1863 20 a1882 4Approval and denial of update requests.
d1886 2 a1887 2xfer-in
d1889 5 a1893 14Zone transfers the server is receiving.
xfer-out
d1898 1 a1898 1 d1902 1 a1902 1 The query-errors category is d1907 1 a1907 1 with debug levels. d1970 2 a1971 2 Zone transfers the server is sending.
d2126 1 a2126 1 d2130 1 a2130 1 This is the grammar of the lwres d2133 1 a2133 1 lwres { d2142 1 a2142 1 d2146 1 a2146 1 The lwres statement configures the d2149 2 a2150 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2154 1 a2154 1 The listen-on statement specifies a d2165 1 a2165 1 The view statement binds this d2176 1 a2176 1 The search statement is equivalent to d2178 1 a2178 1 search statement in d2184 1 a2184 1 The ndots statement is equivalent to d2186 1 a2186 1 ndots statement in d2193 1 a2193 1 d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2201 1 a2201 1d2203 1 a2203 1 masters Statement Definition and d2205 1 a2205 1d2215 1 a2215 1 This is the grammar of the options d2218 1 a2218 1masters d2207 2 a2208 2 multiple stub and slave zones in their masters or also-notify lists. d2211 1 a2211 1
options { a2258 2 [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] a2263 1 [ auto-dnssecallow|maintain|off; ] d2340 1 a2340 1 [ fetches-per-zonenumber[(drop | fail)]; ] d2357 3 a2359 2 [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr[portip_port] ) [keykeyname] ; ... }; ] d2376 1 a2376 2 [ max-zone-ttl (unlimited|number; ] [ serial-update-methodincrement|unixtime|date; ] d2404 1 a2404 1 [ suffixIPv6-address; ] a2466 1 [ automatic-interface-scanyes_or_no] d2471 1 a2471 1d2473 1 a2473 1 options Statement Definition and d2476 1 a2476 1 The options statement sets up global d2480 1 a2480 1 once in a configuration file. If there is no options d2484 2 a2485 2d4145 2 a4146 2
- attach-cache
d2497 2 a2498 2 The attach-cache option may also be specified in view d2500 1 a2500 1 global attach-cache option. d2505 1 a2505 1 When the named server configures d2516 1 a2516 1 the attach-cache as a global d2525 1 a2525 1 attach-cache option as a view A (or d2548 8 a2555 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2570 1 a2570 1- directory
d2585 1 a2585 1- geoip-directory
d2592 2 a2593 1 (For details, see the section called “acl Statement Definition and d2595 1 a2595 1 geoip ACL.) d2597 1 a2597 1- key-directory
d2608 1 a2608 1- managed-keys-directory
d2616 1 a2616 1 If named is not configured to use views, d2625 1 a2625 1- named-xfer
d2629 1 a2629 1 the pathname to the named-xfer d2631 1 a2631 1 named-xfer program is needed; d2634 1 a2634 1- tkey-gssapi-keytab
d2641 1 a2641 1- tkey-gssapi-credential
d2652 1 a2652 1 To use GSS-TSIG, tkey-domain must d2656 1 a2656 1- tkey-domain
d2659 2 a2660 2 generated with TKEY. When a client requests a TKEY exchange, d2667 1 a2667 1 In most cases, the domainname d2674 1 a2674 1- tkey-dhkey
d2679 1 a2679 1 of TKEY. The server must be d2685 1 a2685 1- cache-file
d2689 1 a2689 1- dump-file
d2693 1 a2693 1 rndc dumpdb. d2696 1 a2696 1- memstatistics-file
d2702 1 a2702 1- pid-file
d2709 1 a2709 1 name server. Specifying pid-file none disables the d2711 1 a2711 1 existing one will be removed. Note that none d2716 1 a2716 1- recursing-file
d2720 1 a2720 1 to do so with rndc recursing. d2723 1 a2723 1- statistics-file
d2726 1 a2726 1 to when instructed to do so using rndc stats. d2730 1 a2730 1 in the section called “The Statistics File”. d2732 1 a2732 1- bindkeys-file
d2735 3 a2737 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2741 1 a2741 1- secroots-file
d2745 1 a2745 1 rndc secroots. d2749 1 a2749 1- session-keyfile
d2752 2 a2753 2 session key generated by named for use by nsupdate -l. If not specified, the d2755 1 a2755 1 (See the section called “Dynamic Update Policies”, and in d2757 1 a2757 1 update-policy statement's d2761 1 a2761 1- session-keyname
d2766 1 a2766 1- session-keyalg
d2773 1 a2773 1- port
d2783 1 a2783 1- dscp
d2790 1 a2790 1- random-device
d2804 1 a2804 1 random-device option takes d2809 1 a2809 1- preferred-glue
d2814 1 a2814 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2817 1 a2817 1 root-delegation-only d2863 1 a2863 1- disable-algorithms
d2868 1 a2868 1 Multiple disable-algorithms d2870 1 a2870 1 Only the best match disable-algorithms d2875 1 a2875 1 by the disable-algorithms will be treated d2879 1 a2879 1- disable-ds-digests
d2884 1 a2884 1 Multiple disable-ds-digests d2886 1 a2886 1 Only the best match disable-ds-digests d2891 1 a2891 1 by the disable-ds-digests will be treated d2895 1 a2895 1- dnssec-lookaside
d2898 1 a2898 1 When set, dnssec-lookaside provides the d2902 1 a2902 1 dnssec-lookaside, and the normal DNSSEC d2910 1 a2910 1 If dnssec-lookaside is set to d2916 1 a2916 1 If dnssec-lookaside is set to d2923 2 a2924 2 named will load that key at startup if dnssec-lookaside is set to d2929 1 a2929 1 from https://www.isc.org/solutions/dlv/. d2934 2 a2935 2 named. Relying on this is not recommended, however, as it requires named d2939 1 a2939 1 NOTE: named only loads certain specific d2945 1 a2945 1- dnssec-must-be-secure
d2949 1 a2949 1 then named will only accept answers if d2953 3 a2955 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2957 1 a2957 1- dns64
d2960 1 a2960 1 This directive instructs named to d2964 1 a2964 1 dns64 defines one DNS64 prefix. d2975 2 a2976 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2982 2 a2983 2 Each dns64 supports an optional clients ACL that determines which d2988 2 a2989 2 Each dns64 supports an optional mapped ACL that selects which d2998 1 a2998 1 exclude ACL allows specification d3002 1 a3002 1 name owns. If not defined, exclude d3006 1 a3006 1 A optional suffix can also d3014 2 a3015 2 If recursive-only is set to yes the DNS64 synthesis will d3017 1 a3017 1 is no. d3020 2 a3021 2 If break-dnssec is set to yes the DNS64 synthesis will d3024 1 a3024 1 is set to no (the default), the DO d3039 1 a3039 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d3046 2 a3047 2 the section called “Dynamic Update Policies”), and if named has access to the d3049 1 a3049 1 named will automatically sign all new d3056 1 a3056 1 then named will sign all new or d3061 1 a3061 1 With either of these settings, named d3064 1 a3064 1 named. (A planned third option, d3070 1 a3070 1- max-zone-ttl
a3093 27The default value is
unlimited. Amax-zone-ttlof zero is treated asunlimited.- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
d3095 1 a3095 1- zone-statistics
d3101 3 a3103 3 zone-statistics terse or zone-statistics none in the zone statement). d3111 2 a3112 2 statistics-channel or using rndc stats, which d3114 2 a3115 2 in the statistics-file. See also the section called “The Statistics File”. d3119 1 a3119 1 of BIND 9, the zone-statistics d3130 1 a3130 1d3133 2 a3134 2d4104 2 a4105 2
- automatic-interface-scan
d3144 1 a3144 1 automatic-interface-scan to be d3148 1 a3148 1- allow-new-zones
d3151 2 a3152 2 added at runtime via rndc addzone or deleted via rndc delzone. d3155 1 a3155 1- auth-nxdomain
d3157 1 a3157 1 Ifyes, then the AA bit d3166 1 a3166 1- deallocate-on-exit
d3173 1 a3173 1- memstatistics
d3176 1 a3176 1 memstatistics-file at exit. d3181 1 a3181 1- dialup
d3193 1 a3193 1 happens in a short interval, once every heartbeat-interval and d3199 4 a3202 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3215 1 a3215 1 notify and also-notify. d3223 1 a3223 1 heartbeat-interval expires in d3236 1 a3236 1 when the heartbeat-interval d3244 4 a3247 4d3274 1 a3274 1 no (default)
d3294 1 a3294 1yes
d3314 1 a3314 1notify
d3334 1 a3334 1refresh
d3354 1 a3354 1passive
d3374 1 a3374 1notify-passive
d3396 1 a3396 1 dialup. d3399 1 a3399 1- fake-iquery
d3406 1 a3406 1- fetch-glue
d3417 1 a3417 1- flush-zones-on-shutdown
d3422 1 a3422 1 flush-zones-on-shutdownno. d3424 1 a3424 1- has-old-clients
d3430 3 a3432 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3434 1 a3434 1- host-statistics
d3441 1 a3441 1- maintain-ixfr-base
d3449 1 a3449 1 transfers, use provide-ixfrno. d3451 1 a3451 1- minimal-responses
d3460 1 a3460 1- multiple-cnames
d3468 1 a3468 1- notify
d3474 1 a3474 1 changes, see the section called “Notify”. The messages are d3479 1 a3479 1 also-notify option. d3487 1 a3487 1 servers explicitly listed using also-notify. d3491 2 a3492 2 The notify option may also be specified in the zone d3494 1 a3494 1 in which case it overrides the options notify statement. d3500 1 a3500 1- notify-to-soa
d3511 1 a3511 1- recursion
d3522 1 a3522 1 Note that setting recursion no does not prevent d3528 1 d3530 1 a3530 1- request-nsid
d3537 2 a3538 2 the resolver category at level info. d3541 1 a3541 1- request-sit
d3557 1 a3557 1 the nosit-udp-size option. d3559 1 a3559 10- nosit-udp-size
Sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. A value below 128 will be silently raised to 128. The default value is 4096, but the max-udp-size option may further limit the response size.
- sit-secret
d3569 1 a3569 1- rfc2308-type1
d3585 1 a3585 1- use-id-pool
d3591 1 a3591 1- use-ixfr
d3596 3 a3598 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3601 1 a3601 1 the section called “Incremental Zone Transfers (IXFR)”. d3603 1 a3603 1- provide-ixfr
d3606 3 a3608 2 provide-ixfr in the section called “server Statement Definition and d3611 1 a3611 1- request-ixfr
d3614 3 a3616 2 request-ixfr in the section called “server Statement Definition and d3619 1 a3619 1- treat-cr-as-space
d3623 1 a3623 1 the server treat carriage return ("\r") characters the same way d3627 2 a3628 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3633 1 a3633 1 additional-from-auth, additional-from-cache d3668 1 a3668 1 Setting these options to no d3676 1 a3676 1 them to no without also d3678 1 a3678 1 recursion no will cause the d3683 1 a3683 1 Specifying additional-from-cache no actually d3703 1 a3703 1 referrals when additional-from-cache no d3711 1 a3711 1- match-mapped-addresses
d3724 1 a3724 1 named now solves this problem d3728 1 a3728 1- filter-aaaa-on-v4
d3739 3 a3741 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3746 1 a3746 1 the DNS client is at an IPv4 address, in filter-aaaa, d3779 1 a3779 1- filter-aaaa-on-v6
d3781 1 a3781 1 Identical to filter-aaaa-on-v4, d3786 1 a3786 1- ixfr-from-differences
d3810 3 a3812 3ixfr-from-differences also accepts master and slave at the view and options d3814 3 a3816 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3820 1 a3820 1
- multi-master
d3824 1 a3824 1 addresses refer to different machines. Ifyes, named will d3826 1 a3826 1 when the serial number on the master is less than what named d3830 1 a3830 41- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
d3833 1 a3833 1 records are to be returned by named. d3835 1 a3835 1 named will not return DNSSEC-related d3839 1 a3839 1- dnssec-validation
d3842 2 a3843 2 Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3851 2 a3852 2 a trusted-keys or managed-keys statement. The default d3861 1 a3861 1 dnssec-validation is off. d3865 1 a3865 1- dnssec-accept-expired
d3870 1 a3870 1 leaves named vulnerable to d3873 1 a3873 1- querylog
d3875 1 a3875 1 Specify whether query logging should be started when named d3877 1 a3877 1 If querylog is not specified, d3879 1 a3879 1 is determined by the presence of the logging category queries. d3881 1 a3881 1- check-names
d3890 5 a3894 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3900 1 a3900 1check-names d3909 1 a3909 1
- check-dup-records
d3913 3 a3915 3 default is to warn. Other possible values are fail and ignore. d3917 1 a3917 1- check-mx
d3920 3 a3922 3 The default is to warn. Other possible values are fail and ignore. d3924 1 a3924 1- check-wildcard
d3931 1 a3931 1 affects master zones. The default (yes) is to check d3934 1 a3934 1- check-integrity
d3943 1 a3943 1 named-checkzone). d3946 2 a3947 2 checks use named-checkzone). The default is yes. d3957 1 a3957 1 check-spf. d3960 1 a3960 1- check-mx-cname
d3962 1 a3962 1 If check-integrity is set then d3964 1 a3964 1 to CNAMES. The default is to warn. d3966 1 a3966 1- check-srv-cname
d3968 1 a3968 1 If check-integrity is set then d3970 1 a3970 1 to CNAMES. The default is to warn. d3972 1 a3972 1- check-sibling
d3975 1 a3975 1 sibling glue exists. The default is yes. d3977 1 a3977 1- check-spf
d3979 1 a3979 1 If check-integrity is set then d3983 1 a3983 1 warn. d3985 1 a3985 1- zero-no-soa-ttl
d3990 1 a3990 1 The default is yes. d3992 1 a3992 1- zero-no-soa-ttl-cache
d3996 1 a3996 1 The default is no. d3998 1 a3998 1- update-check-ksk
d4013 1 a4013 1 similar to the dnssec-signzone -z d4025 1 a4025 1- dnssec-dnskey-kskonly
d4028 1 a4028 1 When this option and update-check-ksk d4035 1 a4035 1 dnssec-signzone -x command line option. d4038 2 a4039 2 The default is no. If update-check-ksk is set to d4043 16 a4058 1- try-tcp-refresh
d4062 1 a4062 1 yes. d4064 1 a4064 1- dnssec-secure-to-insecure
d4069 2 a4070 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d4083 1 a4083 1 auto-dnssec maintain and the d4086 1 a4086 1 next time named is started. d4091 1 a4091 1
- forward
d4117 1 a4117 1- forwarders
d4129 3 a4131 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d4135 1 a4135 1d4918 2 a4919 2 example, 1G can be used instead of 1073741824 to specify a limit of d4921 1 a4921 1 gigabyte. unlimited requests d4923 1 a4923 1 maximum available amount. default d4926 1 a4926 1 of size_spec in the section called “Configuration File Elements”. d4936 2 a4937 2
- dual-stack-servers
d4153 1 a4153 1 stacked, then the dual-stack-servers have no effect unless d4155 1 a4155 1 (e.g. named -4). d4159 1 a4159 1d4164 1 a4164 1 of the requesting system. See the section called “Address Match Lists” for d4167 2 a4168 2d4408 1 a4408 1 from may be specified using the listen-on option. listen-on takes d4416 1 a4416 1 Multiple listen-on statements are d4429 1 a4429 1 If no listen-on is specified, the d4433 1 a4433 1 The listen-on-v6 option is used to d4444 1 a4444 1 listen-on-v6 option, d4459 1 a4459 1 IPv4 addresses specified in listen-on-v6 d4463 1 a4463 1 Multiple listen-on-v6 options can d4482 1 a4482 1
- allow-notify
d4173 1 a4173 1 allow-notify may also be d4175 1 a4175 1 zone statement, in which case d4177 1 a4177 1 options allow-notify d4183 1 a4183 1- allow-query
d4187 2 a4188 2 DNS questions. allow-query may also be specified in the zone d4190 1 a4190 1 options allow-query statement. d4197 1 a4197 1 allow-query-cache is now d4202 1 a4202 1- allow-query-on
d4212 1 a4212 1 Note that allow-query-on is only d4214 1 a4214 1 allow-query. A query must be d4218 2 a4219 2 allow-query-on may also be specified in the zone d4221 1 a4221 1 options allow-query-on statement. d4230 1 a4230 1 allow-query-cache is d4235 1 a4235 1- allow-query-cache
d4238 7 a4244 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4246 1 a4246 1- allow-query-cache-on
d4251 2 a4252 2 localnets and localhost. d4254 1 a4254 1- allow-recursion
d4258 3 a4260 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4262 2 a4263 2 (localnets; localhost;) is used. d4265 1 a4265 1- allow-recursion-on
d4271 1 a4271 1- allow-update
d4278 1 a4278 1 the section called “Dynamic Update Security” for details. d4280 1 a4280 1- allow-update-forwarding
d4304 1 a4304 1 access control to attacks; see the section called “Dynamic Update Security” d4308 1 a4308 1- allow-v6-synthesis
d4318 1 a4318 1- allow-transfer
d4321 2 a4322 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4324 1 a4324 1 case it overrides the options allow-transfer statement. d4328 1 a4328 1- blackhole
d4336 1 a4336 1- filter-aaaa
d4339 1 a4339 1 filter-aaaa-on-v4 d4342 1 a4342 1- no-case-compress
d4347 1 a4347 1 used when named needs to work with d4354 1 a4354 1 none: case-insensitive compression d4378 1 a4378 1 There are circumstances in which named d4393 1 a4393 1- resolver-query-timeout
d4403 1 a4403 1d4487 1 a4487 1 query other name servers. query-source specifies d4489 3 a4491 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4495 1 a4495 1 If port is * or is omitted, d4499 2 a4500 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4502 2 a4503 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4506 2 a4507 2 The defaults of the query-source and query-source-v6 options d4514 3 a4516 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4520 1 a4520 1 named will use the corresponding system d4533 2 a4534 2 changed while named is running; the new range will automatically be applied when named d4537 2 a4538 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4544 1 a4544 1 where named runs may prohibit the use d4546 1 a4546 1 named running without a root privilege d4555 2 a4556 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4564 1 a4564 1 the use-queryport-pool d4570 2 a4571 2 query-source or query-source-v6 options; d4574 2 a4575 2d4874 4 a4877 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4880 1 a4880 1 See the section called “Query Address” about how the d4890 1 a4890 1 from named will be in one d4895 3 a4897 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4905 3 a4907 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4912 1 a4912 1
- use-queryport-pool
d4579 1 a4579 1- queryport-pool-ports
d4583 1 a4583 1- queryport-pool-updateinterval
d4591 1 a4591 1 The address specified in the query-source option d4607 2 a4608 2 See also transfer-source and notify-source. d4612 1 a4612 1d4621 2 a4622 2d4824 1 a4824 1
- also-notify
d4633 1 a4633 1 also-notify address to send d4640 1 a4640 1 masters lists can be used. d4643 2 a4644 2 If an also-notify list is given in a zone statement, d4646 2 a4647 2 the options also-notify statement. When a zone notify d4649 2 a4650 2 is set to no, the IP addresses in the global also-notify list will d4656 1 a4656 1- max-transfer-time-in
d4663 1 a4663 1- max-transfer-idle-in
d4670 1 a4670 1- max-transfer-time-out
d4677 1 a4677 1- max-transfer-idle-out
d4684 1 a4684 1- serial-query-rate
d4693 1 a4693 1 serial-query-rate option, an d4702 1 a4702 1 serial-query-rate also controls d4707 1 a4707 1- serial-queries
d4709 1 a4709 1 In BIND 8, the serial-queries d4714 1 a4714 1 serial queries and ignores the serial-queries option. d4716 1 a4716 1 as defined using the serial-query-rate option. d4718 1 a4718 1- transfer-format
d4721 3 a4723 3 one-answer and many-answers. The transfer-format option is used d4725 1 a4725 1 one-answer uses one DNS message per d4727 1 a4727 1 many-answers packs as many resource d4729 1 a4729 1 many-answers is more efficient, but is d4733 1 a4733 1 The many-answers format is also supported by d4735 3 a4737 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4740 1 a4740 1- transfers-in
d4744 1 a4744 1 Increasing transfers-in may d4749 1 a4749 1- transfers-out
d4756 1 a4756 1- transfers-per-ns
d4762 1 a4762 1 Increasing transfers-per-ns d4766 3 a4768 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4770 1 a4770 1- transfer-source
d4772 1 a4772 1transfer-source d4782 1 a4782 1 allow-transfer option for the d4785 1 a4785 1 transfer-source for all zones, d4788 3 a4790 3 transfer-source statement within the view or zone block in the configuration d4801 1 a4801 1
- transfer-source-v6
d4803 1 a4803 1 The same as transfer-source, d4806 1 a4806 1- alt-transfer-source
d4810 2 a4811 2 transfer-source fails and use-alt-transfer-source is a4815 1d4818 1 a4818 1 use-alt-transfer-source d4822 1 a4822 2
- alt-transfer-source-v6
d4827 2 a4828 2 transfer-source-v6 fails and use-alt-transfer-source is d4831 1 a4831 1- use-alt-transfer-source
d4834 1 a4834 1 specified this defaults to no d4836 1 a4836 1 yes (for BIND 8 d4839 1 a4839 1- notify-source
d4841 1 a4841 1notify-source d4845 3 a4847 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4850 3 a4852 3 notify-source statement within the zone or view block in the configuration d4863 1 a4863 1
- notify-source-v6
d4865 1 a4865 1 Like notify-source, d4870 1 a4870 1d7528 1 a7528 1 The view statement is a powerful d7537 1 a7537 1 Each view statement defines a view d7543 1 a7543 1 match-clients clause and its d7547 1 a7547 1 match-destinations clause. If not d7549 1 a7549 1 match-clients and match-destinations d7552 2 a7553 2 match-clients and match-destinations can also take keys which provide an d7556 1 a7556 1 as match-recursive-only, which d7559 1 a7559 1 The order of the view statements is d7562 1 a7562 1 view that it matches. d7565 1 a7565 1 Zones defined within a view d7567 1 a7567 1 only be accessible to clients that match the view. d7574 2 a7575 2 Many of the options given in the options statement can also be used within a view d7579 1 a7579 1 value is given, the value in the options statement d7582 1 a7582 1 in the view statement; these d7584 1 a7584 1 take precedence over those in the options statement. d7592 1 a7592 1 If there are no view statements in d7596 1 a7596 1 in class IN. Any zone statements d7600 1 a7600 1 this default view, and the options d7602 2 a7603 2 apply to the default view. If any explicit view statements are present, all zone d7605 1 a7605 1 occur inside view statements. d7609 1 a7609 1 using view statements: d7644 1 a7644 1
- coresize
d4942 1 a4942 1- datasize
d4955 2 a4956 2 max-cache-size and recursive-clients d4959 1 a4959 1- files
d4964 1 a4964 1- stacksize
d4971 1 a4971 1d4979 2 a4980 2
- max-ixfr-log-size
d4984 1 a4984 1 max-journal-size performs a d4987 1 a4987 1- max-journal-size
d4990 1 a4990 1 (see the section called “The journal file”). When the journal file d5000 1 a5000 1- host-statistics-max
d5006 1 a5006 1- recursive-clients
d5016 1 a5016 1 recursive-clients option may d5037 1 a5037 1- tcp-clients
d5044 1 a5044 1 clients-per-query, max-clients-per-query d5051 1 a5051 1 before dropping additional clients. named will attempt to d5058 1 a5058 1 If the number of queries exceed this value, named will d5066 1 a5066 1 If clients-per-query is set to zero, d5071 1 a5071 1 If max-clients-per-query is set to zero, d5073 1 a5073 1 recursive-clients. d5077 1 a5077 1 fetches-per-zone d5111 1 a5111 1 If fetches-per-zone is set to zero, d5117 1 a5117 1 running rndc recursing. The list d5130 1 a5130 1 built with configure --enable-fetchlimit.) d5134 1 a5134 1 fetches-per-server d5157 1 a5157 1 If fetches-per-server is set to zero, d5162 1 a5162 1 The fetches-per-server quota is d5169 1 a5169 1 threshold, then fetches-per-server d5172 2 a5173 2 fetches-per-server is increased. The fetch-quota-params options d5179 1 a5179 1 built with configure --enable-fetchlimit.) d5182 1 a5182 1- fetch-quota-params
d5214 1 a5214 1 built with configure --enable-fetchlimit.) d5217 1 a5217 1- reserved-sockets
d5222 1 a5222 1 interfaces named listens on, tcp-clients as well as d5233 1 a5233 1- max-cache-size
d5251 1 a5251 1- tcp-listen-queue
d5265 1 a5265 1d5376 2 a5377 2 (but see the rrset-order statement in the section called “RRset Ordering”). d5388 1 a5388 1 The sortlist statement (see below) d5390 1 a5390 1 an address_match_list and d5392 1 a5392 1 more specifically than the topology d5394 3 a5396 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5399 1 a5399 1 an IP prefix, an ACL name or a nested address_match_list) d5411 2 a5412 2 treated the same as the address_match_list in a topology statement. Each top d5477 1 a5477 1
- cleaning-interval
d5273 1 a5273 1 from the cache every cleaning-interval minutes. d5280 1 a5280 1- heartbeat-interval
d5283 1 a5283 1 for all zones marked as dialup whenever this d5290 1 a5290 1- interface-interval
d5293 1 a5293 1 every interface-interval d5301 1 a5301 1 listen-on configuration), and d5305 1 a5305 1- statistics-interval
d5309 1 a5309 1 every statistics-interval d5324 1 a5324 1d5484 1 a5484 1 The rrset-order statement permits d5487 2 a5488 2 See also the sortlist statement, the section called “The sortlist Statement”. d5491 1 a5491 1 An order_spec is defined as d5501 3 a5503 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5506 1 a5506 1 The legal values for ordering are: d5510 2 a5511 2d5516 1 a5516 1 fixed
d5527 1 a5527 1random
d5537 1 a5537 1cyclic
d5568 1 a5568 1 If multiple rrset-order statements d5578 1 a5578 1 rrset-order statement does not support d5585 1 a5585 1d5588 2 a5589 2
- lame-ttl
d5606 1 a5606 1- max-ncache-ttl
d5609 1 a5609 1 the server stores negative answers. max-ncache-ttl is d5613 2 a5614 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5618 1 a5618 1- max-cache-ttl
d5628 1 a5628 1- min-roots
d5643 1 a5643 1- sig-validity-interval
d5648 1 a5648 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5665 1 a5665 1 The sig-validity-interval d5671 1 a5671 1- sig-signing-nodes
d5678 1 a5678 1- sig-signing-signatures
d5685 1 a5685 1- sig-signing-type
d5698 1 a5698 1 named to track the current state of d5702 2 a5703 2 rndc signing -listzone. Once named has finished signing d5707 1 a5707 1 rndc signing -clearkeyid/algorithmzone. d5710 1 a5710 1 rndc signing -clear allzone. d5714 1 a5714 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5738 4 a5741 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5745 1 a5745 1- edns-udp-size
d5757 1 a5757 1 edns-udp-size to a non-default value d5763 1 a5763 1 When named first queries a remote d5768 1 a5768 1 If the initial response times out, named d5772 1 a5772 1 successes using plain DNS, named d5774 1 a5774 1 with that server. (Periodically, named d5781 1 a5781 1 named will advertise progressively d5784 1 a5784 1 edns-udp-size is reached. d5787 1 a5787 1 The default buffer sizes used by named d5789 1 a5789 1 edns-udp-size. (The values 1232 and d5795 1 a5795 1- max-udp-size
d5799 1 a5799 1 named will send in bytes. d5807 1 a5807 1 edns-udp-size. d5811 1 a5811 1 max-udp-size to a non-default d5816 1 a5816 1 buffer (edns-udp-size). d5823 1 a5823 1- masterfile-format
d5827 1 a5827 1 the section called “Additional File Formats”). d5833 2 a5834 2 named-compilezone tool, or dumped by named. d5838 1 a5838 1textis loaded, named d5841 1 a5841 1 check-names checks do not apply d5845 1 a5845 1 specified in the named configuration d5852 1 a5852 1 masterfile-format for all zones, d5854 3 a5856 3 by including a masterfile-format statement within the zone or view block in the configuration d5861 1 a5861 1 max-recursion-depth d5874 1 a5874 1 max-recursion-queries d5885 1 a5885 1- notify-delay
d5893 1 a5893 1 zones is controlled by serial-query-rate. d5896 1 a5896 1- max-rsa-exponent-size
d5903 1 a5903 1- prefetch
d5907 1 a5907 1 is to expire shortly, named can d5930 1 a5930 1 if it isn't, named will silently d5937 1 a5937 1d5944 1 a5944 1 CHAOS class. These zones are part d5946 1 a5946 1 built-in view (see the section called “view Statement Grammar”) of d5948 3 a5950 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5952 3 a5954 3 overridden: notify, recursion and allow-new-zones are d5956 1 a5956 1 rate-limit is set to allow d5961 1 a5961 1 below, or hide the built-in CHAOS d5963 1 a5963 1 defining an explicit view of class CHAOS d5966 2 a5967 2
- version
d5971 1 a5971 1 with type TXT, class CHAOS. d5973 1 a5973 1 Specifying version none d5976 1 a5976 1- hostname
d5980 1 a5980 1 with type TXT, class CHAOS. d5986 1 a5986 1 answering your queries. Specifying hostname none; d5989 1 a5989 1- server-id
d5994 1 a5994 1 TXT, class CHAOS. d5997 1 a5997 1 answering your queries. Specifying server-id none; d5999 1 a5999 1 Specifying server-id hostname; will cause named to d6001 1 a6001 1 The default server-id is none. d6005 1 a6005 1d6028 98 a6125 98d6409 1 a6409 1 response-policy option for the view or among the d6414 1 a6414 3 allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones. d6417 1 a6417 1 A response-policy option can support d6422 1 a6422 1 in a single response-policy option; more d6428 2 a6429 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a6151 1d6156 3 a6158 4
- empty-server
d6164 1 a6164 1- empty-contact
d6170 1 a6170 1- empty-zones-enable
d6175 1 a6175 1- disable-empty-zone
d6182 1 a6182 1d6186 1 a6186 1 The additional section cache, also called acache, d6191 1 a6191 1 Note that acache is an internal caching d6206 3 a6208 3 additional-from-cache to no is recommended, since the current implementation of acache d6213 1 a6213 1 One obvious disadvantage of acache is d6218 3 a6220 3 acache mechanism can be disabled by setting acache-enable to no. d6223 1 a6223 1 for acache by using max-acache-size. d6228 2 a6229 2 Without acache, cyclic order is effective for the additional d6234 1 a6234 1 setting of rrset-order. d6243 1 a6243 1 acache. d6245 2 a6246 2d6283 1 a6283 1 deny-answer-addresses option. d6288 1 a6288 1 deny-answer-aliases option, where d6292 1 a6292 1 with except-from, records whose query name d6296 1 a6296 1 corresponding zone, the deny-answer-aliases d6299 1 a6299 1 deny-answer-aliases, d6307 1 a6307 1 deny-answer-addresses option, only d6328 1 a6328 1 d6362 1 a6362 1 matches the except-from element, d6396 1 a6396 1
- RPZ-CLIENT-IP
d6436 1 a6436 1 rpz-client-ip relativized to the d6463 1 a6463 1- QNAME
d6471 1 a6471 1- RPZ-IP
d6476 1 a6476 1 subdomains of rpz-ip. d6478 1 a6478 1- RPZ-NSDNAME
d6484 1 a6484 1 rpz-nsdname relativized d6490 1 a6490 1- RPZ-NSIP
d6493 1 a6493 1 subdomains of rpz-nsip. d6495 2 a6496 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6507 1 a6507 1 DISABLED actions) must be chosen. d6511 3 a6513 3
- Choose the triggered record in the zone that appears first in the response-policy option. d6515 1 a6515 1
- Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP d6518 1 a6518 1
- Among NSDNAME triggers, prefer the d6521 1 a6521 1
- Among IP or NSIP triggers, prefer the trigger d6524 1 a6524 1
- Among triggers with the same prefix length, d6543 2 a6544 2 For example, while the TCP-only policy is commonly used with client-IP triggers, d6548 2 a6549 2
d6775 2 a6776 2 rate-limit clause in an options or view statement. d6803 1 a6803 1 the window option to any value from d6807 1 a6807 1 or more negative than window d6818 2 a6819 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6824 1 a6824 1 with responses-per-second d6829 2 a6830 2 nodata-per-second (default responses-per-second). d6834 2 a6835 2 They are limited by nxdomains-per-second (default base responses-per-second). d6842 2 a6843 2 referrals-per-second (default responses-per-second). d6857 1 a6857 1 responses-per-second value, d6859 1 a6859 1 errors-per-second. d6869 1 a6869 1 Setting slip to 2 (its default) causes every d6875 1 a6875 1 slip must be between 0 and 10. d6883 1 a6883 1 leaked at the slip rate. d6894 1 a6894 1 slip to 1, causing all rate-limited d6900 6 a6905 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6908 1 a6908 1 qps-scale 250; responses-per-second 20; and d6919 2 a6920 2 rate-limit statements in view statements instead of the global option d6922 2 a6923 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6926 1 a6926 1 with the exempt-clients clause. d6930 1 a6930 1 all-per-second phrase. d6932 3 a6934 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6939 2 a6940 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6942 1 a6942 1 An all-per-second limit should be d6950 1 a6950 1 records as it considers the STMP Mail From d6954 1 a6954 1 All-per-second is similar to the d6966 1 a6966 1 rate limit responses is set with max-table-size. d6972 1 a6972 1 min-table-size (default 500) d6974 1 a6974 1 Enable rate-limit category logging to monitor d6979 1 a6979 1 Use log-only yes to test rate limiting parameters d6984 1 a6984 1 RateDropped and QryDropped d6987 1 a6987 1 RateSlipped and RespTruncated. d6991 1 a6991 1
- PASSTHRU
d6552 1 a6552 1 by a CNAME whose target is rpz-passthru. d6557 1 a6557 1- DROP
d6560 1 a6560 1 by a CNAME whose target is rpz-drop. d6564 1 a6564 1- TCP-Only
d6567 1 a6567 1 by a CNAME whose target is rpz-tcp-only. d6572 1 a6572 1- NXDOMAIN
d6577 1 a6577 1- NODATA
d6584 1 a6584 1- Local Data
d6606 2 a6607 2 can be overridden with a policy clause in the response-policy option. d6612 2 a6613 2
- GIVEN
d6617 1 a6617 1- DISABLED
d6630 1 a6630 1 PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA d6635 1 a6635 1- CNAME domain
d6648 1 a6648 1 with a recursive-only no clause. d6660 1 a6660 1 break-dnssec yes clause. In that case, RPZ d6677 1 a6677 1 The qname-wait-recurse no option d6685 1 a6685 1 DNSSEC requests (DO=1) unless break-dnssec yes d6696 1 a6696 1 The max-policy-ttl clause changes that d6766 1 a6766 1 RPZRewrites statistics. d6769 1 a6769 1serverip_addr[/prefixlen]{ d7002 1 d7021 1 a7021 1d7023 1 a7023 1 server Statement Definition and d7026 1 a7026 1 The server statement defines d7035 1 a7035 1 The server statement can occur at d7037 1 a7037 1 configuration file or inside a view d7039 2 a7040 2 If a view statement contains one or more server statements, only d7043 1 a7043 1 If a view contains no server d7045 1 a7045 1 any top-level server statements are d7053 1 a7053 1 value of bogus is no. d7056 1 a7056 1 The provide-ixfr clause determines d7061 1 a7061 1 If set to yes, incremental transfer d7063 1 a7063 1 whenever possible. If set to no, d7067 1 a7067 1 of the provide-ixfr option in the d7072 1 a7072 1 The request-ixfr clause determines d7076 1 a7076 1 value of the request-ixfr option in d7087 3 a7089 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d7096 1 a7096 1 The edns clause determines whether d7098 1 a7098 1 with the remote server. The default is yes. d7101 2 a7102 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named d7111 1 a7111 1 server; named will not deviate from d7113 3 a7115 3 edns-udp-size in options or view statements, where it specifies a maximum value. The server statement d7117 1 a7117 1 options/view behavior in future releases.) d7120 2 a7121 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d7125 8 a7132 1 replies from named. d7135 3 a7137 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d7141 3 a7143 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d7145 1 a7145 1 by the options statement will be d7148 1 a7148 1transfers d7151 1 a7151 1 transfers clause is specified, the d7153 1 a7153 1 transfers-per-ns option. d7156 3 a7158 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d7170 2 a7171 2 The transfer-source and transfer-source-v6 clauses specify d7175 1 a7175 1 For an IPv4 remote server, only transfer-source can d7178 1 a7178 1 transfer-source-v6 can be d7181 3 a7183 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d7186 2 a7187 2 The notify-source and notify-source-v6 clauses specify the d7190 1 a7190 1 IPv4 remote server, only notify-source d7192 1 a7192 1 only notify-source-v6 can be specified. d7195 2 a7196 2 The query-source and query-source-v6 clauses specify the d7199 1 a7199 1 remote server, only query-source can d7201 1 a7201 1 only query-source-v6 can be specified. d7204 1 a7204 1 The request-nsid clause determines d7207 1 a7207 1 request-nsid set at the view or d7211 1 a7211 1 The request-sit clause determines d7214 1 a7214 1 request-sit set at the view or d7220 1 a7220 1
statistics-channels { d7230 1 a7230 1d7232 1 a7232 1 statistics-channels Statement Definition and d7235 1 a7235 1 The statistics-channels statement d7246 1 a7246 1 statistics-channels statement is d7251 4 a7254 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*d7259 1 a7259 1 use an ip_addr of::. d7264 1 a7264 1 ip_port. d7268 1 a7268 1 restricted by the optional allow clause. d7270 3 a7272 3 address_match_list. If no allow clause is present, named accepts connection d7279 2 a7280 2 If no statistics-channels statement is present, named will not open any communication channels. d7287 2 a7288 2 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is d7297 1 a7297 1 http://127.0.0.1:8888/xml/v2 for version 2 d7299 1 a7299 1 http://127.0.0.1:8888/xml/v3 for version 3. d7306 1 a7306 1 http://127.0.0.1:8888/xml/v3/status d7308 1 a7308 1 http://127.0.0.1:8888/xml/v3/server d7310 1 a7310 1 http://127.0.0.1:8888/xml/v3/zones d7312 1 a7312 1 http://127.0.0.1:8888/xml/v3/net d7314 1 a7314 1 http://127.0.0.1:8888/xml/v3/mem d7316 1 a7316 1 http://127.0.0.1:8888/xml/v3/tasks d7321 1 a7321 1 http://127.0.0.1:8888/json, d7323 1 a7323 1 http://127.0.0.1:8888/json/v1/status d7325 1 a7325 1 http://127.0.0.1:8888/json/v1/server d7327 1 a7327 1 http://127.0.0.1:8888/json/v1/zones d7329 1 a7329 1 http://127.0.0.1:8888/json/v1/net d7331 1 a7331 1 http://127.0.0.1:8888/json/v1/mem d7333 1 a7333 1 http://127.0.0.1:8888/json/v1/tasks d7337 1 a7337 1trusted-keys { d7346 1 a7346 1d7348 1 a7348 1 trusted-keys Statement Definition d7351 2 a7352 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d7363 1 a7363 1 trusted-keys are deemed to exist regardless d7365 1 a7365 1 trusted-keys only those keys are d7370 1 a7370 1 The trusted-keys statement can contain d7379 1 a7379 1 trusted-keys may be set at the top level d7386 1 a7386 1managed-keys { d7395 1 a7395 1d7397 1 a7397 1 managed-keys Statement Definition d7400 2 a7401 2 The managed-keys statement, like trusted-keys, defines DNSSEC d7403 1 a7403 1 managed-keys can be kept up to date d7411 1 a7411 1 trusted-keys statement would be d7415 1 a7415 1 trusted-keys statement with the new key. d7419 1 a7419 1 managed-keys statement instead, then the d7421 2 a7422 2 named would store the stand-by key, and when the original key was revoked, named d7429 1 a7429 1 A managed-keys statement contains a list of d7434 1 a7434 1 This means the managed-keys statement must d7440 2 a7441 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d7444 1 a7444 1 keys listed in a trusted-keys continue to be d7447 1 a7447 1 in a managed-keys statement is only trusted d7453 1 a7453 1 The first time named runs with a managed key d7456 1 a7456 1 using the key specified in the managed-keys d7461 2 a7462 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d7465 1 a7465 1 key specified in the managed-keys is not d7470 1 a7470 1 The next time named runs after a name d7472 1 a7472 1 managed-keys statement, the corresponding d7478 3 a7480 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d7492 1 a7492 1 seconds. So, whenever named is using d7496 1 a7496 1 named.) d7499 2 a7500 2 If the dnssec-validation option is set toauto, named d7502 1 a7502 1 root zone. Similarly, if the dnssec-lookaside d7504 1 a7504 1 named will automatically initialize d7507 2 a7508 2 maintenance process is built into named, and can be overridden from bindkeys-file. d7511 1 a7511 1viewview_named7524 1 a7524 1d7646 1 a7646 1 zone d7648 1 a7648 1zonezone_name[class] { d7658 2 a7659 3 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7719 1 d7804 1 a7804 1 [ zone-statisticsfull|terse|none; ] d7818 1 a7818 1 [ zone-statisticsfull|terse|none; ] d7846 1 a7846 1The type keyword is required for the zone configuration unless it is an in-view configuration. Its acceptable values include:
d7854 2 a7855 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7882 1 a7882 1 zone. The masters list d7997 2 a7998 2 server-addresses and server-names zone options. d8004 1 a8004 1 databases by rndc dumpdb -all. d8035 4 a8038 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d8042 1 a8042 1 name. If no forwarders d8044 1 a8044 1 an empty list for forwarders is given, then no d8047 1 a8047 1 any forwarders in the options statement. Thus d8050 1 a8050 1 global forward option d8092 1 a8092 1 per view. allow-query can be d8129 1 a8129 1 rndc reload d8132 1 a8132 1 rndc reload without specifying d8160 1 a8160 1 See caveats in root-delegation-only. d8167 1 a8167 1 d8189 1 a8189 1 d9121 1 a9121 1 in-view zone option provides an efficient d9144 1 a9144 1 An in-view option cannot refer to a view d9148 4 a9151 4 A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control d9163 1 a9163 1 An in-view zone cannot be used as a d9167 2 a9168 2 An in-view zone is not intended to reference a forward zone. d9173 1 a9173 1 d9197 1 a9197 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d9204 2 a9205 2
- allow-notify
d8196 1 a8196 1 allow-notify in the section called “Access Control”. d8198 1 a8198 1- allow-query
d8201 1 a8201 1 allow-query in the section called “Access Control”. d8203 1 a8203 1- allow-query-on
d8206 1 a8206 1 allow-query-on in the section called “Access Control”. d8208 1 a8208 1- allow-transfer
d8210 2 a8211 2 See the description of allow-transfer in the section called “Access Control”. d8213 1 a8213 1- allow-update
d8215 2 a8216 2 See the description of allow-update in the section called “Access Control”. d8218 1 a8218 1- update-policy
d8221 1 a8221 1 the section called “Dynamic Update Policies”. d8223 1 a8223 1- allow-update-forwarding
d8225 2 a8226 2 See the description of allow-update-forwarding in the section called “Access Control”. d8228 1 a8228 1- also-notify
d8230 1 a8230 1 Only meaningful if notify d8239 1 a8239 1 with also-notify. A port d8241 1 a8241 1 with each also-notify d8247 1 a8247 1 also-notify is not d8251 1 a8251 1- check-names
d8257 3 a8259 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d8261 1 a8261 1- check-mx
d8264 1 a8264 1 check-mx in the section called “Boolean Options”. d8266 1 a8266 1- check-spf
d8269 1 a8269 1 check-spf in the section called “Boolean Options”. d8271 1 a8271 1- check-wildcard
d8274 1 a8274 1 check-wildcard in the section called “Boolean Options”. d8276 1 a8276 1- check-integrity
d8279 1 a8279 1 check-integrity in the section called “Boolean Options”. d8281 1 a8281 1- check-sibling
d8284 1 a8284 1 check-sibling in the section called “Boolean Options”. d8286 1 a8286 1- zero-no-soa-ttl
d8289 1 a8289 1 zero-no-soa-ttl in the section called “Boolean Options”. d8291 1 a8291 1- update-check-ksk
d8294 1 a8294 1 update-check-ksk in the section called “Boolean Options”. d8296 1 a8296 1- dnssec-loadkeys-interval
d8299 2 a8300 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d8303 1 a8303 1- dnssec-update-mode
d8306 1 a8306 2 dnssec-update-mode in the section called “options Statement Definition and Usage”. d8308 1 a8308 1- dnssec-dnskey-kskonly
d8311 1 a8311 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d8313 1 a8313 6- try-tcp-refresh
See the description of try-tcp-refresh in the section called “Boolean Options”.
- database
d8317 1 a8317 1 zone data. The string following the database keyword d8339 1 a8339 1- dialup
d8342 1 a8342 1 dialup in the section called “Boolean Options”. d8344 1 a8344 1- delegation-only
d8353 1 a8353 1 See caveats in root-delegation-only. d8356 1 a8356 1- forward
d8359 1 a8359 1 list. The only value causes d8361 1 a8361 1 after trying the forwarders and getting no answer, while first would d8364 1 a8364 1- forwarders
d8367 1 a8367 1 If it is not specified in a zone of type forward, d8371 1 a8371 1- ixfr-base
d8383 1 a8383 1- ixfr-tmp-file
d8388 1 a8388 1- journal
d8392 1 a8392 1 This is applicable to master and slave zones. d8394 1 a8394 1- max-journal-size
d8397 1 a8397 1 max-journal-size in the section called “Server Resource Limits”. d8399 1 a8399 1- max-transfer-time-in
d8402 1 a8402 1 max-transfer-time-in in the section called “Zone Transfers”. d8404 1 a8404 1- max-transfer-idle-in
d8407 1 a8407 1 max-transfer-idle-in in the section called “Zone Transfers”. d8409 1 a8409 1- max-transfer-time-out
d8412 1 a8412 1 max-transfer-time-out in the section called “Zone Transfers”. d8414 1 a8414 1- max-transfer-idle-out
d8417 1 a8417 1 max-transfer-idle-out in the section called “Zone Transfers”. d8419 1 a8419 1- notify
d8422 1 a8422 1 notify in the section called “Boolean Options”. d8424 1 a8424 1- notify-delay
d8427 1 a8427 1 notify-delay in the section called “Tuning”. d8429 1 a8429 1- notify-to-soa
d8432 2 a8433 2 notify-to-soa in the section called “Boolean Options”. d8435 1 a8435 1- pubkey
d8444 1 a8444 1- zone-statistics
d8446 5 a8450 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d8452 1 a8452 1- server-addresses
d8466 1 a8466 1 in a server-addresses option, d8481 1 a8481 1- server-names
d8489 1 a8489 1 named needs to send queries to d8497 1 a8497 1 server-names option, but d8507 1 a8507 1 in a server-names option, d8524 1 a8524 1- sig-validity-interval
d8527 1 a8527 1 sig-validity-interval in the section called “Tuning”. d8529 1 a8529 1- sig-signing-nodes
d8532 1 a8532 1 sig-signing-nodes in the section called “Tuning”. d8534 1 a8534 1- sig-signing-signatures
d8537 1 a8537 1 sig-signing-signatures in the section called “Tuning”. d8539 1 a8539 1- sig-signing-type
d8542 1 a8542 1 sig-signing-type in the section called “Tuning”. d8544 1 a8544 1- transfer-source
d8547 1 a8547 1 transfer-source in the section called “Zone Transfers”. d8549 1 a8549 1- transfer-source-v6
d8552 1 a8552 1 transfer-source-v6 in the section called “Zone Transfers”. d8554 1 a8554 1- alt-transfer-source
d8557 1 a8557 1 alt-transfer-source in the section called “Zone Transfers”. d8559 1 a8559 1- alt-transfer-source-v6
d8562 1 a8562 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d8564 1 a8564 1- use-alt-transfer-source
d8567 1 a8567 1 use-alt-transfer-source in the section called “Zone Transfers”. d8569 1 a8569 1- notify-source
d8572 1 a8572 1 notify-source in the section called “Zone Transfers”. d8574 1 a8574 1- notify-source-v6
d8577 1 a8577 1 notify-source-v6 in the section called “Zone Transfers”. d8580 1 a8580 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d8583 1 a8583 1 See the description in the section called “Tuning”. d8585 1 a8585 1- ixfr-from-differences
d8588 2 a8589 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d8594 1 a8594 1- key-directory
d8597 2 a8598 1 key-directory in the section called “options Statement Definition and d8601 63 a8663 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8672 1 a8672 1- multi-master
d8674 2 a8675 2 See the description of multi-master in the section called “Boolean Options”. d8677 1 a8677 1- masterfile-format
d8679 2 a8680 2 See the description of masterfile-format in the section called “Tuning”. d8682 1 a8682 1- max-zone-ttl
d8684 3 a8686 2 See the description of max-zone-ttl in the section called “options Statement Definition and d8689 1 a8689 1- dnssec-secure-to-insecure
d8692 1 a8692 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8696 1 a8696 1d8702 2 a8703 2 allow-update and update-policy option, respectively. d8706 1 a8706 1 The allow-update clause works the d8712 1 a8712 1 The update-policy clause d8722 1 a8722 1 Rules are specified in the update-policy d8724 1 a8724 1 When the update-policy statement d8726 2 a8727 2 allow-update statement to be present. The update-policy statement d8732 1 a8732 1 There is a pre-defined update-policy d8734 1 a8734 1 update-policy local;. d8736 1 a8736 1 named to generate a TSIG session d8742 3 a8744 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8756 1 a8756 1 The command nsupdate -l sends update d8763 1 a8763 1 ( grant | deny )identitynametype[name] [types] d8818 2 a8819 2d8863 1 a8863 1 update-policy statement d8866 1 a8866 1 update-policy statement in d8886 1 a8886 1 is a valid expansion of the wildcard. d9059 1 a9059 1 This rule allows named d9111 1 a9111 1 d9283 2 a9284 2 a9368 12 AVC Application Visibility and Control record.
a9434 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a9812 12 NINFO
Contains zone status information.
a9982 12 RKEY
Resource key.
a10038 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a10090 24 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
d10196 2 a10197 2
d10286 1 a10286 1 d10328 3 a10330 3 d10446 3 a10448 3 d10489 1 a10489 1 d10529 5 a10533 5 d10672 1 a10672 1 d10764 2 a10765 2 d10797 1 a10797 1 The $ORIGIN lines in the examples d10805 1 a10805 1 d10817 2 a10818 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d10820 1 a10820 1 d10831 1 a10831 1 d10835 1 a10835 1 Syntax: $ORIGIN d10839 1 a10839 1 $ORIGIN d10842 2 a10843 2 is an implicit $ORIGIN <
d10864 1 a10864 1 Syntax: $INCLUDE d10872 3 a10874 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d10879 1 a10879 1 revert to the values they had prior to the $INCLUDE once d10887 1 a10887 1 an $INCLUDE, but it is silent d10896 1 a10896 1 d10900 1 a10900 1 Syntax: $TTL d10910 1 a10910 1zone_name>. d10845 2 a10846 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d10860 1 a10860 1$TTL d10915 1 a10915 1
d10919 1 a10919 1 Syntax: $GENERATE d10928 1 a10928 1$GENERATE d10931 1 a10931 1 iterator. $GENERATE can be used to d10973 2 a10974 2
d10979 1 a10979 1 range
d10993 1 a10993 1lhs
d10998 1 a10998 1 to be created. Any single $ d11000 1 a11000 1 symbols within the lhs string d11004 4 a11007 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d11012 4 a11015 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d11021 3 a11023 3 (d), octal (o), hexadecimal (x or X d11025 1 a11025 1 (n or N\ d11027 3 a11029 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d11041 1 a11041 1 $$ is still recognized as d11048 1 a11048 1ttl
d11056 2 a11057 2class and ttl can be d11064 1 a11064 1
class
d11072 2 a11073 2class and ttl can be d11080 1 a11080 1
type
d11090 1 a11090 1rhs
d11094 1 a11094 1 rhs, optionally, quoted string. d11101 1 a11101 1 The $GENERATE directive is a BIND extension d11108 1 a11108 1d11126 1 a11126 1 directly into memory via the mmap() d11134 1 a11134 1 file by the named-compilezone command. d11137 2 a11138 2 masterfile-format option) when named dumps the zone contents after d11144 1 a11144 1 named-compilezone command. All d11147 1 a11147 1 named-compilezone command again. d11150 1 a11150 1 Note that map format is extremely d11168 1 a11168 1d11959 2 a11960 2d11186 2 a11187 2d11287 5 a11291 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a11293 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d11297 1 a11297 1 by the statistics-file configuration option. d11299 1 a11299 1 when the statistics-channels statement d11301 1 a11301 1 (see the section called “statistics-channels Statement Grammar”.) d11303 3 a11305 3
d11310 1 a11310 1 +++ Statistics Dump +++ (973798949) d11322 1 a11322 1 ++ Name Server Statistics ++ d11336 1 a11336 1 --- Statistics Dump --- (973798949) d11339 1 a11339 1d11363 3 a11365 3d11387 1 a11387 1 Requestv4
d11390 1 a11390 1RQ
d11401 1 a11401 1Requestv6
d11404 1 a11404 1RQ
d11415 1 a11415 1ReqEdns0
d11418 1 a11418 1d11428 1 a11428 1
ReqBadEDNSVer
d11431 1 a11431 1d11441 1 a11441 1
ReqTSIG
d11444 1 a11444 1d11454 1 a11454 1
ReqSIG0
d11457 1 a11457 1d11467 1 a11467 1
ReqBadSIG
d11470 1 a11470 1d11480 1 a11480 1
ReqTCP
d11483 1 a11483 1RTCP
d11493 1 a11493 1AuthQryRej
d11496 1 a11496 1RUQ
d11506 1 a11506 1RecQryRej
d11509 1 a11509 1RURQ
d11519 1 a11519 1XfrRej
d11522 1 a11522 1RUXFR
d11532 1 a11532 1UpdateRej
d11535 1 a11535 1RUUpd
d11545 1 a11545 1Response
d11548 1 a11548 1SAns
d11558 1 a11558 1RespTruncated
d11561 1 a11561 1d11571 1 a11571 1
RespEDNS0
d11574 1 a11574 1d11584 1 a11584 1
RespTSIG
d11587 1 a11587 1d11597 1 a11597 1
RespSIG0
d11600 1 a11600 1d11610 1 a11610 1
QrySuccess
d11613 1 a11613 1d11621 1 a11621 1 success counter d11629 1 a11629 1
QryAuthAns
d11632 1 a11632 1d11642 1 a11642 1
QryNoauthAns
d11645 1 a11645 1SNaAns
d11655 1 a11655 1QryReferral
d11658 1 a11658 1d11664 1 a11664 1 referral counter d11672 1 a11672 1
QryNxrrset
d11675 1 a11675 1d11681 1 a11681 1 nxrrset counter d11689 1 a11689 1
QrySERVFAIL
d11692 1 a11692 1SFail
d11702 1 a11702 1QryFORMERR
d11705 1 a11705 1SFErr
d11715 1 a11715 1QryNXDOMAIN
d11718 1 a11718 1SNXD
d11724 1 a11724 1 nxdomain counter d11732 1 a11732 1QryRecursion
d11735 1 a11735 1RFwdQ
d11742 1 a11742 1 recursion counter d11750 1 a11750 1QryDuplicate
d11753 1 a11753 1RDupQ
d11762 1 a11762 1 duplicate counter d11770 1 a11770 1QryDropped
d11773 1 a11773 1d11783 1 a11783 1 clients-per-query d11785 1 a11785 1 max-clients-per-query d11788 1 a11788 1 clients-per-query.) d11790 1 a11790 1 dropped counter d11798 1 a11798 1
QryFailure
d11801 1 a11801 1d11807 1 a11807 1 failure counter d11813 2 a11814 2 AuthQryRej and RecQryRej d11823 1 a11823 1
XfrReqDone
d11826 1 a11826 1d11836 1 a11836 1
UpdateReqFwd
d11839 1 a11839 1d11849 1 a11849 1
UpdateRespFwd
d11852 1 a11852 1d11862 1 a11862 1
UpdateFwdFail
d11865 1 a11865 1d11875 1 a11875 1
UpdateDone
d11878 1 a11878 1d11888 1 a11888 1
UpdateFail
d11891 1 a11891 1d11901 1 a11901 1
UpdateBadPrereq
d11904 1 a11904 1d11914 1 a11914 1
RateDropped
d11917 1 a11917 1d11927 1 a11927 1
RateSlipped
d11930 1 a11930 1d11940 1 a11940 1
RPZRewrites
d11943 1 a11943 1d11954 1 a11954 1
d11977 1 a11977 1 NotifyOutv4
d11987 1 a11987 1NotifyOutv6
d11997 1 a11997 1NotifyInv4
d12007 1 a12007 1NotifyInv6
d12017 1 a12017 1NotifyRej
d12027 1 a12027 1SOAOutv4
d12037 1 a12037 1SOAOutv6
d12047 1 a12047 1AXFRReqv4
d12057 1 a12057 1AXFRReqv6
d12067 1 a12067 1IXFRReqv4
d12077 1 a12077 1IXFRReqv6
d12087 1 a12087 1XfrSuccess
d12097 1 a12097 1XfrFail
d12108 1 a12108 1 d12113 3 a12115 3d12137 1 a12137 1 Queryv4
d12140 1 a12140 1SFwdQ
d12150 1 a12150 1Queryv6
d12153 1 a12153 1SFwdQ
d12163 1 a12163 1Responsev4
d12166 1 a12166 1RR
d12176 1 a12176 1Responsev6
d12179 1 a12179 1RR
d12189 1 a12189 1NXDOMAIN
d12192 1 a12192 1RNXD
d12202 1 a12202 1SERVFAIL
d12205 1 a12205 1RFail
d12215 1 a12215 1FORMERR
d12218 1 a12218 1RFErr
d12228 1 a12228 1OtherError
d12231 1 a12231 1RErr
d12241 1 a12241 1EDNS0Fail
d12244 1 a12244 1d12254 1 a12254 1
Mismatch
d12257 1 a12257 1RDupR
d12266 1 a12266 1 the port option.) d12274 1 a12274 1Truncated
d12277 1 a12277 1d12287 1 a12287 1
Lame
d12290 1 a12290 1RLame
d12300 1 a12300 1Retry
d12303 1 a12303 1SDupQ
d12313 1 a12313 1QueryAbort
d12316 1 a12316 1d12326 1 a12326 1
QuerySockFail
d12329 1 a12329 1d12342 1 a12342 1
QueryTimeout
d12345 1 a12345 1d12355 1 a12355 1
GlueFetchv4
d12358 1 a12358 1SSysQ
d12368 1 a12368 1GlueFetchv6
d12371 1 a12371 1SSysQ
d12381 1 a12381 1GlueFetchv4Fail
d12384 1 a12384 1d12394 1 a12394 1
GlueFetchv6Fail
d12397 1 a12397 1d12407 1 a12407 1
ValAttempt
d12410 1 a12410 1d12420 1 a12420 1
ValOk
d12423 1 a12423 1d12433 1 a12433 1
ValNegOk
d12436 1 a12436 1d12446 1 a12446 1
ValFail
d12449 1 a12449 1d12459 1 a12459 1
QryRTTnn
d12462 1 a12462 1d12468 1 a12468 1 Each nn specifies the corresponding d12471 2 a12472 2 nn_1, nn_2, d12474 2 a12475 2 nn_m, the value of nn_i is the d12477 2 a12478 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d12480 1 a12480 1 nn_0 to be 0. d12482 1 a12482 1 nn_m+, which means the d12484 1 a12484 1 nn_m milliseconds. d12491 1 a12491 1 d12497 6 a12502 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d12504 1 a12504 1 In the following table <TYPE> d12511 2 a12512 2
d12529 1 a12529 1 <TYPE>Open
d12535 1 a12535 1 FDwatch type. d12541 1 a12541 1<TYPE>OpenFail
d12547 1 a12547 1 FDwatch type. d12553 1 a12553 1<TYPE>Close
d12563 1 a12563 1<TYPE>BindFail
d12573 1 a12573 1<TYPE>ConnFail
d12583 1 a12583 1<TYPE>Conn
d12593 1 a12593 1<TYPE>AcceptFail
d12599 2 a12600 2 UDP and FDwatch types. d12606 1 a12606 1<TYPE>Accept
d12612 2 a12613 2 UDP and FDwatch types. d12619 1 a12619 1<TYPE>SendErr
d12625 2 a12626 2 to SErr counter of BIND 8. d12632 1 a12632 1<TYPE>RecvErr
d12646 1 a12646 1 d12651 2 a12652 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d12656 2 a12657 2d7849 1 a7849 1 glue A or AAAA RRs d7933 1 a7933 1 that point to the desired addresses: d7941 1 a7941 1 "*.ES." instead of "*.". To redirect all d7996 1 a7996 1 Class d8018 1 a8018 1 Zone Options d8451 1 a8451 1 active. d8482 1 a8482 1 When set to d8779 1 a8779 1 and converts it machine.realm allowing the machine d8794 1 a8794 1 This rule takes a Windows machine principal d8813 1 a8813 1 and converts it machine.realm allowing the machine d8828 1 a8828 1 This rule takes a Kerberos machine principal d8940 1 a8940 1 Multiple views a8982 7 Zone level acls (e.g. allow-query, allow-transfer) and other configuration details of the zone are all set in the view the referenced zone is defined in. Care need to be taken to ensure that acls are wide enough for all views referencing the zone.
- RFwdR,SFwdR
d12660 1 a12660 1 because BIND 9 does not adopt d12662 1 a12662 1 as BIND 8 did. d12664 1 a12664 1- RAXFR
d12668 1 a12668 1- RIQ
d12672 1 a12672 1- ROpts
d12675 1 a12675 1 because BIND 9 does not care d12700 1 a12700 1BIND 9.10.4-P3
@ 1.1.1.15.2.8 log @Pull up following revision(s) (requested by snj in ticket #1271): doc/3RDPARTY: 1.1374 via patch external/bsd/bind/Makefile.inc: up to 1.24 via patch external/bsd/bind/bin/delv/Makefile: up to 1.3 external/bsd/bind/bin/dig/Makefile: up to 1.2 external/bsd/bind/bin/dnssec/Makefile.inc: up to 1.2 external/bsd/bind/bin/host/Makefile: up to 1.2 external/bsd/bind/bin/named/Makefile: up to 1.10 external/bsd/bind/bin/nslookup/Makefile: up to 1.3 external/bsd/bind/bin/nsupdate/Makefile: up to 1.3 external/bsd/bind/bin/rndc/Makefile: up to 1.2 external/bsd/bind/bin/tools/Makefile.inc: up to 1.2 external/bsd/bind/dist/CHANGES: up to 1.23 external/bsd/bind/dist/README: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.17 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.11 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/api: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.27 external/bsd/bind/dist/srcid: up to 1.17 external/bsd/bind/dist/version: up to 1.21 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch external/bsd/bind/lib/libbind9/Makefile: up to 1.3 Update BIND to 9.10.4-P4. Fixes CVE-2016-8864. @ text @d12848 1 a12848 1BIND 9.10.4-P4
@ 1.1.1.15.2.9 log @Pull up following revision(s) (requested by snj in ticket #1348): doc/3RDPARTY: 1.1397 via patch external/bsd/bind/Makefile.inc: up to 1.24 via patch external/bsd/bind/dist/CHANGES: up to 1.24 external/bsd/bind/dist/README: up to 1.12 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-signer delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer delete external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.12 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/api: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.21 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.28 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.21 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.20 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.12 external/bsd/bind/dist/srcid: up to 1.18 external/bsd/bind/dist/version: up to 1.22 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P5, fixing CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444. @ text @d12848 1 a12848 1BIND 9.10.4-P5
@ 1.1.1.15.2.10 log @Pull up following revision(s) (requested by snj in ticket #1363): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.25 via patch external/bsd/bind/dist/CHANGES: up to 1.25 external/bsd/bind/dist/README: up to 1.13 external/bsd/bind/dist/bin/named/query.c: up to 1.23 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/config.guess: up to 1.2 external/bsd/bind/dist/config.sub: up to 1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.guess: up to 1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.sub: up to 1.2 external/bsd/bind/dist/contrib/idn/idnkit-1.0-src/config.guess: up to 1.2 external/bsd/bind/dist/contrib/idn/idnkit-1.0-src/config.sub: up to 1.2 external/bsd/bind/dist/contrib/nslint-3.0a2/config.guess: up to 1.2 external/bsd/bind/dist/contrib/nslint-3.0a2/config.sub: up to 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.18 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.13 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.11 external/bsd/bind/dist/lib/dns/api: up to 1.13 external/bsd/bind/dist/lib/dns/message.c: up to 1.22 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.9 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.29 external/bsd/bind/dist/srcid: up to 1.19 external/bsd/bind/dist/unit/atf-src/admin/config.guess: up to 1.2 external/bsd/bind/dist/unit/atf-src/admin/config.sub: up to 1.2 external/bsd/bind/dist/version: up to 1.23 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P6, fixing CVE-2017-3135. @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.1.1.15.2.11 log @Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8. @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.1.1.15.2.12 log @Pull up following revision(s) (requested by spz in ticket #1436): distrib/sets/lists/base/ad.aarch64: patch distrib/sets/lists/base/ad.arm: patch distrib/sets/lists/base/ad.mips: patch distrib/sets/lists/base/ad.powerpc: patch distrib/sets/lists/base/md.amd64: patch distrib/sets/lists/base/md.sparc64: patch distrib/sets/lists/base/shl.mi: patch distrib/sets/lists/debug/ad.aarch64: patch distrib/sets/lists/debug/ad.arm: patch distrib/sets/lists/debug/ad.mips: patch distrib/sets/lists/debug/ad.powerpc: patch distrib/sets/lists/debug/md.amd64: patch distrib/sets/lists/debug/md.sparc64: patch distrib/sets/lists/debug/shl.mi: patch doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.27 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.12 external/bsd/bind/dist/Makefile.in: up to 1.4 external/bsd/bind/dist/README: up to 1.15 external/bsd/bind/dist/acconfig.h: up to 1.10 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.14 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.11 external/bsd/bind/dist/bin/check/win32/checkconf.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checktool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checkzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.c: up to 1.9 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.8 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.5 external/bsd/bind/dist/bin/delv/delv.c: up to 1.6 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/win32/delv.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dig.1: up to 1.13 external/bsd/bind/dist/bin/dig/dig.c: up to 1.13 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.19 external/bsd/bind/dist/bin/dig/host.1: up to 1.7 external/bsd/bind/dist/bin/dig/host.c: up to 1.12 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/win32/dig.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/dighost.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/host.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/nslookup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dnssec/dnssectool.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssectool.h: up to 1.8 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/importkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/settime.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/verify.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/bin/named/client.c: up to 1.17 external/bsd/bind/dist/bin/named/config.c: up to 1.14 external/bsd/bind/dist/bin/named/control.c: up to 1.12 external/bsd/bind/dist/bin/named/geoip.c: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/config.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/globals.h: up to 1.10 external/bsd/bind/dist/bin/named/include/named/seccomp.h: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.12 external/bsd/bind/dist/bin/named/logconf.c: up to 1.9 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.7 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/bin/named/lwsearch.c: up to 1.5 external/bsd/bind/dist/bin/named/main.c: up to 1.21 external/bsd/bind/dist/bin/named/named.8: up to 1.10 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.15 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.15 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.11 external/bsd/bind/dist/bin/named/query.c: up to 1.25 external/bsd/bind/dist/bin/named/server.c: up to 1.22 external/bsd/bind/dist/bin/named/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.10 external/bsd/bind/dist/bin/named/update.c: up to 1.13 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.13 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.16 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.12 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2h-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/python/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.7 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.8 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.8 external/bsd/bind/dist/bin/python/isc/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/__init__.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/checkds.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/coverage.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/dnskey.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/eventlist.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keydict.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyevent.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyzone.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/dnskey_test.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/utils.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/setup.py: up to 1.1.1.1 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.10 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.15 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.7 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/db/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/db/win32/t_db.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/dst/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/dst/t_dst.c: up to 1.11 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/hashes/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/hashes/t_hashes.c: up to 1.6 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/master/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/master/win32/t_master.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/mdig.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/pkcs11/README: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/create.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/privrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/pubrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.10 external/bsd/bind/dist/bin/tests/resolver/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/acl/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/additional/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/addzone/ns2/hints.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/ns2/redirect.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in delete external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c delete external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/case/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/bad-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-slip.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-window.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rpz-zone.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/good-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/checkds/dig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkds/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/checknames/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/checkzone/zones/crashzone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/conf.sh.win32: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/coverage/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/database/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dialup/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/digcomp.pl: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dlv/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/dlopen.c delete external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dns64/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dscp/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dsdigest/ns2/sign.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/feature-test.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in delete external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c delete external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/filter-aaaa.c delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in delete external/bsd/bind/dist/bin/tests/system/geoip/geoip.c delete external/bsd/bind/dist/bin/tests/system/geoip/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/glue/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/gost/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ifconfig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ifconfig.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/inline/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/integrity/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/mx-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/srv-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/legacy/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/limits/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/nosearch.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.10 external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/metadata/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/too-big.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/pending/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/pending/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11ssl/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/redirect/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/ns6/ds.example.net.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in delete external/bsd/bind/dist/bin/tests/system/rpz/rpz.c delete external/bsd/bind/dist/bin/tests/system/rpz/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip21: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/spf/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in delete external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c delete external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/stop.pl: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/stub/tests.sh: up to 1.5 external/bsd/bind/dist/bin/tests/system/tcp/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tsig/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsig/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tsig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in delete external/bsd/bind/dist/bin/tests/system/tsiggss/gssapi_krb.c delete external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/unknown/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/v6synth/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/verify/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/views/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/ns1/axfr-too-big.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/ixfr-too-big.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/xfer/ns6/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/xferquota/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/ans5/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/win32/makejournal.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.7 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.8 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.7 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.7 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.12 external/bsd/bind/dist/bind.keys: up to 1.1.1.7 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.5 external/bsd/bind/dist/config.h.in: up to 1.14 external/bsd/bind/dist/configure: up to 1.8 external/bsd/bind/dist/configure.in: up to 1.10 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.5 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.2 external/bsd/bind/dist/contrib/queryperf/utils/gen-data-queryperf.py: up to 1.1.1.4 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.6 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.20 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.15 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.10 external/bsd/bind/dist/doc/misc/options: up to 1.9 external/bsd/bind/dist/doc/misc/sort-options.pl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.1: up to 1.7 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.9 external/bsd/bind/dist/lib/Atffile: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.19 external/bsd/bind/dist/lib/bind9/check.c: up to 1.15 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/dns/acl.c: up to 1.8 external/bsd/bind/dist/lib/dns/adb.c: up to 1.13 external/bsd/bind/dist/lib/dns/api: up to 1.15 external/bsd/bind/dist/lib/dns/client.c: up to 1.13 external/bsd/bind/dist/lib/dns/db.c: up to 1.9 external/bsd/bind/dist/lib/dns/dbtable.c: up to 1.6 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.12 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.14 external/bsd/bind/dist/lib/dns/dst_gost.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/dst_internal.h: up to 1.11 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.10 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.10 external/bsd/bind/dist/lib/dns/ecdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.10 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/events.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/keytable.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/masterdump.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/peer.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.13 external/bsd/bind/dist/lib/dns/include/dns/rdata.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/rdataslab.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/tsig.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.18 external/bsd/bind/dist/lib/dns/include/dns/zt.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/include/dst/gssapi.h: up to 1.6 external/bsd/bind/dist/lib/dns/iptable.c: up to 1.6 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.12 external/bsd/bind/dist/lib/dns/masterdump.c: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.23 external/bsd/bind/dist/lib/dns/name.c: up to 1.14 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.14 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/peer.c: up to 1.8 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.13 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.24 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.15 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.12 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdataslab.c: up to 1.12 external/bsd/bind/dist/lib/dns/request.c: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.31 external/bsd/bind/dist/lib/dns/result.c: up to 1.8 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.12 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.11 external/bsd/bind/dist/lib/dns/tests/Krsa.+005+29235.key: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.9 external/bsd/bind/dist/lib/dns/tests/acl_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/dh_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rsa_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.12 external/bsd/bind/dist/lib/dns/tsec.c: up to 1.5 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.10 external/bsd/bind/dist/lib/dns/view.c: up to 1.13 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.14 external/bsd/bind/dist/lib/dns/zone.c: up to 1.17 external/bsd/bind/dist/lib/dns/zt.c: up to 1.9 external/bsd/bind/dist/lib/irs/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.10 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.9 external/bsd/bind/dist/lib/irs/include/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.10 external/bsd/bind/dist/lib/irs/tests/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/resconf_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/domain.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v6.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-debug.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-ndots.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/port.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/resolv.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/search.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/sortlist-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/isc/aes.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.22 external/bsd/bind/dist/lib/isc/backtrace-emptytbl.c: up to 1.5 external/bsd/bind/dist/lib/isc/hash.c: up to 1.11 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.10 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.11 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/backtrace.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/errno.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/isc/event.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/hmacmd5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/hmacsha.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/md5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/sha1.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sha2.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.11 external/bsd/bind/dist/lib/isc/include/isc/types.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pk11/README.site: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pk11/pk11.h: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/pk11/site.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11f.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11t.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/lex.c: up to 1.9 external/bsd/bind/dist/lib/isc/log.c: up to 1.9 external/bsd/bind/dist/lib/isc/md5.c: up to 1.9 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/mips/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.9 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/print.c: up to 1.7 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/radix.c: up to 1.9 external/bsd/bind/dist/lib/isc/random.c: up to 1.6 external/bsd/bind/dist/lib/isc/ratelimiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/sha1.c: up to 1.9 external/bsd/bind/dist/lib/isc/sha2.c: up to 1.11 external/bsd/bind/dist/lib/isc/task.c: up to 1.14 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/tests/errno_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/netaddr_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/dir.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/unix/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.12 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/include/isc/net.h: up to 1.7 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.21 external/bsd/bind/dist/lib/isc/unix/stdio.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/app.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/condition.c: up to 1.5 external/bsd/bind/dist/lib/isc/win32/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/win32/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/include/isc/ipv6.h: up to 1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.13 external/bsd/bind/dist/lib/isc/win32/stdio.c: up to 1.6 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.12 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/win32/libisccc.def: up to 1.1.1.2 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.14 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.9 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.15 external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/lwres_grbn.c: up to 1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/win32/liblwres.def: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/win32/async.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/nsprobe.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/request.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/resolve.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/update.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/tests/t_api.c: up to 1.8 external/bsd/bind/dist/make/rules.in: up to 1.8 external/bsd/bind/dist/srcid: up to 1.21 external/bsd/bind/dist/util/bindkeys.pl: up to 1.1.1.2 external/bsd/bind/dist/version: up to 1.25 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.7 external/bsd/bind/dist/win32utils/bind9.sln.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.5 external/bsd/bind/dist/win32utils/legacy/BINDBuild.dsw.in: up to 1.5 external/bsd/bind/dist/win32utils/legacy/BuildAll.bat.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildPost.bat.in: up to 1.1.1.3 external/bsd/bind/dist/win32utils/readme1st.txt: up to 1.1.1.8 external/bsd/bind/include/config.h: up to 1.21 external/bsd/bind/include/dns/code.h: up to 1.13 external/bsd/bind/include/dns/enumclass.h: up to 1.9 external/bsd/bind/include/dns/enumtype.h: up to 1.13 external/bsd/bind/include/dns/rdatastruct.h: up to 1.13 external/bsd/bind/include/isc/platform.h: up to 1.23 via patch external/bsd/bind/lib/libbind9/shlib_version: up to 1.17 external/bsd/bind/lib/libdns/Makefile: up to 1.14 external/bsd/bind/lib/libdns/shlib_version: up to 1.19 external/bsd/bind/lib/libirs/shlib_version: up to 1.6 external/bsd/bind/lib/libisc/Makefile: up to 1.8 external/bsd/bind/lib/libisc/shlib_version: up to 1.19 external/bsd/bind/lib/libisccc/shlib_version: up to 1.17 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.17 external/bsd/bind/lib/liblwres/shlib_version: up to 1.17 @ text @a0 1 d2 1 a2 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d109 1 a109 2d119 1 a119 2
d125 1 a125 1
d128 1 a128 2d7678 1 a7678 1 Zone Typesd132 1 a132 2
d500 2 a501 3
d504 1 a504 2d507 4 a510 5address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} ) d512 2 a513 3d516 1 a516 2d523 3 a525 4
- an IP address (IPv4 or IPv6)
a526 4 an IP prefix (in `/' notation)- d529 2 a530 4
- the name of an address match list defined with d532 2 a533 5
- a nested address match list enclosed in braces
d535 1 a535 2d541 1 a541 2
d548 1 a548 2
d555 1 a555 2
d560 1 a560 2
d579 1 a579 2
d595 3 a597 4
d600 1 a600 2d607 1 a607 2
d610 1 a610 2d622 2 a623 2
d626 1 a626 2d630 1 a630 1
d636 1 a636 1
d640 1 a640 1
d651 1 a651 2
d658 1 a658 1
d668 1 a668 1
d675 1 a675 2
d685 1 a685 2
d687 1 a687 1d693 5 a697 6
d700 1 a700 2d708 1 a708 2
d711 1 a711 3
d870 2 a871 4
d877 1 a877 2
d880 3 a882 4aclacl-name{address_match_list}; d884 2 a885 3d889 1 a889 2d894 1 a894 2
d897 1 a897 3
d957 2 a958 4
d964 1 a964 1
d971 1 a971 1
d987 1 a987 1
d1002 1 a1002 1
d1005 1 a1005 1
geoip country US; d1015 2 a1016 4d1019 9 a1027 9controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] }; d1029 2 a1030 4d1034 1 a1034 2d1041 1 a1041 2
d1054 1 a1054 2
d1058 1 a1058 2
d1068 1 a1068 2
d1077 1 a1077 2
d1086 1 a1086 2
d1100 1 a1100 2
d1113 1 a1113 2
d1134 1 a1134 2
d1139 2 a1140 3
d1143 3 a1145 4includefilename;d1148 1 a1148 2d1158 2 a1159 3
d1162 4 a1165 5keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1167 2 a1168 4d1171 1 a1171 2d1178 1 a1178 2
d1189 1 a1189 2
d1198 1 a1198 2
d1212 2 a1213 3
d1216 19 a1234 20logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... }; d1236 2 a1237 4d1240 1 a1240 2d1248 1 a1248 1
a1253 1 d1259 1 a1259 2
d1270 1 a1270 2
d1273 1 a1273 2d1277 1 a1277 2
d1288 1 a1288 2
d1293 1 a1293 2
d1301 1 a1301 2
d1324 1 a1324 2
d1340 1 a1340 2
a1343 1 d1350 1 a1350 2
d1372 1 a1372 1
d1375 1 a1375 1
d1384 1 a1384 1
d1396 1 a1396 2
d1405 1 a1405 2
a1418 1 d1424 1 a1424 2
d1431 1 a1431 1
d1449 1 a1449 2
d1452 1 a1452 2
a1457 1 d1485 1 a1485 2
d1493 1 a1493 2
d1503 1 a1503 2
d1509 2 a1510 3
d1513 1 a1513 2a1521 1 d1524 1 a1524 2
a1528 1 d1538 1 a1538 2
a1540 1 d1544 1 a1544 2
d1549 1 a1549 2
d1904 1 a1904 1
d1906 1 a1906 2d1909 1 a1909 2d1917 1 a1917 2
d1921 1 a1921 1
d1924 1 a1924 1
d1932 1 a1932 1
d1938 1 a1938 1
d1949 1 a1949 1
d1956 1 a1956 1
d1966 1 a1966 1
d1976 1 a1976 3
d2115 2 a2116 3
d2123 1 a2123 1
d2132 3 a2134 4
d2137 1 a2137 2d2141 7 a2147 10
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] }; d2149 2 a2150 3d2153 1 a2153 2d2161 1 a2161 2
d2172 1 a2172 2
d2183 1 a2183 2
d2191 1 a2191 2
d2200 2 a2201 2
a2203 1 d2205 2 a2206 5 mastersname[ portip_port] [ dscpip_dscp] { (masters_list; ) | (ip_addr[ portip_port] [ keykey] ; ) ... }; d2208 2 a2209 4d2213 1 a2213 2masters d2218 2 a2219 3
d2222 1 a2222 2d2226 255 a2480 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] } ; ] d2482 2 a2483 4d2487 1 a2487 2d7644 1 a7644 1 [ server-names { [d2496 1 a2496 2
d2499 1 a2499 1
d2508 1 a2508 2
d2514 1 a2514 2
d2524 1 a2524 2
d2531 1 a2531 2
a2539 1 d2554 1 a2554 2
d2569 1 a2569 2
d2581 1 a2581 1 d2583 1 a2583 2
- d2598 1 a2598 2
d2596 1 a2596 2
- d2609 1 a2609 2
d2607 1 a2607 2
- d2621 1 a2621 1
d2618 1 a2618 2
d2626 1 a2626 1
d2635 1 a2635 1 d2637 1 a2637 2
- d2646 1 a2646 2
d2644 1 a2644 2
- d2653 1 a2653 2
d2651 1 a2651 2
- d2668 1 a2668 2
d2666 1 a2666 2
- d2686 1 a2686 2
d2684 1 a2684 2
- d2697 1 a2697 2
d2694 2 a2695 3 most cases, the
key_nameshould be the server's host name.- d2701 1 a2701 2
d2699 1 a2699 2
- d2708 1 a2708 2
d2706 1 a2706 2
- d2714 1 a2714 2
d2712 1 a2712 2
- d2728 1 a2728 2
d2726 1 a2726 2
- d2735 1 a2735 2
d2733 1 a2733 2
- d2744 1 a2744 2
d2742 1 a2742 2
- d2753 1 a2753 2
d2751 1 a2751 2
- d2761 1 a2761 2
d2759 1 a2759 2
- d2773 1 a2773 2
d2771 1 a2771 2
- d2778 1 a2778 2
d2776 1 a2776 2
- d2785 1 a2785 2
d2783 1 a2783 2
- d2795 1 a2795 2
d2793 1 a2793 2
- d2802 1 a2802 2
d2800 1 a2800 2
- d2821 1 a2821 2
d2819 1 a2819 2
- d2833 1 a2833 1
d2828 1 a2828 2
d2838 1 a2838 1
d2845 1 a2845 1
d2861 1 a2861 1
d2866 1 a2866 1
a2869 1 d2875 1 a2875 2 d2878 1 a2878 1
d2886 1 a2886 1
d2891 1 a2891 1 d2894 1 a2894 1
d2902 1 a2902 1
d2907 1 a2907 1 d2910 1 a2910 1
d2922 1 a2922 1
d2928 1 a2928 1
d2933 1 a2933 1
d2944 1 a2944 1
d2951 1 a2951 1
d2957 1 a2957 1 d2959 1 a2959 2
- d2972 1 a2972 1
d2969 1 a2969 2
d2980 1 a2980 1
d2984 1 a2984 1
d2994 1 a2994 1
d3000 1 a3000 1
d3007 1 a3007 1
d3016 1 a3016 1 defaults to ::ffff:0.0.0.0/96. d3018 1 a3018 1
d3026 1 a3026 1
d3032 1 a3032 1
d3051 1 a3051 1 d3053 1 a3053 2
- d3069 1 a3069 1
d3066 1 a3066 2
d3082 1 a3082 1
d3088 1 a3088 1
d3097 1 a3097 1 d3100 1 a3100 1
d3109 1 a3109 1
d3117 1 a3117 1
d3122 1 a3122 1
d3127 1 a3127 1 d3130 1 a3130 1
d3135 1 a3135 1
d3141 1 a3141 1
d3149 1 a3149 1 d3152 1 a3152 1
d3164 1 a3164 1
d3172 1 a3172 1
d3183 1 a3183 1 d3185 1 a3185 2
d3188 1 a3188 2d3191 1 a3191 1
d3197 1 a3197 1
d3202 1 a3202 1 d3204 1 a3204 2
- d3211 1 a3211 2
d3209 1 a3209 2
- d3222 1 a3222 2
d3220 1 a3220 2
- d3229 1 a3229 2
d3227 1 a3227 2
- d3238 1 a3238 1
d3235 1 a3235 2
d3253 1 a3253 1
d3260 1 a3260 1
d3272 1 a3272 1
d3282 1 a3282 1
d3297 1 a3297 3
d3448 2 a3449 4
d3453 1 a3453 2 d3455 1 a3455 2
- d3462 1 a3462 2
d3460 1 a3460 2
- d3473 1 a3473 2
d3471 1 a3471 2
- d3480 1 a3480 2
d3478 1 a3478 2
- d3490 1 a3490 2
d3488 1 a3488 2
- d3497 1 a3497 2
d3495 1 a3495 2
- d3507 1 a3507 2
d3505 1 a3505 2
- d3516 1 a3516 2
d3514 1 a3514 2
- d3525 1 a3525 1
d3522 1 a3522 2
d3536 1 a3536 1
d3545 1 a3545 1
d3554 1 a3554 1 d3556 1 a3556 2
- d3567 1 a3567 2
d3565 1 a3565 2
- d3585 1 a3585 2
d3583 1 a3583 2
- d3596 1 a3596 2
d3594 1 a3594 2
- d3614 1 a3614 2
d3612 1 a3612 2
- d3623 1 a3623 2
d3621 1 a3621 2
- d3634 1 a3634 1
d3631 1 a3631 2
d3640 1 a3640 1
d3642 1 a3642 1d3646 2 a3647 30
- trust-anchor-telemetry
- d3649 1 a3649 2
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is
yes.- d3655 1 a3655 2
d3653 1 a3653 2
- d3666 1 a3666 2
d3664 1 a3664 2
- d3673 1 a3673 2
d3671 1 a3671 2
- d3680 1 a3680 2
d3678 1 a3678 2
- d3696 1 a3696 2
d3691 1 a3691 2
d3703 1 a3703 2
d3723 1 a3723 2
d3733 1 a3733 2
d3742 1 a3742 2
d3752 1 a3752 2
d3770 1 a3770 2 d3773 1 a3773 1
d3778 1 a3778 1
d3787 1 a3787 1 d3790 1 a3790 1
d3804 1 a3804 1
d3812 1 a3812 1
d3818 1 a3818 1
d3826 1 a3826 1
d3833 1 a3833 1
d3838 1 a3838 1 d3840 1 a3840 2
- d3848 1 a3848 1
d3845 1 a3845 2
d3858 1 a3858 1
d3870 1 a3870 1
ixfr-from-differences d3879 1 a3879 1 d3881 1 a3881 2
- d3892 1 a3892 1
d3889 1 a3889 2
d3897 1 a3897 1
d3903 1 a3903 1
d3926 1 a3926 1
d3929 1 a3929 1 d3931 1 a3931 2
- d3941 1 a3941 1
d3938 1 a3938 2
d3955 1 a3955 1
d3957 1 a3957 1d3966 1 a3966 2d3963 2 a3964 2
- d3974 1 a3974 2
d3972 1 a3972 2
- d3983 1 a3983 1
d3980 1 a3980 2
d3996 1 a3996 1
d4000 1 a4000 1
check-names d4008 1 a4008 1 d4010 1 a4010 2
- d4018 1 a4018 2
d4016 1 a4016 2
- d4025 1 a4025 2
d4023 1 a4023 2
- d4036 1 a4036 1
d4033 1 a4033 2
d4049 1 a4049 1
d4059 1 a4059 1 d4061 1 a4061 2
- d4067 1 a4067 2
d4065 1 a4065 2
- d4073 1 a4073 2
d4071 1 a4071 2
- d4078 1 a4078 2
d4076 1 a4076 2
- d4086 1 a4086 2
d4084 1 a4084 2
- d4093 1 a4093 2
d4091 1 a4091 2
- d4100 1 a4100 1
d4097 1 a4097 2
d4105 1 a4105 1
d4116 1 a4116 1
d4124 1 a4124 1 d4127 1 a4127 1
d4137 1 a4137 1
d4142 1 a4142 1 d4144 1 a4144 2
- d4151 1 a4151 1
d4148 1 a4148 2
d4159 1 a4159 1
d4166 1 a4166 1
d4173 1 a4173 1 d4175 2 a4176 4
d4179 1 a4179 2d7227 1 a7227 1 The managed-keys statement, like d7273 1 a7273 1d4189 1 a4189 2
d4191 1 a4191 2
- d4203 1 a4203 2
d4201 1 a4201 2
- d4209 1 a4209 2
d4207 1 a4207 2
d4218 2 a4219 3
d4222 1 a4222 2d4229 1 a4229 2
d4231 1 a4231 2
- d4242 2 a4243 3
d4240 1 a4240 2
d4246 1 a4246 3d4251 1 a4251 2
d4253 1 a4253 2
- d4269 1 a4269 1
d4266 1 a4266 2
d4278 1 a4278 1
d4280 1 a4280 1d4288 1 a4288 1d4284 2 a4285 2
d4295 1 a4295 1
d4301 1 a4301 1
d4307 1 a4307 1
d4311 1 a4311 1
d4313 1 a4313 1d4320 1 a4320 2d4317 2 a4318 2
- d4331 1 a4331 2
d4329 1 a4329 2
- d4339 1 a4339 2
d4337 1 a4337 2
- d4350 1 a4350 2
d4348 1 a4348 2
- d4356 1 a4356 2
d4354 1 a4354 2
- d4366 1 a4366 1
d4363 1 a4363 2
d4383 1 a4383 1
d4391 1 a4391 1 d4393 1 a4393 2
- d4403 1 a4403 2
d4401 1 a4401 2
- d4413 1 a4413 2
d4411 1 a4411 2
- d4421 1 a4421 2
d4419 1 a4419 2
- d4428 1 a4428 1
d4425 1 a4425 2
d4436 1 a4436 1
d4444 1 a4444 1
d4456 1 a4456 1
d4461 1 a4461 1
d4476 1 a4476 1 d4478 1 a4478 2
- d4486 2 a4487 4
d4484 1 a4484 2
d4490 1 a4490 2d4499 1 a4499 1
a4503 1 d4507 1 a4507 2
d4512 1 a4512 2
d4516 1 a4516 2
d4522 1 a4522 2
d4537 1 a4537 2
d4546 1 a4546 2
a4550 1 d4554 1 a4554 2
d4560 1 a4560 2
a4562 1 d4565 2 a4566 4
d4569 1 a4569 2d6829 1 a6829 1 [ keys {d4578 1 a4578 2
d4589 1 a4589 2
a4593 1 d4597 1 a4597 2
a4606 1 d4610 1 a4610 2
d4626 1 a4626 2
d4638 1 a4638 2
a4642 1 d4646 1 a4646 2
d4658 1 a4658 2
d4660 1 a4660 2
- d4664 1 a4664 2
d4662 1 a4662 2
- d4668 1 a4668 2
d4666 1 a4666 2
- d4672 1 a4672 1
d4670 1 a4670 2
d4674 1 a4674 1d4680 2 a4681 2
d4683 1 a4683 1d4687 2 a4688 2
d4690 1 a4690 1d4694 3 a4696 4
d4699 1 a4699 2d4705 1 a4705 2
d4708 1 a4708 1
d4726 1 a4726 1
d4739 1 a4739 1 d4741 1 a4741 2
- d4748 1 a4748 2
d4746 1 a4746 2
- d4755 1 a4755 2
d4753 1 a4753 2
- d4762 1 a4762 2
d4760 1 a4760 2
- d4770 1 a4770 1
d4767 1 a4767 2
d4783 1 a4783 1
d4790 1 a4790 1 d4792 1 a4792 2
- d4803 1 a4803 3
d4801 1 a4801 2
- d4825 1 a4825 2
d4823 1 a4823 3
- d4834 1 a4834 2
d4832 1 a4832 2
- d4841 1 a4841 2
d4839 1 a4839 2
- d4856 1 a4856 1
d4853 1 a4853 2
transfer-source d4877 1 a4877 1
d4879 1 a4879 1d4886 1 a4886 2d4883 2 a4884 2
- d4892 1 a4892 1
d4889 1 a4889 2
d4898 1 a4898 1
d4909 1 a4909 1 d4911 1 a4911 2- d4918 1 a4918 2
d4916 1 a4916 2
- d4927 1 a4927 1
d4924 1 a4924 2
notify-source d4941 1 a4941 1
d4943 1 a4943 1d4950 1 a4950 2d4947 2 a4948 2
- d4955 2 a4956 4
d4953 1 a4953 2
d4959 1 a4959 2a4969 1 d4974 1 a4974 2
d4980 1 a4980 2
d4997 2 a4998 3
d5001 1 a5001 2d6265 1 a6265 1d5014 1 a5014 2
d5022 1 a5022 2
d5024 1 a5024 2
- d5029 1 a5029 2
d5027 1 a5027 2
- d5046 1 a5046 2
d5044 1 a5044 2
- d5051 1 a5051 2
d5049 1 a5049 2
- d5056 2 a5057 4
d5054 1 a5054 2
d5060 1 a5060 2d5065 1 a5065 2
d5067 1 a5067 2
- d5074 1 a5074 2
d5072 1 a5072 2
d5085 1 a5085 9
- max-records
- d5087 1 a5087 2
The maximum number of records permitted in a zone. The default is zero which means unlimited.
- d5094 1 a5094 1
d5091 1 a5091 2
d5105 1 a5105 1
d5112 1 a5112 1
d5122 1 a5122 1 d5124 1 a5124 2
- d5133 1 a5133 1
d5128 1 a5128 2
These set the d5141 1 a5141 1
d5151 1 a5151 1
d5156 1 a5156 1
d5161 1 a5161 1 d5166 1 a5166 1
d5176 1 a5176 1
d5188 1 a5188 1
d5196 1 a5196 1
d5201 1 a5201 1
d5214 1 a5214 1
d5218 1 a5218 1 d5223 1 a5223 1
d5233 1 a5233 1
d5242 1 a5242 1
d5247 1 a5247 1
d5263 1 a5263 1
d5267 1 a5267 1 d5270 1 a5270 1
d5275 1 a5275 1
d5283 1 a5283 1
d5298 1 a5298 1
d5302 1 a5302 1 d5305 1 a5305 1
d5315 1 a5315 1
d5318 1 a5318 1 d5320 1 a5320 2
- d5338 1 a5338 2
d5336 1 a5336 2
- d5350 2 a5351 4
d5348 1 a5348 2
d5354 1 a5354 2d5409 2 a5410 4d5356 1 a5356 2
- d5367 1 a5367 2
d5365 1 a5365 2
- d5377 1 a5377 2
d5375 1 a5375 2
- d5393 1 a5393 1
d5390 1 a5390 2
d5402 1 a5402 1
d5406 2 a5407 2
d5413 1 a5413 2a5429 1 d5435 1 a5435 2
d5441 1 a5441 1
a5443 1 d5446 1 a5446 2
d5448 1 a5448 1d5452 3 a5454 4
d5457 1 a5457 2d5473 1 a5473 2
d5489 1 a5489 1
d5504 1 a5504 1
a5521 1 d5545 1 a5545 2
a5556 1 d5562 2 a5563 3
d5566 1 a5566 2d5576 1 a5576 2
d5580 1 a5580 1
d5586 1 a5586 1
d5591 1 a5591 1
d5594 1 a5594 2
d5638 2 a5639 3
a5641 1 d5647 1 a5647 2
d5653 1 a5653 1
d5657 1 a5657 1
d5660 1 a5660 2
d5662 1 a5662 1d5669 3 a5671 4
d5674 1 a5674 2d5677 1 a5677 1
d5685 1 a5685 2
d5691 1 a5691 2 d5693 1 a5693 2
- d5705 1 a5705 2
d5703 1 a5703 2
- d5716 1 a5716 1
d5713 1 a5713 2
d5722 1 a5722 1
d5724 1 a5724 1d5731 1 a5731 1d5727 2 a5728 2
d5745 1 a5745 1
d5750 1 a5750 1
d5756 1 a5756 1 d5758 1 a5758 2
- d5765 1 a5765 2
d5763 1 a5763 2
- d5773 1 a5773 1
d5770 1 a5770 2
d5778 1 a5778 1
d5782 1 a5782 1
d5798 1 a5798 1 d5803 1 a5803 1
d5813 1 a5813 1
d5822 1 a5822 1
d5830 1 a5830 1 d5833 1 a5833 1
d5841 1 a5841 1
d5848 1 a5848 1
d5853 1 a5853 1
d5864 1 a5864 1
d5872 1 a5872 1
d5880 1 a5880 1 d5883 1 a5883 1
d5890 1 a5890 1
d5895 1 a5895 1
d5904 1 a5904 1
d5908 1 a5908 1 d5911 1 a5911 1
Specifies d5922 1 a5922 1
d5936 1 a5936 1
d5945 1 a5945 1 d5949 1 a5949 2
- d5962 1 a5962 2
d5958 1 a5958 2
- d5973 1 a5973 1
d5970 1 a5970 2
d5977 1 a5977 1
d5981 1 a5981 1 d5983 1 a5983 2
- d5991 1 a5991 1
d5988 1 a5988 2
d5998 1 a5998 1
d6010 1 a6010 1
d6020 1 a6020 1 d6022 2 a6023 4
d6026 1 a6026 2d6223 1 a6223 1 Response Policy Zone (RPZ) Rewritingd6045 1 a6045 1
d6052 1 a6052 2
d6054 1 a6054 2
- d6063 1 a6063 2
d6061 1 a6061 2
- d6076 1 a6076 2
d6074 1 a6074 2
- d6090 2 a6091 4
d6088 1 a6088 2
d6094 1 a6094 2d6106 1 a6106 1
d6111 1 a6111 1
d6215 1 a6215 1
d6227 1 a6227 1
d6236 1 a6236 1
d6245 1 a6245 1d6247 1 a6247 2
- d6253 1 a6253 2
d6251 1 a6251 2
- d6259 1 a6259 2
d6257 1 a6257 2
- d6264 1 a6264 2
d6262 1 a6262 2
- d6269 2 a6270 3
d6267 1 a6267 2
d6273 1 a6273 3d6283 1 a6283 2
d6291 1 a6291 2
d6300 1 a6300 2
d6313 1 a6313 2
d6329 1 a6329 2
d6333 1 a6333 2
d6335 1 a6335 2
- d6340 1 a6340 2
d6338 1 a6338 2
- d6348 1 a6348 2
d6346 1 a6346 2
- d6360 2 a6361 4
d6358 1 a6358 2
d6364 1 a6364 2d6390 1 a6390 2
d6393 1 a6393 2
d6401 1 a6401 2
d6406 1 a6406 2
d6421 1 a6421 2
a6425 1 d6429 1 a6429 2
a6433 1 d6435 1 a6435 2
d6441 1 a6441 2
a6446 1 d6448 1 a6448 2
d6453 1 a6453 2
d6474 1 a6474 2
d6483 2 a6484 3
d6487 1 a6487 2d6495 1 a6495 2
d6506 1 a6506 2
d6515 1 a6515 2
d6521 1 a6521 1
d6536 1 a6536 2
d6552 1 a6552 1 d6554 1 a6554 2
- d6562 1 a6562 2
d6560 1 a6560 2
- d6569 1 a6569 2
d6567 1 a6567 2
- d6581 1 a6581 2
d6579 1 a6579 2
- d6592 1 a6592 2
d6588 1 a6588 2
d6621 1 a6621 2
d6628 1 a6628 2
d6640 1 a6640 2
- d6648 1 a6648 2
d6646 1 a6646 2
- d6655 1 a6655 2
d6653 1 a6653 2
- d6663 1 a6663 2
d6661 1 a6661 2
- d6668 1 a6668 2
d6666 1 a6666 2
- d6676 1 a6676 1
d6673 1 a6673 2
d6681 1 a6681 2
d6689 1 a6689 1 d6693 1 a6693 2
d6704 1 a6704 2
- d6708 1 a6708 2
The placeholder policy says "do not override but d6706 1 a6706 2
- d6722 1 a6722 2
d6718 1 a6718 2
- d6726 1 a6726 2
d6724 1 a6724 2
- d6733 1 a6733 2
d6729 1 a6729 2
d6744 1 a6744 2
d6755 1 a6755 2
d6782 1 a6782 2
d6789 1 a6789 2
d6793 1 a6793 1
d6797 1 a6797 1
d6839 1 a6839 1
d6854 1 a6854 2
d6858 2 a6859 3
d6862 1 a6862 2d6875 1 a6875 2
d6883 1 a6883 2
d6902 1 a6902 2
d6911 1 a6911 2
d6935 1 a6935 2
d6940 1 a6940 2
d6951 1 a6951 2
d6975 1 a6975 2
d6988 1 a6988 2
d7006 1 a7006 2
d7018 1 a7018 2
d7054 1 a7054 2
d7068 1 a7068 2
d7072 1 a7072 2
d7079 3 a7081 4
d7084 24 a7107 30server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ; d7109 2 a7110 4d7114 1 a7114 2d7123 1 a7123 2
d7138 1 a7138 2
d7144 1 a7144 1
d7160 1 a7160 2
d7170 1 a7170 2
d7184 1 a7184 2
d7189 1 a7189 2
d7208 1 a7208 2
d7216 1 a7216 9
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
d7230 1 a7230 2
transfers d7237 1 a7237 2
d7248 1 a7248 2
d7251 1 a7251 2
d7267 1 a7267 2
d7276 1 a7276 2
d7285 1 a7285 2
d7292 1 a7292 2
d7301 2 a7302 3
d7305 5 a7309 6statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... }; d7311 2 a7312 3d7316 1 a7316 2d7322 1 a7322 2
d7332 1 a7332 2
d7343 1 a7343 2
d7348 1 a7348 2
d7360 1 a7360 2
d7364 1 a7364 2
d7376 1 a7376 2
d7386 1 a7386 2
d7401 1 a7401 2
d7418 2 a7419 3
d7422 4 a7425 5trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ; d7427 2 a7428 3d7432 1 a7432 2d7443 1 a7443 1
d7451 1 a7451 1
d7460 1 a7460 1
d7467 2 a7468 3
d7471 4 a7474 5managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ; d7476 2 a7477 3d7481 1 a7481 2d7489 1 a7489 1
d7499 1 a7499 1
d7510 1 a7510 1
d7521 1 a7521 1
d7534 1 a7534 1
d7542 1 a7542 1
d7547 3 a7549 3 key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d7551 1 a7551 1
d7559 15 a7573 18
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in use, there will be a separate managed keys database for each view; the filename will be a hash of the view name followed by the suffix.mkeys.When the key database is changed, the zone is updated. As with any other dynamic zone, changes will be written into a journal file, e.g.,
managed-keys.bind.jnl. Changes are committed to the master file as soon as possible afterward; this will usually occur within 30 d7575 4 a7578 4 automatic key maintenance, the zone file and journal file can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by named.) d7580 1 a7580 1d7588 3 a7590 5 (Note: The ISC DLV service is expected to cease operation by the end of 2017.) In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d7592 2 a7593 3
d7596 8 a7603 8viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ; d7605 2 a7606 3d7609 1 a7609 2d7618 1 a7618 2
d7646 1 a7646 2
d7655 1 a7655 2
d7668 1 a7668 2
d7673 1 a7673 2
d7689 1 a7689 2
a7692 1 d7725 2 a7726 3
d7730 191 d7922 3 a7924 205zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ; d7927 2 a7928 3d7931 1 a7931 2d7934 1 a7934 2d7944 1 a7944 3
d8257 3 a8259 5
d8262 1 a8262 2d8267 1 a8267 1
d8276 1 a8276 1
d8280 2 a8281 3
d8284 1 a8284 2d8286 1 a8286 2
- d8291 1 a8291 2
d8289 1 a8289 2
- d8296 1 a8296 2
d8294 1 a8294 2
- d8301 1 a8301 2
d8299 1 a8299 2
- d8306 1 a8306 2
d8304 1 a8304 2
- d8311 1 a8311 2
d8309 1 a8309 2
- d8316 1 a8316 2
d8314 1 a8314 2
- d8321 1 a8321 2
d8319 1 a8319 2
- d8344 1 a8344 2
d8342 1 a8342 2
- d8354 1 a8354 2
d8352 1 a8352 2
- d8359 1 a8359 2
d8357 1 a8357 2
- d8364 1 a8364 2
d8362 1 a8362 2
- d8369 1 a8369 2
d8367 1 a8367 2
- d8374 1 a8374 2
d8372 1 a8372 2
- d8379 1 a8379 2
d8377 1 a8377 2
- d8384 1 a8384 2
d8382 1 a8382 2
- d8389 1 a8389 2
d8387 1 a8387 2
- d8395 1 a8395 2
d8393 1 a8393 2
- d8401 1 a8401 2
d8399 1 a8399 2
- d8406 1 a8406 2
d8404 1 a8404 2
- d8412 1 a8412 1
d8409 1 a8409 2
d8423 1 a8423 1
d8429 1 a8429 1
d8435 1 a8435 1 d8437 1 a8437 2
- d8443 1 a8443 1
d8440 1 a8440 2
d8449 1 a8449 1
d8452 1 a8452 1 d8454 1 a8454 2
- d8462 1 a8462 2
d8460 1 a8460 2
- d8469 1 a8469 2
d8467 1 a8467 2
- d8481 1 a8481 2
d8479 1 a8479 2
- d8486 1 a8486 2
d8484 1 a8484 2
- d8492 1 a8492 2
d8490 1 a8490 2
d8495 1 a8495 9
- max-records
- d8497 1 a8497 2
See the description of max-records in the section called “Server Resource Limits”.
- d8502 1 a8502 2
d8500 1 a8500 2
- d8507 1 a8507 2
d8505 1 a8505 2
- d8512 1 a8512 2
d8510 1 a8510 2
- d8517 1 a8517 2
d8515 1 a8515 2
- d8522 1 a8522 2
d8520 1 a8520 2
- d8527 1 a8527 2
d8525 1 a8525 2
- d8533 1 a8533 2
d8531 1 a8531 2
- d8542 1 a8542 2
d8540 1 a8540 2
- d8550 1 a8550 1
d8547 1 a8547 2
d8559 1 a8559 1
d8568 1 a8568 1
d8576 1 a8576 1 d8579 1 a8579 1
d8597 1 a8597 1
d8609 1 a8609 1
d8619 1 a8619 1 d8621 1 a8621 2
- d8626 1 a8626 2
d8624 1 a8624 2
- d8631 1 a8631 2
d8629 1 a8629 2
- d8636 1 a8636 2
d8634 1 a8634 2
- d8641 1 a8641 2
d8639 1 a8639 2
- d8646 1 a8646 2
d8644 1 a8644 2
- d8651 1 a8651 2
d8649 1 a8649 2
- d8656 1 a8656 2
d8654 1 a8654 2
- d8661 1 a8661 2
d8659 1 a8659 2
- d8666 1 a8666 2
d8664 1 a8664 2
- d8671 1 a8671 2
d8669 1 a8669 2
- d8678 1 a8678 2
d8674 1 a8674 2
- d8682 1 a8682 2
d8680 1 a8680 2
- d8691 1 a8691 2
d8689 1 a8689 2
- d8697 1 a8697 2
d8695 1 a8695 2
- d8704 1 a8704 2
d8702 1 a8702 2
- d8711 1 a8711 2
d8709 1 a8709 2
- d8720 1 a8720 2
d8718 1 a8718 2
- d8725 1 a8725 2
d8723 1 a8723 2
- d8730 1 a8730 2
d8728 1 a8728 2
- d8736 1 a8736 2
d8734 1 a8734 2
- d8741 2 a8742 3
d8739 1 a8739 2
d8745 1 a8745 2BIND 9 supports two alternative d8751 1 a8751 1
d8757 1 a8757 1
d8767 1 a8767 1
d8777 1 a8777 1
d8792 1 a8792 1
d8799 1 a8799 2
update-policy { grant local-ddns zonesub any; }; d8801 1 a8801 2d8805 1 a8805 2
a8807 1 d8811 1 a8811 2
d8820 1 a8820 1
d8826 1 a8826 1
d8843 1 a8843 1
d8850 1 a8850 1
d8862 1 a8862 2
d9142 2 a9143 4
d9147 1 a9147 2
d9156 2 a9157 3
d9160 1 a9160 2d9171 1 a9171 1
d9189 1 a9189 1d9193 1 a9193 1
d9201 1 a9201 1
d9208 1 a9208 1
d9212 1 a9212 1
d9216 4 a9219 5
d9222 1 a9222 2d9225 1 a9225 2d9232 1 a9232 1
d9235 1 a9235 2d9245 1 a9245 2
d9248 1 a9248 2
d9323 2 a9324 3
d9327 1 a9327 2
d10332 2 a10333 3
d10337 1 a10337 2
d10390 2 a10391 4
d10402 1 a10402 1
d10422 1 a10422 1
d10428 2 a10429 2
d10432 1 a10432 2d10445 1 a10445 1
d10451 1 a10451 1
d10462 1 a10462 1
d10466 1 a10466 1
d10469 1 a10469 2
d10573 2 a10574 3
d10580 1 a10580 1
d10584 1 a10584 1
d10587 1 a10587 2
d10625 2 a10626 3
d10630 3 a10632 4
d10635 1 a10635 2d10644 1 a10644 2
d10661 1 a10661 1
d10670 1 a10670 2
d10814 2 a10815 2d10807 1 a10807 2
d10818 1 a10818 2d10826 1 a10826 2
d10881 2 a10882 3
d10886 2 a10887 2
d10890 1 a10890 2d10905 1 a10905 2
d10936 2 a10937 3
d10939 1 a10939 1d10946 3 a10948 3
d10951 1 a10951 2d10959 1 a10959 1
d10963 1 a10963 1
d10966 1 a10966 2d10973 2 a10974 2
d10977 1 a10977 2d10982 1 a10982 1
$ORIGIN a10991 1 d10996 1 a10996 2
a10998 1 d11002 2 a11003 3
d11006 1 a11006 2d11013 1 a11013 1
d11020 1 a11020 1
d11025 1 a11025 1
d11027 1 a11027 1d11037 3 a11039 3
d11042 1 a11042 2d11048 1 a11048 1
d11053 1 a11053 1
$TTL d11056 3 a11058 3
d11061 1 a11061 2d11071 1 a11071 1
$GENERATE a11078 1 d11082 1 a11082 2
a11084 1 d11092 1 a11092 2
a11096 1 d11101 1 a11101 2
a11103 1 d11114 1 a11114 3
d11242 2 a11243 3
d11247 1 a11247 1
d11250 2 a11251 3
d11254 1 a11254 2d11259 1 a11259 1
d11265 1 a11265 1
d11273 1 a11273 1
d11284 1 a11284 1
d11292 1 a11292 1
d11309 3 a11311 4
d11314 1 a11314 2d12848 1 a12848 1d11323 1 a11323 2
d11327 1 a11327 3
d11426 2 a11427 4
d11437 1 a11437 2
d11441 1 a11441 2
d11451 1 a11451 2
d11454 1 a11454 2d11457 1 a11457 1
d11460 1 a11460 1
d11469 1 a11469 2
d11472 1 a11472 2
d11479 1 a11479 2
d11483 1 a11483 1
d11486 2 a11487 3
d11490 1 a11490 2d11506 1 a11506 2
d11509 1 a11509 3d12100 3 a12102 5
d12105 1 a12105 3d12254 3 a12256 5
d12259 1 a12259 3d12637 3 a12639 6
d12642 1 a12642 2d12657 1 a12657 3
d12792 3 a12794 5
d12797 1 a12797 2d12804 1 a12804 2
d12806 1 a12806 2
- d12813 1 a12813 2
d12811 1 a12811 2
- d12817 1 a12817 2
d12815 1 a12815 2
- d12821 1 a12821 2
d12819 1 a12819 2
- d12827 4 a12830 5
d12825 1 a12825 2
BIND 9.10.5-P1
@ 1.1.1.15.2.13 log @Pull up following revision(s) (requested by mrg in ticket #1489): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.28 external/bsd/bind/dist/README: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.29 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.21 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.16 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.14 external/bsd/bind/dist/lib/dns/api: up to 1.16 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.14 external/bsd/bind/dist/lib/dns/message.c: up to 1.24 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.13 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.11 external/bsd/bind/dist/srcid: up to 1.22 external/bsd/bind/dist/version: up to 1.26 external/bsd/bind/include/isc/platform.h: up to 1.23 Update BIND to 9.10.5-P2. @ text @d13793 1 a13793 1BIND 9.10.5-P2
@ 1.1.1.15.2.10.2.1 log @Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8. @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.1.1.15.2.10.2.2 log @Pull up following revision(s) (requested by spz in ticket #1436): distrib/sets/lists/base/ad.aarch64: patch distrib/sets/lists/base/ad.arm: patch distrib/sets/lists/base/ad.mips: patch distrib/sets/lists/base/ad.powerpc: patch distrib/sets/lists/base/md.amd64: patch distrib/sets/lists/base/md.sparc64: patch distrib/sets/lists/base/shl.mi: patch distrib/sets/lists/debug/ad.aarch64: patch distrib/sets/lists/debug/ad.arm: patch distrib/sets/lists/debug/ad.mips: patch distrib/sets/lists/debug/ad.powerpc: patch distrib/sets/lists/debug/md.amd64: patch distrib/sets/lists/debug/md.sparc64: patch distrib/sets/lists/debug/shl.mi: patch doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.27 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.12 external/bsd/bind/dist/Makefile.in: up to 1.4 external/bsd/bind/dist/README: up to 1.15 external/bsd/bind/dist/acconfig.h: up to 1.10 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.14 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.11 external/bsd/bind/dist/bin/check/win32/checkconf.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checktool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checkzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.c: up to 1.9 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.8 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.5 external/bsd/bind/dist/bin/delv/delv.c: up to 1.6 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/win32/delv.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dig.1: up to 1.13 external/bsd/bind/dist/bin/dig/dig.c: up to 1.13 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.19 external/bsd/bind/dist/bin/dig/host.1: up to 1.7 external/bsd/bind/dist/bin/dig/host.c: up to 1.12 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/win32/dig.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/dighost.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/host.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/nslookup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dnssec/dnssectool.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssectool.h: up to 1.8 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/importkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/settime.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/verify.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/bin/named/client.c: up to 1.17 external/bsd/bind/dist/bin/named/config.c: up to 1.14 external/bsd/bind/dist/bin/named/control.c: up to 1.12 external/bsd/bind/dist/bin/named/geoip.c: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/config.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/globals.h: up to 1.10 external/bsd/bind/dist/bin/named/include/named/seccomp.h: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.12 external/bsd/bind/dist/bin/named/logconf.c: up to 1.9 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.7 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/bin/named/lwsearch.c: up to 1.5 external/bsd/bind/dist/bin/named/main.c: up to 1.21 external/bsd/bind/dist/bin/named/named.8: up to 1.10 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.15 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.15 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.11 external/bsd/bind/dist/bin/named/query.c: up to 1.25 external/bsd/bind/dist/bin/named/server.c: up to 1.22 external/bsd/bind/dist/bin/named/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.10 external/bsd/bind/dist/bin/named/update.c: up to 1.13 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.13 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.16 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.12 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2h-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/python/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.7 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.8 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.8 external/bsd/bind/dist/bin/python/isc/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/__init__.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/checkds.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/coverage.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/dnskey.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/eventlist.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keydict.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyevent.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyzone.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/dnskey_test.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/utils.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/setup.py: up to 1.1.1.1 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.10 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.15 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.7 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/db/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/db/win32/t_db.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/dst/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/dst/t_dst.c: up to 1.11 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/hashes/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/hashes/t_hashes.c: up to 1.6 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/master/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/master/win32/t_master.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/mdig.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/pkcs11/README: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/create.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/privrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/pubrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.10 external/bsd/bind/dist/bin/tests/resolver/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/acl/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/additional/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/addzone/ns2/hints.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/ns2/redirect.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in delete external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c delete external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/case/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/bad-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-slip.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-window.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rpz-zone.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/good-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/checkds/dig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkds/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/checknames/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/checkzone/zones/crashzone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/conf.sh.win32: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/coverage/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/database/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dialup/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/digcomp.pl: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dlv/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/dlopen.c delete external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dns64/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dscp/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dsdigest/ns2/sign.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/feature-test.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in delete external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c delete external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/filter-aaaa.c delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in delete external/bsd/bind/dist/bin/tests/system/geoip/geoip.c delete external/bsd/bind/dist/bin/tests/system/geoip/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/glue/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/gost/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ifconfig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ifconfig.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/inline/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/integrity/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/mx-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/srv-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/legacy/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/limits/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/nosearch.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.10 external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/metadata/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/too-big.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/pending/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/pending/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11ssl/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/redirect/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/ns6/ds.example.net.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in delete external/bsd/bind/dist/bin/tests/system/rpz/rpz.c delete external/bsd/bind/dist/bin/tests/system/rpz/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip21: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/spf/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in delete external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c delete external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/stop.pl: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/stub/tests.sh: up to 1.5 external/bsd/bind/dist/bin/tests/system/tcp/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tsig/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsig/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tsig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in delete external/bsd/bind/dist/bin/tests/system/tsiggss/gssapi_krb.c delete external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/unknown/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/v6synth/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/verify/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/views/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/ns1/axfr-too-big.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/ixfr-too-big.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/xfer/ns6/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/xferquota/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/ans5/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/win32/makejournal.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.7 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.8 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.7 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.7 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.12 external/bsd/bind/dist/bind.keys: up to 1.1.1.7 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.5 external/bsd/bind/dist/config.h.in: up to 1.14 external/bsd/bind/dist/configure: up to 1.8 external/bsd/bind/dist/configure.in: up to 1.10 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.5 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.2 external/bsd/bind/dist/contrib/queryperf/utils/gen-data-queryperf.py: up to 1.1.1.4 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.6 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.20 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.15 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.10 external/bsd/bind/dist/doc/misc/options: up to 1.9 external/bsd/bind/dist/doc/misc/sort-options.pl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.1: up to 1.7 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.9 external/bsd/bind/dist/lib/Atffile: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.19 external/bsd/bind/dist/lib/bind9/check.c: up to 1.15 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/dns/acl.c: up to 1.8 external/bsd/bind/dist/lib/dns/adb.c: up to 1.13 external/bsd/bind/dist/lib/dns/api: up to 1.15 external/bsd/bind/dist/lib/dns/client.c: up to 1.13 external/bsd/bind/dist/lib/dns/db.c: up to 1.9 external/bsd/bind/dist/lib/dns/dbtable.c: up to 1.6 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.12 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.14 external/bsd/bind/dist/lib/dns/dst_gost.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/dst_internal.h: up to 1.11 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.10 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.10 external/bsd/bind/dist/lib/dns/ecdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.10 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/events.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/keytable.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/masterdump.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/peer.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.13 external/bsd/bind/dist/lib/dns/include/dns/rdata.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/rdataslab.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/tsig.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.18 external/bsd/bind/dist/lib/dns/include/dns/zt.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/include/dst/gssapi.h: up to 1.6 external/bsd/bind/dist/lib/dns/iptable.c: up to 1.6 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.12 external/bsd/bind/dist/lib/dns/masterdump.c: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.23 external/bsd/bind/dist/lib/dns/name.c: up to 1.14 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.14 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/peer.c: up to 1.8 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.13 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.24 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.15 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.12 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdataslab.c: up to 1.12 external/bsd/bind/dist/lib/dns/request.c: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.31 external/bsd/bind/dist/lib/dns/result.c: up to 1.8 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.12 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.11 external/bsd/bind/dist/lib/dns/tests/Krsa.+005+29235.key: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.9 external/bsd/bind/dist/lib/dns/tests/acl_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/dh_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rsa_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.12 external/bsd/bind/dist/lib/dns/tsec.c: up to 1.5 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.10 external/bsd/bind/dist/lib/dns/view.c: up to 1.13 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.14 external/bsd/bind/dist/lib/dns/zone.c: up to 1.17 external/bsd/bind/dist/lib/dns/zt.c: up to 1.9 external/bsd/bind/dist/lib/irs/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.10 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.9 external/bsd/bind/dist/lib/irs/include/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.10 external/bsd/bind/dist/lib/irs/tests/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/resconf_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/domain.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v6.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-debug.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-ndots.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/port.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/resolv.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/search.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/sortlist-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/isc/aes.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.22 external/bsd/bind/dist/lib/isc/backtrace-emptytbl.c: up to 1.5 external/bsd/bind/dist/lib/isc/hash.c: up to 1.11 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.10 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.11 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/backtrace.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/errno.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/isc/event.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/hmacmd5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/hmacsha.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/md5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/sha1.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sha2.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.11 external/bsd/bind/dist/lib/isc/include/isc/types.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pk11/README.site: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pk11/pk11.h: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/pk11/site.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11f.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11t.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/lex.c: up to 1.9 external/bsd/bind/dist/lib/isc/log.c: up to 1.9 external/bsd/bind/dist/lib/isc/md5.c: up to 1.9 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/mips/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.9 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/print.c: up to 1.7 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/radix.c: up to 1.9 external/bsd/bind/dist/lib/isc/random.c: up to 1.6 external/bsd/bind/dist/lib/isc/ratelimiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/sha1.c: up to 1.9 external/bsd/bind/dist/lib/isc/sha2.c: up to 1.11 external/bsd/bind/dist/lib/isc/task.c: up to 1.14 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/tests/errno_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/netaddr_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/dir.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/unix/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.12 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/include/isc/net.h: up to 1.7 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.21 external/bsd/bind/dist/lib/isc/unix/stdio.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/app.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/condition.c: up to 1.5 external/bsd/bind/dist/lib/isc/win32/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/win32/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/include/isc/ipv6.h: up to 1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.13 external/bsd/bind/dist/lib/isc/win32/stdio.c: up to 1.6 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.12 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/win32/libisccc.def: up to 1.1.1.2 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.14 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.9 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.15 external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/lwres_grbn.c: up to 1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/win32/liblwres.def: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/win32/async.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/nsprobe.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/request.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/resolve.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/update.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/tests/t_api.c: up to 1.8 external/bsd/bind/dist/make/rules.in: up to 1.8 external/bsd/bind/dist/srcid: up to 1.21 external/bsd/bind/dist/util/bindkeys.pl: up to 1.1.1.2 external/bsd/bind/dist/version: up to 1.25 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.7 external/bsd/bind/dist/win32utils/bind9.sln.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.5 external/bsd/bind/dist/win32utils/legacy/BINDBuild.dsw.in: up to 1.5 external/bsd/bind/dist/win32utils/legacy/BuildAll.bat.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildPost.bat.in: up to 1.1.1.3 external/bsd/bind/dist/win32utils/readme1st.txt: up to 1.1.1.8 external/bsd/bind/include/config.h: up to 1.21 external/bsd/bind/include/dns/code.h: up to 1.13 external/bsd/bind/include/dns/enumclass.h: up to 1.9 external/bsd/bind/include/dns/enumtype.h: up to 1.13 external/bsd/bind/include/dns/rdatastruct.h: up to 1.13 external/bsd/bind/include/isc/platform.h: up to 1.23 via patch external/bsd/bind/lib/libbind9/shlib_version: up to 1.17 external/bsd/bind/lib/libdns/Makefile: up to 1.14 external/bsd/bind/lib/libdns/shlib_version: up to 1.19 external/bsd/bind/lib/libirs/shlib_version: up to 1.6 external/bsd/bind/lib/libisc/Makefile: up to 1.8 external/bsd/bind/lib/libisc/shlib_version: up to 1.19 external/bsd/bind/lib/libisccc/shlib_version: up to 1.17 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.17 external/bsd/bind/lib/liblwres/shlib_version: up to 1.17 @ text @a0 1 d2 1 a2 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d109 1 a109 2d119 1 a119 2
d125 1 a125 1
d128 1 a128 2d5652 34 d6100 1 a6100 1 Content Filteringd132 1 a132 2
d500 2 a501 3
d504 1 a504 2d507 4 a510 5address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} ) d512 2 a513 3d516 1 a516 2d523 3 a525 4
- an IP address (IPv4 or IPv6)
a526 4 an IP prefix (in `/' notation)- d529 2 a530 4
- the name of an address match list defined with d532 2 a533 5
- a nested address match list enclosed in braces
d535 1 a535 2d541 1 a541 2
d548 1 a548 2
d555 1 a555 2
d560 1 a560 2
d579 1 a579 2
d595 3 a597 4
d600 1 a600 2d607 1 a607 2
d610 1 a610 2d622 2 a623 2
d626 1 a626 2d630 1 a630 1
d636 1 a636 1
d640 1 a640 1
d651 1 a651 2
d658 1 a658 1
d668 1 a668 1
d675 1 a675 2
d685 1 a685 2
d687 1 a687 1d693 5 a697 6
d700 1 a700 2d708 1 a708 2
d711 1 a711 3
d870 2 a871 4
d877 1 a877 2
d880 3 a882 4aclacl-name{address_match_list}; d884 2 a885 3d889 1 a889 2d894 1 a894 2
d897 1 a897 3
d957 2 a958 4
d964 1 a964 1
d971 1 a971 1
d987 1 a987 1
d1002 1 a1002 1
d1005 1 a1005 1
geoip country US; d1015 2 a1016 4d1019 9 a1027 9controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] }; d1029 2 a1030 4d1034 1 a1034 2d1041 1 a1041 2
d1054 1 a1054 2
d1058 1 a1058 2
d1068 1 a1068 2
d1077 1 a1077 2
d1086 1 a1086 2
d1100 1 a1100 2
d1113 1 a1113 2
d1134 1 a1134 2
d1139 2 a1140 3
d1143 3 a1145 4includefilename;d1148 1 a1148 2d1158 2 a1159 3
d1162 4 a1165 5keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1167 2 a1168 4d1171 1 a1171 2d1178 1 a1178 2
d1189 1 a1189 2
d1198 1 a1198 2
d1212 2 a1213 3
d1216 19 a1234 20logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... }; d1236 2 a1237 4d1240 1 a1240 2d1248 1 a1248 1
a1253 1 d1259 1 a1259 2
d1270 1 a1270 2
d1273 1 a1273 2d1277 1 a1277 2
d1288 1 a1288 2
d1293 1 a1293 2
d1301 1 a1301 2
d1324 1 a1324 2
d1340 1 a1340 2
a1343 1 d1350 1 a1350 2
d1372 1 a1372 1
d1375 1 a1375 1
d1384 1 a1384 1
d1396 1 a1396 2
d1405 1 a1405 2
a1418 1 d1424 1 a1424 2
d1431 1 a1431 1
d1449 1 a1449 2
d1452 1 a1452 2
a1457 1 d1485 1 a1485 2
d1493 1 a1493 2
d1503 1 a1503 2
d1509 2 a1510 3
d1513 1 a1513 2a1521 1 d1524 1 a1524 2
a1528 1 d1538 1 a1538 2
a1540 1 d1544 1 a1544 2
d1549 1 a1549 2
d1904 1 a1904 1
d1906 1 a1906 2d1909 1 a1909 2d1917 1 a1917 2
d1921 1 a1921 1
d1924 1 a1924 1
d1932 1 a1932 1
d1938 1 a1938 1
d1949 1 a1949 1
d1956 1 a1956 1
d1966 1 a1966 1
d1976 1 a1976 3
d2115 2 a2116 3
d2123 1 a2123 1
d2132 3 a2134 4
d2137 1 a2137 2d2141 7 a2147 10
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] }; d2149 2 a2150 3d2153 1 a2153 2d2161 1 a2161 2
d2172 1 a2172 2
d2183 1 a2183 2
d2191 1 a2191 2
d2200 2 a2201 2
a2203 1 d2205 2 a2206 5 mastersname[ portip_port] [ dscpip_dscp] { (masters_list; ) | (ip_addr[ portip_port] [ keykey] ; ) ... }; d2208 2 a2209 4d2213 1 a2213 2masters d2218 2 a2219 3
d2222 1 a2222 2d2226 255 a2480 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] } ; ] d2482 2 a2483 4d2487 1 a2487 2d4990 4 a4993 5d2496 1 a2496 2
d2499 1 a2499 1
d2508 1 a2508 2
d2514 1 a2514 2
d2524 1 a2524 2
d2531 1 a2531 2
a2539 1 d2554 1 a2554 2
d2569 1 a2569 2
d2581 1 a2581 1 d2583 1 a2583 2
- d2598 1 a2598 2
d2596 1 a2596 2
- d2609 1 a2609 2
d2607 1 a2607 2
- d2621 1 a2621 1
d2618 1 a2618 2
d2626 1 a2626 1
d2635 1 a2635 1 d2637 1 a2637 2
- d2646 1 a2646 2
d2644 1 a2644 2
- d2653 1 a2653 2
d2651 1 a2651 2
- d2668 1 a2668 2
d2666 1 a2666 2
- d2686 1 a2686 2
d2684 1 a2684 2
- d2697 1 a2697 2
d2694 2 a2695 3 most cases, the
key_nameshould be the server's host name.- d2701 1 a2701 2
d2699 1 a2699 2
- d2708 1 a2708 2
d2706 1 a2706 2
- d2714 1 a2714 2
d2712 1 a2712 2
- d2728 1 a2728 2
d2726 1 a2726 2
- d2735 1 a2735 2
d2733 1 a2733 2
- d2744 1 a2744 2
d2742 1 a2742 2
- d2753 1 a2753 2
d2751 1 a2751 2
- d2761 1 a2761 2
d2759 1 a2759 2
- d2773 1 a2773 2
d2771 1 a2771 2
- d2778 1 a2778 2
d2776 1 a2776 2
- d2785 1 a2785 2
d2783 1 a2783 2
- d2795 1 a2795 2
d2793 1 a2793 2
- d2802 1 a2802 2
d2800 1 a2800 2
- d2821 1 a2821 2
d2819 1 a2819 2
- d2833 1 a2833 1
d2828 1 a2828 2
d2838 1 a2838 1
d2845 1 a2845 1
d2861 1 a2861 1
d2866 1 a2866 1
a2869 1 d2875 1 a2875 2 d2878 1 a2878 1
d2886 1 a2886 1
d2891 1 a2891 1 d2894 1 a2894 1
d2902 1 a2902 1
d2907 1 a2907 1 d2910 1 a2910 1
d2922 1 a2922 1
d2928 1 a2928 1
d2933 1 a2933 1
d2944 1 a2944 1
d2951 1 a2951 1
d2957 1 a2957 1 d2959 1 a2959 2
- d2972 1 a2972 1
d2969 1 a2969 2
d2980 1 a2980 1
d2984 1 a2984 1
d2994 1 a2994 1
d3000 1 a3000 1
d3007 1 a3007 1
d3016 1 a3016 1 defaults to ::ffff:0.0.0.0/96. d3018 1 a3018 1
d3026 1 a3026 1
d3032 1 a3032 1
d3051 1 a3051 1 d3053 1 a3053 2
- d3069 1 a3069 1
d3066 1 a3066 2
d3082 1 a3082 1
d3088 1 a3088 1
d3097 1 a3097 1 d3100 1 a3100 1
d3109 1 a3109 1
d3117 1 a3117 1
d3122 1 a3122 1
d3127 1 a3127 1 d3130 1 a3130 1
d3135 1 a3135 1
d3141 1 a3141 1
d3149 1 a3149 1 d3152 1 a3152 1
d3164 1 a3164 1
d3172 1 a3172 1
d3183 1 a3183 1 d3185 1 a3185 2
d3188 1 a3188 2d3191 1 a3191 1
d3197 1 a3197 1
d3202 1 a3202 1 d3204 1 a3204 2
- d3211 1 a3211 2
d3209 1 a3209 2
- d3222 1 a3222 2
d3220 1 a3220 2
- d3229 1 a3229 2
d3227 1 a3227 2
- d3238 1 a3238 1
d3235 1 a3235 2
d3253 1 a3253 1
d3260 1 a3260 1
d3272 1 a3272 1
d3282 1 a3282 1
d3297 1 a3297 3
d3448 2 a3449 4
d3453 1 a3453 2 d3455 1 a3455 2
- d3462 1 a3462 2
d3460 1 a3460 2
- d3473 1 a3473 2
d3471 1 a3471 2
- d3480 1 a3480 2
d3478 1 a3478 2
- d3490 1 a3490 2
d3488 1 a3488 2
- d3497 1 a3497 2
d3495 1 a3495 2
- d3507 1 a3507 2
d3505 1 a3505 2
- d3516 1 a3516 2
d3514 1 a3514 2
- d3525 1 a3525 1
d3522 1 a3522 2
d3536 1 a3536 1
d3545 1 a3545 1
d3554 1 a3554 1 d3556 1 a3556 2
- d3567 1 a3567 2
d3565 1 a3565 2
- d3585 1 a3585 2
d3583 1 a3583 2
- d3596 1 a3596 2
d3594 1 a3594 2
- d3614 1 a3614 2
d3612 1 a3612 2
- d3623 1 a3623 2
d3621 1 a3621 2
- d3634 1 a3634 1
d3631 1 a3631 2
d3640 1 a3640 1
d3642 1 a3642 1d3646 2 a3647 30
- trust-anchor-telemetry
- d3649 1 a3649 2
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is
yes.- d3655 1 a3655 2
d3653 1 a3653 2
- d3666 1 a3666 2
d3664 1 a3664 2
- d3673 1 a3673 2
d3671 1 a3671 2
- d3680 1 a3680 2
d3678 1 a3678 2
- d3696 1 a3696 2
d3691 1 a3691 2
d3703 1 a3703 2
d3723 1 a3723 2
d3733 1 a3733 2
d3742 1 a3742 2
d3752 1 a3752 2
d3770 1 a3770 2 d3773 1 a3773 1
d3778 1 a3778 1
d3787 1 a3787 1 d3790 1 a3790 1
d3804 1 a3804 1
d3812 1 a3812 1
d3818 1 a3818 1
d3826 1 a3826 1
d3833 1 a3833 1
d3838 1 a3838 1 d3840 1 a3840 2
- d3848 1 a3848 1
d3845 1 a3845 2
d3858 1 a3858 1
d3870 1 a3870 1
ixfr-from-differences d3879 1 a3879 1 d3881 1 a3881 2
- d3892 1 a3892 1
d3889 1 a3889 2
d3897 1 a3897 1
d3903 1 a3903 1
d3926 1 a3926 1
d3929 1 a3929 1 d3931 1 a3931 2
- d3941 1 a3941 1
d3938 1 a3938 2
d3955 1 a3955 1
d3957 1 a3957 1d3966 1 a3966 2d3963 2 a3964 2
- d3974 1 a3974 2
d3972 1 a3972 2
- d3983 1 a3983 1
d3980 1 a3980 2
d3996 1 a3996 1
d4000 1 a4000 1
check-names d4008 1 a4008 1 d4010 1 a4010 2
- d4018 1 a4018 2
d4016 1 a4016 2
- d4025 1 a4025 2
d4023 1 a4023 2
- d4036 1 a4036 1
d4033 1 a4033 2
d4049 1 a4049 1
d4059 1 a4059 1 d4061 1 a4061 2
- d4067 1 a4067 2
d4065 1 a4065 2
- d4073 1 a4073 2
d4071 1 a4071 2
- d4078 1 a4078 2
d4076 1 a4076 2
- d4086 1 a4086 2
d4084 1 a4084 2
- d4093 1 a4093 2
d4091 1 a4091 2
- d4100 1 a4100 1
d4097 1 a4097 2
d4105 1 a4105 1
d4116 1 a4116 1
d4124 1 a4124 1 d4127 1 a4127 1
d4137 1 a4137 1
d4142 1 a4142 1 d4144 1 a4144 2
- d4151 1 a4151 1
d4148 1 a4148 2
d4159 1 a4159 1
d4166 1 a4166 1
d4173 1 a4173 1 d4175 2 a4176 4
d4179 1 a4179 2d4897 1 a4897 1 Operating System Resource Limitsd4189 1 a4189 2
d4191 1 a4191 2
- d4203 1 a4203 2
d4201 1 a4201 2
- d4209 1 a4209 2
d4207 1 a4207 2
d4218 2 a4219 3
d4222 1 a4222 2d4229 1 a4229 2
d4231 1 a4231 2
- d4242 2 a4243 3
d4240 1 a4240 2
d4246 1 a4246 3d4251 1 a4251 2
d4253 1 a4253 2
- d4269 1 a4269 1
d4266 1 a4266 2
d4278 1 a4278 1
d4280 1 a4280 1d4288 1 a4288 1d4284 2 a4285 2
d4295 1 a4295 1
d4301 1 a4301 1
d4307 1 a4307 1
d4311 1 a4311 1
d4313 1 a4313 1d4320 1 a4320 2d4317 2 a4318 2
- d4331 1 a4331 2
d4329 1 a4329 2
- d4339 1 a4339 2
d4337 1 a4337 2
- d4350 1 a4350 2
d4348 1 a4348 2
- d4356 1 a4356 2
d4354 1 a4354 2
- d4366 1 a4366 1
d4363 1 a4363 2
d4383 1 a4383 1
d4391 1 a4391 1 d4393 1 a4393 2
- d4403 1 a4403 2
d4401 1 a4401 2
- d4413 1 a4413 2
d4411 1 a4411 2
- d4421 1 a4421 2
d4419 1 a4419 2
- d4428 1 a4428 1
d4425 1 a4425 2
d4436 1 a4436 1
d4444 1 a4444 1
d4456 1 a4456 1
d4461 1 a4461 1
d4476 1 a4476 1 d4478 1 a4478 2
- d4486 2 a4487 4
d4484 1 a4484 2
d4490 1 a4490 2d4499 1 a4499 1
a4503 1 d4507 1 a4507 2
d4512 1 a4512 2
d4516 1 a4516 2
d4522 1 a4522 2
d4537 1 a4537 2
d4546 1 a4546 2
a4550 1 d4554 1 a4554 2
d4560 1 a4560 2
a4562 1 d4565 2 a4566 4
d4569 1 a4569 2d4547 1 a4547 1 the use-queryport-pool d4684 1 a4684 1 queries are issued at, d4855 1 a4855 1 UDP Port Listsd4578 1 a4578 2
d4589 1 a4589 2
a4593 1 d4597 1 a4597 2
a4606 1 d4610 1 a4610 2
d4626 1 a4626 2
d4638 1 a4638 2
a4642 1 d4646 1 a4646 2
d4658 1 a4658 2
d4660 1 a4660 2
- d4664 1 a4664 2
d4662 1 a4662 2
- d4668 1 a4668 2
d4666 1 a4666 2
- d4672 1 a4672 1
d4670 1 a4670 2
d4674 1 a4674 1d4680 2 a4681 2
d4683 1 a4683 1d4687 2 a4688 2
d4690 1 a4690 1d4694 3 a4696 4
d4699 1 a4699 2d4705 1 a4705 2
d4708 1 a4708 1
d4726 1 a4726 1
d4739 1 a4739 1 d4741 1 a4741 2
- d4748 1 a4748 2
d4746 1 a4746 2
- d4755 1 a4755 2
d4753 1 a4753 2
- d4762 1 a4762 2
d4760 1 a4760 2
- d4770 1 a4770 1
d4767 1 a4767 2
d4783 1 a4783 1
d4790 1 a4790 1 d4792 1 a4792 2
- d4803 1 a4803 3
d4801 1 a4801 2
- d4825 1 a4825 2
d4823 1 a4823 3
- d4834 1 a4834 2
d4832 1 a4832 2
- d4841 1 a4841 2
d4839 1 a4839 2
- d4856 1 a4856 1
d4853 1 a4853 2
transfer-source d4877 1 a4877 1
d4879 1 a4879 1d4886 1 a4886 2d4883 2 a4884 2
- d4892 1 a4892 1
d4889 1 a4889 2
d4898 1 a4898 1
d4909 1 a4909 1 d4911 1 a4911 2- d4918 1 a4918 2
d4916 1 a4916 2
- d4927 1 a4927 1
d4924 1 a4924 2
notify-source d4941 1 a4941 1
d4943 1 a4943 1d4950 1 a4950 2d4947 2 a4948 2
- d4955 2 a4956 4
d4953 1 a4953 2
d4959 1 a4959 2a4969 1 d4974 1 a4974 2
d4980 1 a4980 2
d4997 2 a4998 3
d5001 1 a5001 2d4388 1 a4388 1 Interfacesd5014 1 a5014 2
d5022 1 a5022 2
d5024 1 a5024 2
- d5029 1 a5029 2
d5027 1 a5027 2
- d5046 1 a5046 2
d5044 1 a5044 2
- d5051 1 a5051 2
d5049 1 a5049 2
- d5056 2 a5057 4
d5054 1 a5054 2
d5060 1 a5060 2d5065 1 a5065 2
d5067 1 a5067 2
- d5074 1 a5074 2
d5072 1 a5072 2
d5085 1 a5085 9
- max-records
- d5087 1 a5087 2
The maximum number of records permitted in a zone. The default is zero which means unlimited.
- d5094 1 a5094 1
d5091 1 a5091 2
d5105 1 a5105 1
d5112 1 a5112 1
d5122 1 a5122 1 d5124 1 a5124 2
- d5133 1 a5133 1
d5128 1 a5128 2
These set the d5141 1 a5141 1
d5151 1 a5151 1
d5156 1 a5156 1
d5161 1 a5161 1 d5166 1 a5166 1
d5176 1 a5176 1
d5188 1 a5188 1
d5196 1 a5196 1
d5201 1 a5201 1
d5214 1 a5214 1
d5218 1 a5218 1 d5223 1 a5223 1
d5233 1 a5233 1
d5242 1 a5242 1
d5247 1 a5247 1
d5263 1 a5263 1
d5267 1 a5267 1 d5270 1 a5270 1
d5275 1 a5275 1
d5283 1 a5283 1
d5298 1 a5298 1
d5302 1 a5302 1 d5305 1 a5305 1
d5315 1 a5315 1
d5318 1 a5318 1 d5320 1 a5320 2
- d5338 1 a5338 2
d5336 1 a5336 2
- d5350 2 a5351 4
d5348 1 a5348 2
d5354 1 a5354 2d5409 2 a5410 4d5356 1 a5356 2
- d5367 1 a5367 2
d5365 1 a5365 2
- d5377 1 a5377 2
d5375 1 a5375 2
- d5393 1 a5393 1
d5390 1 a5390 2
d5402 1 a5402 1
d5406 2 a5407 2
d5413 1 a5413 2a5429 1 d5435 1 a5435 2
d5441 1 a5441 1
a5443 1 d5446 1 a5446 2
d5448 1 a5448 1d5452 3 a5454 4
d5457 1 a5457 2d5473 1 a5473 2
d5489 1 a5489 1
d5504 1 a5504 1
a5521 1 d5545 1 a5545 2
a5556 1 d5562 2 a5563 3
d5566 1 a5566 2d5576 1 a5576 2
d5580 1 a5580 1
d5586 1 a5586 1
d5591 1 a5591 1
d5594 1 a5594 2
d5638 2 a5639 3
a5641 1 d5647 1 a5647 2
d5653 1 a5653 1
d5657 1 a5657 1
d5660 1 a5660 2
d5662 1 a5662 1d5669 3 a5671 4
d5674 1 a5674 2d5677 1 a5677 1
d5685 1 a5685 2
d5691 1 a5691 2 d5693 1 a5693 2
- d5705 1 a5705 2
d5703 1 a5703 2
- d5716 1 a5716 1
d5713 1 a5713 2
d5722 1 a5722 1
d5724 1 a5724 1d5731 1 a5731 1d5727 2 a5728 2
d5745 1 a5745 1
d5750 1 a5750 1
d5756 1 a5756 1 d5758 1 a5758 2
- d5765 1 a5765 2
d5763 1 a5763 2
- d5773 1 a5773 1
d5770 1 a5770 2
d5778 1 a5778 1
d5782 1 a5782 1
d5798 1 a5798 1 d5803 1 a5803 1
d5813 1 a5813 1
d5822 1 a5822 1
d5830 1 a5830 1 d5833 1 a5833 1
d5841 1 a5841 1
d5848 1 a5848 1
d5853 1 a5853 1
d5864 1 a5864 1
d5872 1 a5872 1
d5880 1 a5880 1 d5883 1 a5883 1
d5890 1 a5890 1
d5895 1 a5895 1
d5904 1 a5904 1
d5908 1 a5908 1 d5911 1 a5911 1
Specifies d5922 1 a5922 1
d5936 1 a5936 1
d5945 1 a5945 1 d5949 1 a5949 2
- d5962 1 a5962 2
d5958 1 a5958 2
- d5973 1 a5973 1
d5970 1 a5970 2
d5977 1 a5977 1
d5981 1 a5981 1 d5983 1 a5983 2
- d5991 1 a5991 1
d5988 1 a5988 2
d5998 1 a5998 1
d6010 1 a6010 1
d6020 1 a6020 1 d6022 2 a6023 4
d6026 1 a6026 2d4120 1 a4120 1 Dual-stack Serversd6045 1 a6045 1
d6052 1 a6052 2
d6054 1 a6054 2
- d6063 1 a6063 2
d6061 1 a6061 2
- d6076 1 a6076 2
d6074 1 a6074 2
- d6090 2 a6091 4
d6088 1 a6088 2
d6094 1 a6094 2d6106 1 a6106 1
d6111 1 a6111 1
d6215 1 a6215 1
d6227 1 a6227 1
d6236 1 a6236 1
d6245 1 a6245 1d6247 1 a6247 2
- d6253 1 a6253 2
d6251 1 a6251 2
- d6259 1 a6259 2
d6257 1 a6257 2
- d6264 1 a6264 2
d6262 1 a6262 2
- d6269 2 a6270 3
d6267 1 a6267 2
d6273 1 a6273 3d6283 1 a6283 2
d6291 1 a6291 2
d6300 1 a6300 2
d6313 1 a6313 2
d6329 1 a6329 2
d6333 1 a6333 2
d6335 1 a6335 2
- d6340 1 a6340 2
d6338 1 a6338 2
- d6348 1 a6348 2
d6346 1 a6346 2
- d6360 2 a6361 4
d6358 1 a6358 2
d6364 1 a6364 2d6390 1 a6390 2
d6393 1 a6393 2
d6401 1 a6401 2
d6406 1 a6406 2
d6421 1 a6421 2
a6425 1 d6429 1 a6429 2
a6433 1 d6435 1 a6435 2
d6441 1 a6441 2
a6446 1 d6448 1 a6448 2
d6453 1 a6453 2
d6474 1 a6474 2
d6483 2 a6484 3
d6487 1 a6487 2d6495 1 a6495 2
d6506 1 a6506 2
d6515 1 a6515 2
d6521 1 a6521 1
d6536 1 a6536 2
d6552 1 a6552 1 d6554 1 a6554 2
- d6562 1 a6562 2
d6560 1 a6560 2
- d6569 1 a6569 2
d6567 1 a6567 2
- d6581 1 a6581 2
d6579 1 a6579 2
- d6592 1 a6592 2
d6588 1 a6588 2
d6621 1 a6621 2
d6628 1 a6628 2
d6640 1 a6640 2
- d6648 1 a6648 2
d6646 1 a6646 2
- d6655 1 a6655 2
d6653 1 a6653 2
- d6663 1 a6663 2
d6661 1 a6661 2
- d6668 1 a6668 2
d6666 1 a6666 2
- d6676 1 a6676 1
d6673 1 a6673 2
d6681 1 a6681 2
d6689 1 a6689 1 d6693 1 a6693 2
d6704 1 a6704 2
- d6708 1 a6708 2
The placeholder policy says "do not override but d6706 1 a6706 2
- d6722 1 a6722 2
d6718 1 a6718 2
- d6726 1 a6726 2
d6724 1 a6724 2
- d6733 1 a6733 2
d6729 1 a6729 2
d6744 1 a6744 2
d6755 1 a6755 2
d6782 1 a6782 2
d6789 1 a6789 2
d6793 1 a6793 1
d6797 1 a6797 1
d6839 1 a6839 1
d6854 1 a6854 2
d6858 2 a6859 3
d6862 1 a6862 2d6875 1 a6875 2
d6883 1 a6883 2
d6902 1 a6902 2
d6911 1 a6911 2
d6935 1 a6935 2
d6940 1 a6940 2
d6951 1 a6951 2
d6975 1 a6975 2
d6988 1 a6988 2
d7006 1 a7006 2
d7018 1 a7018 2
d7054 1 a7054 2
d7068 1 a7068 2
d7072 1 a7072 2
d7079 3 a7081 4
d7084 24 a7107 30server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ; d7109 2 a7110 4d7114 1 a7114 2d7123 1 a7123 2
d7138 1 a7138 2
d7144 1 a7144 1
d7160 1 a7160 2
d7170 1 a7170 2
d7184 1 a7184 2
d7189 1 a7189 2
d7208 1 a7208 2
d7216 1 a7216 9
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
d7230 1 a7230 2
transfers d7237 1 a7237 2
d7248 1 a7248 2
d7251 1 a7251 2
d7267 1 a7267 2
d7276 1 a7276 2
d7285 1 a7285 2
d7292 1 a7292 2
d7301 2 a7302 3
d7305 5 a7309 6statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... }; d7311 2 a7312 3d7316 1 a7316 2d7322 1 a7322 2
d7332 1 a7332 2
d7343 1 a7343 2
d7348 1 a7348 2
d7360 1 a7360 2
d7364 1 a7364 2
d7376 1 a7376 2
d7386 1 a7386 2
d7401 1 a7401 2
d7418 2 a7419 3
d7422 4 a7425 5trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ; d7427 2 a7428 3d7432 1 a7432 2d7443 1 a7443 1
d7451 1 a7451 1
d7460 1 a7460 1
d7467 2 a7468 3
d7471 4 a7474 5managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ; d7476 2 a7477 3d7481 1 a7481 2d7489 1 a7489 1
d7499 1 a7499 1
d7510 1 a7510 1
d7521 1 a7521 1
d7534 1 a7534 1
d7542 1 a7542 1
d7547 3 a7549 3 key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d7551 1 a7551 1
d7559 15 a7573 18
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in use, there will be a separate managed keys database for each view; the filename will be a hash of the view name followed by the suffix.mkeys.When the key database is changed, the zone is updated. As with any other dynamic zone, changes will be written into a journal file, e.g.,
managed-keys.bind.jnl. Changes are committed to the master file as soon as possible afterward; this will usually occur within 30 d7575 4 a7578 4 automatic key maintenance, the zone file and journal file can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by named.) d7580 1 a7580 1d7588 3 a7590 5 (Note: The ISC DLV service is expected to cease operation by the end of 2017.) In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d7592 2 a7593 3
d7596 8 a7603 8viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ; d7605 2 a7606 3d7609 1 a7609 2d7618 1 a7618 2
d7646 1 a7646 2
d7655 1 a7655 2
d7668 1 a7668 2
d7673 1 a7673 2
d7689 1 a7689 2
a7692 1 d7725 2 a7726 3
d7730 191 d7922 3 a7924 205zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ; d7927 2 a7928 3d7931 1 a7931 2d7934 1 a7934 2d7944 1 a7944 3
d8257 3 a8259 5
d8262 1 a8262 2d8267 1 a8267 1
d8276 1 a8276 1
d8280 2 a8281 3
d8284 1 a8284 2d8286 1 a8286 2
- d8291 1 a8291 2
d8289 1 a8289 2
- d8296 1 a8296 2
d8294 1 a8294 2
- d8301 1 a8301 2
d8299 1 a8299 2
- d8306 1 a8306 2
d8304 1 a8304 2
- d8311 1 a8311 2
d8309 1 a8309 2
- d8316 1 a8316 2
d8314 1 a8314 2
- d8321 1 a8321 2
d8319 1 a8319 2
- d8344 1 a8344 2
d8342 1 a8342 2
- d8354 1 a8354 2
d8352 1 a8352 2
- d8359 1 a8359 2
d8357 1 a8357 2
- d8364 1 a8364 2
d8362 1 a8362 2
- d8369 1 a8369 2
d8367 1 a8367 2
- d8374 1 a8374 2
d8372 1 a8372 2
- d8379 1 a8379 2
d8377 1 a8377 2
- d8384 1 a8384 2
d8382 1 a8382 2
- d8389 1 a8389 2
d8387 1 a8387 2
- d8395 1 a8395 2
d8393 1 a8393 2
- d8401 1 a8401 2
d8399 1 a8399 2
- d8406 1 a8406 2
d8404 1 a8404 2
- d8412 1 a8412 1
d8409 1 a8409 2
d8423 1 a8423 1
d8429 1 a8429 1
d8435 1 a8435 1 d8437 1 a8437 2
- d8443 1 a8443 1
d8440 1 a8440 2
d8449 1 a8449 1
d8452 1 a8452 1 d8454 1 a8454 2
- d8462 1 a8462 2
d8460 1 a8460 2
- d8469 1 a8469 2
d8467 1 a8467 2
- d8481 1 a8481 2
d8479 1 a8479 2
- d8486 1 a8486 2
d8484 1 a8484 2
- d8492 1 a8492 2
d8490 1 a8490 2
d8495 1 a8495 9
- max-records
- d8497 1 a8497 2
See the description of max-records in the section called “Server Resource Limits”.
- d8502 1 a8502 2
d8500 1 a8500 2
- d8507 1 a8507 2
d8505 1 a8505 2
- d8512 1 a8512 2
d8510 1 a8510 2
- d8517 1 a8517 2
d8515 1 a8515 2
- d8522 1 a8522 2
d8520 1 a8520 2
- d8527 1 a8527 2
d8525 1 a8525 2
- d8533 1 a8533 2
d8531 1 a8531 2
- d8542 1 a8542 2
d8540 1 a8540 2
- d8550 1 a8550 1
d8547 1 a8547 2
d8559 1 a8559 1
d8568 1 a8568 1
d8576 1 a8576 1 d8579 1 a8579 1
d8597 1 a8597 1
d8609 1 a8609 1
d8619 1 a8619 1 d8621 1 a8621 2
- d8626 1 a8626 2
d8624 1 a8624 2
- d8631 1 a8631 2
d8629 1 a8629 2
- d8636 1 a8636 2
d8634 1 a8634 2
- d8641 1 a8641 2
d8639 1 a8639 2
- d8646 1 a8646 2
d8644 1 a8644 2
- d8651 1 a8651 2
d8649 1 a8649 2
- d8656 1 a8656 2
d8654 1 a8654 2
- d8661 1 a8661 2
d8659 1 a8659 2
- d8666 1 a8666 2
d8664 1 a8664 2
- d8671 1 a8671 2
d8669 1 a8669 2
- d8678 1 a8678 2
d8674 1 a8674 2
- d8682 1 a8682 2
d8680 1 a8680 2
- d8691 1 a8691 2
d8689 1 a8689 2
- d8697 1 a8697 2
d8695 1 a8695 2
- d8704 1 a8704 2
d8702 1 a8702 2
- d8711 1 a8711 2
d8709 1 a8709 2
- d8720 1 a8720 2
d8718 1 a8718 2
- d8725 1 a8725 2
d8723 1 a8723 2
- d8730 1 a8730 2
d8728 1 a8728 2
- d8736 1 a8736 2
d8734 1 a8734 2
- d8741 2 a8742 3
d8739 1 a8739 2
d8745 1 a8745 2BIND 9 supports two alternative d8751 1 a8751 1
d8757 1 a8757 1
d8767 1 a8767 1
d8777 1 a8777 1
d8792 1 a8792 1
d8799 1 a8799 2
update-policy { grant local-ddns zonesub any; }; d8801 1 a8801 2d8805 1 a8805 2
a8807 1 d8811 1 a8811 2
d8820 1 a8820 1
d8826 1 a8826 1
d8843 1 a8843 1
d8850 1 a8850 1
d8862 1 a8862 2
d9142 2 a9143 4
d9147 1 a9147 2
d9156 2 a9157 3
d9160 1 a9160 2d9171 1 a9171 1
d9189 1 a9189 1d9193 1 a9193 1
d9201 1 a9201 1
d9208 1 a9208 1
d9212 1 a9212 1
d9216 4 a9219 5
d9222 1 a9222 2d9225 1 a9225 2d9232 1 a9232 1
d9235 1 a9235 2d9245 1 a9245 2
d9248 1 a9248 2
d9323 2 a9324 3
d9327 1 a9327 2
d10332 2 a10333 3
d10337 1 a10337 2
d10390 2 a10391 4
d10402 1 a10402 1
d10422 1 a10422 1
d10428 2 a10429 2
d10432 1 a10432 2d10445 1 a10445 1
d10451 1 a10451 1
d10462 1 a10462 1
d10466 1 a10466 1
d10469 1 a10469 2
d10573 2 a10574 3
d10580 1 a10580 1
d10584 1 a10584 1
d10587 1 a10587 2
d10625 2 a10626 3
d10630 3 a10632 4
d10635 1 a10635 2d10644 1 a10644 2
d10661 1 a10661 1
d10670 1 a10670 2
d10814 2 a10815 2d10807 1 a10807 2
d10818 1 a10818 2d10826 1 a10826 2
d10881 2 a10882 3
d10886 2 a10887 2
d10890 1 a10890 2d10905 1 a10905 2
d10936 2 a10937 3
d10939 1 a10939 1d10946 3 a10948 3
d10951 1 a10951 2d10959 1 a10959 1
d10963 1 a10963 1
d10966 1 a10966 2d10973 2 a10974 2
d10977 1 a10977 2d10982 1 a10982 1
$ORIGIN a10991 1 d10996 1 a10996 2
a10998 1 d11002 2 a11003 3
d11006 1 a11006 2d11013 1 a11013 1
d11020 1 a11020 1
d11025 1 a11025 1
d11027 1 a11027 1d11037 3 a11039 3
d11042 1 a11042 2d11048 1 a11048 1
d11053 1 a11053 1
$TTL d11056 3 a11058 3
d11061 1 a11061 2d11071 1 a11071 1
$GENERATE a11078 1 d11082 1 a11082 2
a11084 1 d11092 1 a11092 2
a11096 1 d11101 1 a11101 2
a11103 1 d11114 1 a11114 3
d11242 2 a11243 3
d11247 1 a11247 1
d11250 2 a11251 3
d11254 1 a11254 2d11259 1 a11259 1
d11265 1 a11265 1
d11273 1 a11273 1
d11284 1 a11284 1
d11292 1 a11292 1
d11309 3 a11311 4
d11314 1 a11314 2d12848 1 a12848 1d11323 1 a11323 2
d11327 1 a11327 3
d11426 2 a11427 4
d11437 1 a11437 2
d11441 1 a11441 2
d11451 1 a11451 2
d11454 1 a11454 2d11457 1 a11457 1
d11460 1 a11460 1
d11469 1 a11469 2
d11472 1 a11472 2
d11479 1 a11479 2
d11483 1 a11483 1
d11486 2 a11487 3
d11490 1 a11490 2d11506 1 a11506 2
d11509 1 a11509 3d12100 3 a12102 5
d12105 1 a12105 3d12254 3 a12256 5
d12259 1 a12259 3d12637 3 a12639 6
d12642 1 a12642 2d12657 1 a12657 3
d12792 3 a12794 5
d12797 1 a12797 2d12804 1 a12804 2
d12806 1 a12806 2
- d12813 1 a12813 2
d12811 1 a12811 2
- d12817 1 a12817 2
d12815 1 a12815 2
- d12821 1 a12821 2
d12819 1 a12819 2
- d12827 4 a12830 5
d12825 1 a12825 2
BIND 9.10.5-P1
@ 1.1.1.15.2.10.2.3 log @Pull up following revision(s) (requested by mrg in ticket #1489): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.28 external/bsd/bind/dist/README: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.29 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.21 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.16 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.14 external/bsd/bind/dist/lib/dns/api: up to 1.16 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.14 external/bsd/bind/dist/lib/dns/message.c: up to 1.24 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.13 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.11 external/bsd/bind/dist/srcid: up to 1.22 external/bsd/bind/dist/version: up to 1.26 external/bsd/bind/include/isc/platform.h: up to 1.23 Update BIND to 9.10.5-P2. @ text @d13793 1 a13793 1BIND 9.10.5-P2
@ 1.1.1.15.2.5.2.1 log @Pull up following revision(s) (requested by snj in ticket #1140): distrib/sets/lists/base/ad.aarch64: patch distrib/sets/lists/base/ad.arm: patch distrib/sets/lists/base/ad.mips: patch distrib/sets/lists/base/ad.powerpc: patch distrib/sets/lists/base/md.amd64: patch distrib/sets/lists/base/md.sparc64: patch distrib/sets/lists/base/shl.mi: patch distrib/sets/lists/debug/ad.aarch64: patch distrib/sets/lists/debug/ad.arm: patch distrib/sets/lists/debug/ad.mips: patch distrib/sets/lists/debug/ad.powerpc: patch distrib/sets/lists/debug/md.amd64: patch distrib/sets/lists/debug/md.sparc64: patch distrib/sets/lists/debug/shl.mi: patch doc/3RDPARTY: patch external/bsd/bind/bind2netbsd: up to 1.3 external/bsd/bind/dist/CHANGES: up to 1.20 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.10 external/bsd/bind/dist/README: up to 1.8 external/bsd/bind/dist/bin/check/check-tool.c: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.12 external/bsd/bind/dist/bin/check/named-checkzone.c: up to 1.8 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.7 external/bsd/bind/dist/bin/confgen/util.c: up to 1.5 external/bsd/bind/dist/bin/dig/dig.1: up to 1.11 external/bsd/bind/dist/bin/dig/dig.c: up to 1.11 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.17 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.12 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.12 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.c: up to 1.12 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.17 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.16 external/bsd/bind/dist/bin/named/bind9.xsl: up to 1.1.1.8 external/bsd/bind/dist/bin/named/bind9.xsl.h: up to 1.9 external/bsd/bind/dist/bin/named/client.c: up to 1.15 external/bsd/bind/dist/bin/named/config.c: up to 1.12 external/bsd/bind/dist/bin/named/control.c: up to 1.10 external/bsd/bind/dist/bin/named/controlconf.c: up to 1.11 external/bsd/bind/dist/bin/named/include/named/lwdclient.h: up to 1.5 external/bsd/bind/dist/bin/named/include/named/main.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.10 external/bsd/bind/dist/bin/named/interfacemgr.c: up to 1.11 external/bsd/bind/dist/bin/named/logconf.c: up to 1.8 external/bsd/bind/dist/bin/named/lwdclient.c: up to 1.5 external/bsd/bind/dist/bin/named/lwresd.c: up to 1.7 external/bsd/bind/dist/bin/named/main.c: up to 1.19 external/bsd/bind/dist/bin/named/named.8: up to 1.8 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.9 external/bsd/bind/dist/bin/named/query.c: up to 1.21 external/bsd/bind/dist/bin/named/server.c: up to 1.20 external/bsd/bind/dist/bin/named/statschannel.c: up to 1.11 external/bsd/bind/dist/bin/named/update.c: up to 1.12 external/bsd/bind/dist/bin/named/win32/named.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/named.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/named.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/win32/ntservice.c: up to 1.7 external/bsd/bind/dist/bin/named/win32/os.c: up to 1.9 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.7 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.14 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.10 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zc-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8ze-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0o-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0q-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1j-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1l-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.c: up to 1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.14 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/util.c: up to 1.5 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/adb_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/backtrace_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/byaddr_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/cfg_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/compress_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/db/t_db.c: up to 1.8 external/bsd/bind/dist/bin/tests/db_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/dst/dst_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/entropy2_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/entropy_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/fromhex.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/fsaccess_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/gxba_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/gxbn_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/inter_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/keyboard_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lex_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lfsr_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/log_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lwres_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/lwresconf_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/makejournal.c: up to 1.4 external/bsd/bind/dist/bin/tests/master_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/name_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/names/t_names.c: up to 1.10 external/bsd/bind/dist/bin/tests/net/driver.c: up to 1.7 external/bsd/bind/dist/bin/tests/net/netaddr_multicast.c: up to 1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/pkcs11-hmacmd5.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/pkcs11-md5sum.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/printmsg.c: delete external/bsd/bind/dist/bin/tests/printmsg.h: delete external/bsd/bind/dist/bin/tests/ratelimiter_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/rbt/t_rbt.c: up to 1.8 external/bsd/bind/dist/bin/tests/rbt_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/serial_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/sig0_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/sock_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/sym_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/README: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/checkconf/good-class.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-caa-rr.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-dns-sd-reverse.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsap-empty.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-nsap-odd-nibble.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-unspec.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-dns-sd-reverse.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-gc-msdcs.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/good-nsap.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/cleanall.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/ditch.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlzexternal/driver.c: up to 1.4 external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey-auto.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey-update.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cdnskey.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds-auto.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds-update.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/cds.secure.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/dnssec/prereq.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.16 external/bsd/bind/dist/bin/tests/system/ednscompliance/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ans4/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named.args: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/named3.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/ns3/root.hint: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/inline/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/inline/ns3/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/zone/inheritownerafterinclude.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/masterfile/zone/inheritownerafterinclude.good: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/masterfile/zone/nameservers.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/resolver/ns4/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/test1.example.net.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns1/test2.example.net.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard1: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard2a: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard2b: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.wildcard3: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.wildcard3.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rrsetorder/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/bigkey.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/staticstub/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/staticstub/ns2/named.conf.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/named.conf.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/undelegated.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statistics/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/ns1/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/ns1/zone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/fetch.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/server-json.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/server-xml.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/stress/prereq.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.7 external/bsd/bind/dist/bin/tests/system/views/ns2/1.10.in-addr.arpa.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/views/ns2/named2.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/zonechecks/bigserial.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zonechecks/ns1/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/task_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/tasks/t_tasks.c: up to 1.8 external/bsd/bind/dist/bin/tests/timer_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/wire_test.c: up to 1.7 external/bsd/bind/dist/bin/tests/zone_test.c: up to 1.9 external/bsd/bind/dist/bin/tools/arpaname.c: up to 1.5 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.8 external/bsd/bind/dist/bin/tools/named-journalprint.c: up to 1.7 external/bsd/bind/dist/bin/tools/named-rrchecker.c: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.10 external/bsd/bind/dist/bin/win32/BINDInstall/VersionInfo.cpp: up to 1.1.1.2 external/bsd/bind/dist/config.h.in: up to 1.12 external/bsd/bind/dist/config.h.win32: up to 1.1.1.12 external/bsd/bind/dist/configure: up to 1.5 external/bsd/bind/dist/configure.in: up to 1.8 external/bsd/bind/dist/contrib/README: up to 1.1.1.3 external/bsd/bind/dist/contrib/scripts/dnssec-keyset.sh: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.14 external/bsd/bind/dist/doc/arm/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/html-fixup.pl: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/latex-fixup.pl: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.8 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.8 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/misc/rfc-compliance: up to 1.1.1.4 external/bsd/bind/dist/isc-config.sh.in: up to 1.1.1.6 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.17 external/bsd/bind/dist/lib/bind9/check.c: up to 1.13 external/bsd/bind/dist/lib/dns/adb.c: up to 1.12 external/bsd/bind/dist/lib/dns/api: up to 1.8 external/bsd/bind/dist/lib/dns/cache.c: up to 1.9 external/bsd/bind/dist/lib/dns/callbacks.c: up to 1.6 external/bsd/bind/dist/lib/dns/client.c: up to 1.11 external/bsd/bind/dist/lib/dns/diff.c: up to 1.10 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.11 external/bsd/bind/dist/lib/dns/dlz.c: up to 1.8 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.12 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.12 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.8 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.9 external/bsd/bind/dist/lib/dns/geoip.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/gssapi_link.c: up to 1.9 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.9 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/adb.h: up to 1.7 external/bsd/bind/dist/lib/dns/include/dns/log.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/name.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/resolver.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.7 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.4 external/bsd/bind/dist/lib/dns/include/dns/stats.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/update.h: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.17 external/bsd/bind/dist/lib/dns/include/dst/dst.h: up to 1.11 external/bsd/bind/dist/lib/dns/journal.c: up to 1.10 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.11 external/bsd/bind/dist/lib/dns/log.c: up to 1.9 external/bsd/bind/dist/lib/dns/master.c: up to 1.15 external/bsd/bind/dist/lib/dns/message.c: up to 1.18 external/bsd/bind/dist/lib/dns/name.c: up to 1.12 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.11 external/bsd/bind/dist/lib/dns/nsec.c: up to 1.10 external/bsd/bind/dist/lib/dns/nsec3.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/order.c: up to 1.5 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/private.c: up to 1.8 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.11 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.21 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.13 external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cert_37.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/eui48_108.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/eui64_109.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/gpos_27.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/hinfo_13.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/isdn_20.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/keydata_65533.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/l32_105.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/l64_106.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/loc_29.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rdata/generic/nid_104.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3param_51.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/null_10.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/openpgpkey_61.c: up to 1.1.1.3 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/proforma.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/sshfp_44.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/unspec_103.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/uri_256.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/x25_19.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/hs_4/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/a_1.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/aaaa_28.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/apl_42.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/in_1/dhcid_49.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap_22.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.7 external/bsd/bind/dist/lib/dns/request.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.25 external/bsd/bind/dist/lib/dns/result.c: up to 1.7 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.10 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.10 external/bsd/bind/dist/lib/dns/rrl.c: up to 1.5 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.10 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.9 external/bsd/bind/dist/lib/dns/tcpmsg.c: up to 1.5 external/bsd/bind/dist/lib/dns/tests/geoip_test.c: up to 1.4 external/bsd/bind/dist/lib/dns/tests/gost_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/tests/master_test.c: up to 1.7 external/bsd/bind/dist/lib/dns/tests/rbt_serialize_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rbt_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rdatasetstats_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.10 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.9 external/bsd/bind/dist/lib/dns/update.c: up to 1.5 external/bsd/bind/dist/lib/dns/view.c: up to 1.11 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.12 external/bsd/bind/dist/lib/dns/zone.c: up to 1.15 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.9 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.8 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isc/app_api.c: up to 1.8 external/bsd/bind/dist/lib/isc/assertions.c: up to 1.7 external/bsd/bind/dist/lib/isc/backtrace.c: up to 1.8 external/bsd/bind/dist/lib/isc/commandline.c: up to 1.6 external/bsd/bind/dist/lib/isc/entropy.c: up to 1.6 external/bsd/bind/dist/lib/isc/error.c: up to 1.5 external/bsd/bind/dist/lib/isc/heap.c: up to 1.8 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.9 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.10 external/bsd/bind/dist/lib/isc/httpd.c: up to 1.9 external/bsd/bind/dist/lib/isc/include/isc/app.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/isc/json.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/isc/mem.h: up to 1.14 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/include/isc/print.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/safe.h: up to 1.4 external/bsd/bind/dist/lib/isc/include/isc/util.h: up to 1.11 external/bsd/bind/dist/lib/isc/lex.c: up to 1.7 external/bsd/bind/dist/lib/isc/lib.c: up to 1.8 external/bsd/bind/dist/lib/isc/mem.c: up to 1.13 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.7 external/bsd/bind/dist/lib/isc/nothreads/include/isc/mutex.h: up to 1.5 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pool.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/print.c: up to 1.6 external/bsd/bind/dist/lib/isc/pthreads/mutex.c: up to 1.7 external/bsd/bind/dist/lib/isc/regex.c: up to 1.4 external/bsd/bind/dist/lib/isc/rwlock.c: up to 1.9 external/bsd/bind/dist/lib/isc/safe.c: up to 1.4 external/bsd/bind/dist/lib/isc/socket_api.c: up to 1.11 external/bsd/bind/dist/lib/isc/stats.c: up to 1.6 external/bsd/bind/dist/lib/isc/task.c: up to 1.12 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/tests/mem_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/tests/regex_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/tests/safe_test.c: up to 1.4 external/bsd/bind/dist/lib/isc/tests/socket_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/timer.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/app.c: up to 1.14 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.10 external/bsd/bind/dist/lib/isc/unix/ifiter_ioctl.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/ifiter_sysctl.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.9 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.18 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/libisc.def.exclude: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/net.c: up to 1.9 external/bsd/bind/dist/lib/isc/win32/win32os.c: up to 1.7 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/isccc/alist.c: up to 1.5 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.11 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.10 external/bsd/bind/dist/lib/isccc/sexpr.c: up to 1.6 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.17 external/bsd/bind/dist/lib/isccfg/include/isccfg/cfg.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.6 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.8 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.14 external/bsd/bind/dist/lib/lwres/herror.c: up to 1.7 external/bsd/bind/dist/lib/lwres/print.c: up to 1.7 external/bsd/bind/dist/lib/lwres/win32/socket.c: up to 1.5 external/bsd/bind/dist/lib/samples/nsprobe.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-async.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-gai.c: up to 1.1.1.5 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.6 external/bsd/bind/dist/srcid: up to 1.14 external/bsd/bind/dist/version: up to 1.18 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.5 external/bsd/bind/dist/win32utils/index.html: up to 1.1.1.7 external/bsd/bind/dist/win32utils/legacy/BuildSetup.bat.in: up to 1.1.1.5 external/bsd/bind/include/config.h: up to 1.18 external/bsd/bind/include/dns/enumclass.h: up to 1.8 external/bsd/bind/include/dns/enumtype.h: up to 1.11 external/bsd/bind/include/dns/rdatastruct.h: up to 1.11 external/bsd/bind/include/isc/platform.h: up to 1.21 external/bsd/bind/include/lwres/platform.h: up to 1.7 external/bsd/bind/lib/libbind9/shlib_version: up to 1.16 external/bsd/bind/lib/libdns/shlib_version: up to 1.18 external/bsd/bind/lib/libirs/shlib_version: up to 1.5 external/bsd/bind/lib/libisc/shlib_version: up to 1.18 external/bsd/bind/lib/libisccc/shlib_version: up to 1.16 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.16 external/bsd/bind/lib/liblwres/shlib_version: up to 1.16 Update BIND to 9.10.3-P4. @ text @d17 1 a17 1 d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d442 1 a442 1 for details on how they interpret its use. d461 1 a461 1defaultd790 1 a790 1 masters or d1164 2 a1165 2 algorithmalgorithm_id; secretsecret_string; d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2275 1 a2275 1ip_addr[portip_port] [dscpip_dscp]) ; d2323 1 a2323 1 [ address (ip6_addr|*) ] d2333 1 a2335 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2418 2 d2734 1 a2734 1 and dnssec-validation for details. d2987 1 a2987 1 IPv4 addresses are to be mapped in the corresponding d3120 1 a3120 1 As of BIND 9.10, d3530 1 a3530 1 NSID (Name Server Identifier) option is sent with all d3744 1 a3744 1 and if the response does not include DNSSEC signatures, d3756 2 a3757 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3829 2 a3830 5 This indicates whether DNSSEC-related resource records are to be returned by named. If set tono, named will not return DNSSEC-related resource records unless specifically queried for. d3834 1 a3834 2- d4076 1 a4076 1 Forwarding
d3847 1 a3847 11
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
- a5007 174
The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4996 2 a4997 2 bit of memory (on the order of 20 kilobytes), the value of the d4999 3 a5001 20 have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.- clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
- fetches-per-zone
The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetches-per-server
The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
- fetch-quota-params
- d5036 1 a5036 1 Any positive values less than 2MB will be ignored d5051 1 a5051 1 be used; on most platforms this sets the listen queue d5058 1 a5058 1 Periodic Task Intervals
Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
prefixlength.B4.B3.B2.B1.rpz-client-ip. d6274 1 a6274 1prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip. d6276 3 a6278 5 representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IP6.ARPA. (Note that this representation of IPv6 address is different from IP6.ARPA where each hex digit occupies a label.) d6283 1 a6283 1 The IPv6 prefix length must be between 1 and 128. d6594 1 a6594 1 Response Rate Limitingkey_id}; ] d6990 5 a6994 1 Only a single key per server is currently supported. d7035 1 a7035 1 option level. d7059 1 a7059 1 statistics-channels Statement Definition and d7116 2 a7117 2 included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into d7123 1 a7123 1 can request d7125 1 a7125 1 of the statistics XML schema or d7175 1 a7175 1 trusted-keys Statement Definition d7215 1 a7215 1 managed-keys Statement Grammarnamed.conf, an initializing key listed d7353 1 a7353 1 view Statement Definition and Usagenamelist] }; ] d7675 1 a7675 1 zone Statement Definition and Usagea8985 4
An in-view zone is not intended to reference a forward zone.
d8991 1 a8991 1 Zone File d9004 1 a9004 1 Resource Records a9172 52 ATMAATM Address.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a9211 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a9255 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a9280 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a9334 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a9347 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a9374 26 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NIMLOC
Nimrod Locator.
a9387 12 NSAP-PTR
Historical.
a9451 12 NULL
This is an opaque container.
a9470 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a9604 13 TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9616 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d1564 7 a1570 4 d9741 1 a9741 1 Textual expression of RRs d9944 1 a9944 1 Discussion of MX Records d10199 1 a10199 1 Inverse Mapping in IPv4 d10260 1 a10260 1 Other Zone File Directives d10275 1 a10275 1 The @@ (at-sign) d10279 1 a10279 1 At the start of the zone file, it is the d10286 1 a10286 1 The $ORIGIN Directive d10315 1 a10315 1 The $INCLUDE Directive d10351 1 a10351 1 The $TTL Directive d10370 1 a10370 1 BIND Master File Extension: the $GENERATE Directive d10567 1 a10567 1 other formats. d10587 1 a10587 1 file by the named-compilezone command. d10609 1 a10609 1 While
rawformat uses d10813 1 a10813 1 Name Server Statistics Counters d11409 1 a11409 1 Zone Maintenance Statistics Counters d11563 1 a11563 1 Resolver Statistics Counters d11946 1 a11946 1 Socket I/O Statistics Counters d12101 1 a12101 1 Compatibility with BIND 8 Counters d12153 1 a12153 1BIND 9.10.3-P4
@ 1.1.1.15.2.5.2.2 log @Pull up following revision(s) (requested by snj in ticket #1264): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.23 via patch external/bsd/bind/bind2netbsd: up to 1.4 external/bsd/bind/dist/CHANGES: up to 1.22 external/bsd/bind/dist/FAQ: up to 1.1.1.8 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.11 external/bsd/bind/dist/Makefile.in: up to 1.3 external/bsd/bind/dist/README: up to 1.10 external/bsd/bind/dist/acconfig.h: up to 1.9 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.7 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.13 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkzone.c: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.6 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/win32/confgentool.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/confgen/win32/ddnsconfgen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/confgen/win32/rndcconfgen.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/delv.c: up to 1.5 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/dig/dig.1: up to 1.12 external/bsd/bind/dist/bin/dig/dig.c: up to 1.12 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.18 external/bsd/bind/dist/bin/dig/host.1: up to 1.6 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/nslookup.1: up to 1.8 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.5 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.14 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.9 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.17 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/bin/named/bind9.xsl: up to 1.1.1.9 external/bsd/bind/dist/bin/named/bind9.xsl.h: up to 1.10 external/bsd/bind/dist/bin/named/client.c: up to 1.16 external/bsd/bind/dist/bin/named/config.c: up to 1.13 external/bsd/bind/dist/bin/named/control.c: up to 1.11 external/bsd/bind/dist/bin/named/controlconf.c: up to 1.12 external/bsd/bind/dist/bin/named/include/named/log.h: up to 1.5 external/bsd/bind/dist/bin/named/include/named/query.h: up to 1.7 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.11 external/bsd/bind/dist/bin/named/lwdgrbn.c: up to 1.8 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.6 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/bin/named/main.c: up to 1.20 external/bsd/bind/dist/bin/named/named.8: up to 1.9 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.13 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.14 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.10 external/bsd/bind/dist/bin/named/query.c: up to 1.22 external/bsd/bind/dist/bin/named/server.c: up to 1.21 external/bsd/bind/dist/bin/named/statschannel.c: up to 1.12 external/bsd/bind/dist/bin/named/unix/include/named/os.h: up to 1.5 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.9 external/bsd/bind/dist/bin/named/win32/include/named/os.h: up to 1.5 external/bsd/bind/dist/bin/named/win32/named.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/named.mak.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/named.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/bin/named/win32/named.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/win32/os.c: up to 1.10 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.12 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.9 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.8 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.15 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8ze-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-0.9.8zh-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0q-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.0t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1l-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.2 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11keygen.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11list.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.7 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.4 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.9 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.8 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/win32/rndc.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/rndc/win32/rndcutil.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.6 external/bsd/bind/dist/bin/tests/atomic/win32/t_atomic.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/dst/win32/t_dst.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/mem/win32/t_mem.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/names/win32/t_names.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/nsecify.c: up to 1.7 external/bsd/bind/dist/bin/tests/rbt/win32/t_rbt.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/rbt_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/sockaddr/win32/t_sockaddr.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/acl/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/addzone/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/addzone/ns2/named2.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/allow_query/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/autosign/clean.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/cacheclean/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/case/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/checkconf/in-view-good.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/portrange-good.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/shared.example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-any1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-any2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-in1.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/view-class-in2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checknames/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/checkzone/zones/.gitattributes: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkzone/zones/bad-badclass.raw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/delv/clean.sh delete external/bsd/bind/dist/bin/tests/system/delv/ns1/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/ns1/root.db delete external/bsd/bind/dist/bin/tests/system/delv/ns2/example.db delete external/bsd/bind/dist/bin/tests/system/delv/ns2/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/ns3/named.conf delete external/bsd/bind/dist/bin/tests/system/delv/tests.sh delete external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/DNAME=10=example.net.=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/NS=10=example.com.=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/ns1/dns-root/com/broken/dns.d/@@/SOA=10=ns.example.com.=root.example.com.=None=None=None=None=None=: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dns64/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dnssec/clean.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/example.db.in: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/generic.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/keyless.example.db.in delete external/bsd/bind/dist/bin/tests/system/dnssec/ns3/managed-future.example.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/named.conf: up to 1.1.1.13 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dnssec/signer/remove.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/signer/remove2.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.17 external/bsd/bind/dist/bin/tests/system/dscp/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/ednscompliance/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/emptyzones/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/forward/rfc1918-inherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/rfc1918-notinherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/forward/ula-inherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/forward/ula-notinherited.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/genzone.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/geoip/options.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/glue/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ixfr/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/limits/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/lwresd/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/masterfile/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nslookup/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/delegation.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad1.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad2.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/redirect/conf/bad3.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/resolver/ns1/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns6/delegation-only.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named1.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/ns7/named2.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rndc/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/ns4/named.conf.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/rpz/ns3/base.db: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrchecker/typelist.good: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/runall.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/sit/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/sortlist/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statistics/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/stub/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/tkey/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/tsiggss/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/unknown/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/views/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/xfer/dig1.good: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/dig2.good: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/knowngood.mapped: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns2/mapped.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/ns3/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/xferquota/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns2/tld.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns4/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zero/ns4/one.tld.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/tasks/win32/t_tasks.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/backtrace_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/inter_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/rwlock_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/shutdown_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/sock_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/task_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/win32/timer_test.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/wire_test.c: up to 1.8 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.6 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.7 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.6 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-rrchecker.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.6 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/win32/arpaname.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/genrandom.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/journalprint.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/rrchecker.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstall.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.11 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.h: up to 1.5 external/bsd/bind/dist/config.h.in: up to 1.13 external/bsd/bind/dist/config.h.win32: up to 1.1.1.13 external/bsd/bind/dist/configure: up to 1.6 external/bsd/bind/dist/configure.in: up to 1.9 external/bsd/bind/dist/contrib/README: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/bin/dlzbdb/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/contrib/dlz/config.dlz.in: up to 1.1.1.8 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/modules/perl/dlz_perl_driver.c: up to 1.1.1.4 external/bsd/bind/dist/contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c: up to 1.4 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/README: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/RELEASE_NOTES: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/aclocal.m4: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/acx_pthread.m4: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.guess: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.sub: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/INSTALL: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/USAGE: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/contrib/queryparse/queryparse.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/datafile.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/datafile.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dns.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dns.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dnsperf.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/dnsperf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/caching-dns-performance.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/dnsperf.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/doc/resperf.pdf: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/install-sh: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/log.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/log.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/net.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/net.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/opt.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/opt.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/os.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/os.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf-report: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf.1: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/resperf.c: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/util.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/version.h: up to 1.1.1.1 external/bsd/bind/dist/contrib/perftcpdns/perftcpdns.c: up to 1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/config.h.in: up to 1.1.1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/query-loc-0.4.0/configure.in: up to 1.1.1.4 external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.c: up to 1.6 external/bsd/bind/dist/contrib/query-loc-0.4.0/loc.h: up to 1.5 external/bsd/bind/dist/contrib/sdb/ldap/README.zone2ldap: up to 1.1.1.2 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.5 external/bsd/bind/dist/doc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.17 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/Bv9ARM.conf: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.16 external/bsd/bind/dist/doc/arm/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/README-SGML: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/html-fixup.pl delete external/bsd/bind/dist/doc/arm/latex-fixup.pl delete external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.10 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.10 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/notes.conf: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/noteversion.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/pkgversion.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/arm/releaseinfo.xml.in: up to 1.1.1.1 external/bsd/bind/dist/doc/doxygen/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/doc/misc/options: up to 1.8 external/bsd/bind/dist/doc/misc/rfc-compliance: up to 1.1.1.5 external/bsd/bind/dist/doc/tex/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/doc/tex/armstyle.sty.in: up to 1.1.1.1 external/bsd/bind/dist/doc/tex/notestyle.sty: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/arm-param.xsl: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/graphics/caution.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/caution.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/important.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/important.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/note.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/note.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/tip.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/tip.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/warning.eps: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/graphics/warning.pdf: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-latex-mappings.xml delete external/bsd/bind/dist/doc/xsl/isc-docbook-latex.xsl.in delete external/bsd/bind/dist/doc/xsl/isc-docbook-text.xsl: up to 1.1.1.4 external/bsd/bind/dist/doc/xsl/isc-manpage.xsl.in: up to 1.1.1.4 external/bsd/bind/dist/doc/xsl/isc-notes-html.xsl.in: up to 1.1.1.2 external/bsd/bind/dist/doc/xsl/isc-notes-latex.xsl.in delete external/bsd/bind/dist/doc/xsl/notes-param.xsl: up to 1.1.1.1 external/bsd/bind/dist/doc/xsl/pre-latex.xsl: up to 1.1.1.4 external/bsd/bind/dist/isc-config.sh.1: up to 1.6 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.6 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.8 external/bsd/bind/dist/isc-config.sh.in: up to 1.1.1.7 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.18 external/bsd/bind/dist/lib/bind9/check.c: up to 1.14 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/bind9/win32/libbind9.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/win32/libbind9.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/bind9/win32/libbind9.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/lib/dns/acache.c: up to 1.8 external/bsd/bind/dist/lib/dns/api: up to 1.10 external/bsd/bind/dist/lib/dns/cache.c: up to 1.10 external/bsd/bind/dist/lib/dns/client.c: up to 1.12 external/bsd/bind/dist/lib/dns/db.c: up to 1.8 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.9 external/bsd/bind/dist/lib/dns/forward.c: up to 1.6 external/bsd/bind/dist/lib/dns/gen.c: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/dbiterator.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/forward.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/name.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/journal.c: up to 1.11 external/bsd/bind/dist/lib/dns/master.c: up to 1.16 external/bsd/bind/dist/lib/dns/message.c: up to 1.20 external/bsd/bind/dist/lib/dns/name.c: up to 1.13 external/bsd/bind/dist/lib/dns/nsec3.c: up to 1.13 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.12 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.23 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.14 external/bsd/bind/dist/lib/dns/rdata/any_255/tsig_250.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/ch_3/a_1.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/afsdb_18.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/avc_258.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/avc_258.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/caa_257.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cdnskey_60.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/cds_59.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/rdata/generic/cname_5.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/csync_62.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/csync_62.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata/generic/dlv_32769.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/dname_39.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/dnskey_48.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/ds_43.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/hip_55.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/ipseckey_45.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/key_25.h: up to 1.5 external/bsd/bind/dist/lib/dns/rdata/generic/lp_107.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/rdata/generic/mb_7.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/md_3.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mf_4.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mg_8.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/minfo_14.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mr_9.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/mx_15.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/naptr_35.c: up to 1.1.1.8 external/bsd/bind/dist/lib/dns/rdata/generic/ninfo_56.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ninfo_56.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ns_2.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/nsec3_50.c: up to 1.10 external/bsd/bind/dist/lib/dns/rdata/generic/nsec_47.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/nxt_30.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata/generic/ptr_12.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/rkey_57.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/rkey_57.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/rp_17.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/generic/rrsig_46.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/generic/rt_21.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/sig_24.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/sink_40.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/sink_40.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/smimea_53.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/smimea_53.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/soa_6.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdata/generic/spf_99.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/ta_32768.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/ta_32768.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/talink_58.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/talink_58.h: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/rdata/generic/tkey_249.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/generic/tlsa_52.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/rdata/generic/txt_16.c: up to 1.9 external/bsd/bind/dist/lib/dns/rdata/in_1/a6_38.c: up to 1.7 external/bsd/bind/dist/lib/dns/rdata/in_1/kx_36.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/nsap-ptr_23.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/px_26.c: up to 1.6 external/bsd/bind/dist/lib/dns/rdata/in_1/srv_33.c: up to 1.6 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.26 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.10 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.8 external/bsd/bind/dist/lib/dns/tests/dbiterator_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/dbversion_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/dnstest.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/tests/dnstest.h: up to 1.4 external/bsd/bind/dist/lib/dns/tests/name_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.5 external/bsd/bind/dist/lib/dns/tests/rbt_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rdata_test.c: up to 1.6 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.11 external/bsd/bind/dist/lib/dns/update.c: up to 1.6 external/bsd/bind/dist/lib/dns/view.c: up to 1.12 external/bsd/bind/dist/lib/dns/win32/gen.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.8 external/bsd/bind/dist/lib/dns/win32/libdns.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/win32/libdns.vcxproj.filters.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/win32/libdns.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.13 external/bsd/bind/dist/lib/dns/zone.c: up to 1.16 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.9 external/bsd/bind/dist/lib/irs/win32/libirs.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/irs/win32/libirs.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.20 external/bsd/bind/dist/lib/isc/base32.c: up to 1.7 external/bsd/bind/dist/lib/isc/base64.c: up to 1.7 external/bsd/bind/dist/lib/isc/buffer.c: up to 1.7 external/bsd/bind/dist/lib/isc/commandline.c: up to 1.7 external/bsd/bind/dist/lib/isc/hash.c: up to 1.10 external/bsd/bind/dist/lib/isc/hex.c: up to 1.7 external/bsd/bind/dist/lib/isc/httpd.c: up to 1.10 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/include/isc/assertions.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/error.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/file.h: up to 1.10 external/bsd/bind/dist/lib/isc/include/isc/hash.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/magic.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/include/isc/result.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.10 external/bsd/bind/dist/lib/isc/include/isc/util.h: up to 1.12 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/md5.c: up to 1.8 external/bsd/bind/dist/lib/isc/mem.c: up to 1.14 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.8 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/result.c: up to 1.6 external/bsd/bind/dist/lib/isc/sockaddr.c: up to 1.8 external/bsd/bind/dist/lib/isc/sparc64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/stats.c: up to 1.7 external/bsd/bind/dist/lib/isc/string.c: up to 1.7 external/bsd/bind/dist/lib/isc/task.c: up to 1.13 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/tests/sockaddr_test.c: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/tests/socket_test.c: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.10 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.19 external/bsd/bind/dist/lib/isc/win32/file.c: up to 1.10 external/bsd/bind/dist/lib/isc/win32/include/isc/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/atomic.h: up to 1.4 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.11 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/x86_32/include/isc/atomic.h: up to 1.5 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/x86_64/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.11 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/isccc/sexpr.c: up to 1.7 external/bsd/bind/dist/lib/isccc/win32/libisccc.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccc/win32/libisccc.vcxproj.filters.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isccc/win32/libisccc.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.9 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.18 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.13 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.11 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.vcxproj.filters.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.6 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.11 external/bsd/bind/dist/lib/lwres/tests/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/lwres/win32/liblwres.dsp.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/win32/liblwres.mak.in: up to 1.1.1.4 external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.filters.in: up to 1.1.1.3 external/bsd/bind/dist/lib/lwres/win32/liblwres.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/gai.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/tests/include/tests/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/tests/win32/libtests.vcxproj.in: up to 1.1.1.2 external/bsd/bind/dist/lib/win32/bindevt/bindevt.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/make/rules.in: up to 1.7 external/bsd/bind/dist/srcid: up to 1.16 external/bsd/bind/dist/unit/unittest.sh.in: up to 1.1.1.4 external/bsd/bind/dist/version: up to 1.20 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.6 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildSetup.bat.in: up to 1.1.1.6 external/bsd/bind/include/config.h: up to 1.20 external/bsd/bind/include/dns/code.h: up to 1.12 external/bsd/bind/include/dns/enumtype.h: up to 1.12 external/bsd/bind/include/dns/rdatastruct.h: up to 1.12 external/bsd/bind/include/isc/atomic.h: up to 1.5 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P3. @ text @d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2d519 1 a519 1 the listen-on and sortlist d523 5 a527 5
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 1
- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d97 7 a103 12- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d513 1 a513 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d324 4 a327 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d435 1 a435 1 (such as max-journal-size) may d501 1 a501 1 d607 1 a607 1 d623 1 a623 1 d697 1 a697 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d530 2 a531 2
- the name of an address match list defined with the acl statement d533 1 a533 1
- a nested address match list enclosed in braces
d557 2 a558 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d564 12 a575 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d588 1 a588 1 1.2.3/24; ! 1.2.3.13; d591 1 a591 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d597 1 a597 1d713 2 a714 2d719 1 a719 1 acl
d730 1 a730 1controls
d735 1 a735 1 by the rndc utility. d741 1 a741 1include
d751 1 a751 1key
d762 1 a762 1logging
d773 1 a773 1lwres
d777 2 a778 2 configures named to also act as a light-weight resolver daemon (lwresd). d784 1 a784 1masters
d790 2 a791 2 masters or also-notify lists. d797 1 a797 1options
d808 1 a808 1server
d819 1 a819 1statistics-channels
d824 1 a824 1 named statistics. d830 1 a830 1trusted-keys
d840 1 a840 1managed-keys
d851 1 a851 1view
d861 1 a861 1zone
d872 2 a873 2 The logging and options statements may only occur once d877 1 a877 1acl acl-name { d885 1 a885 1d887 1 a887 1 acl Statement Definition and d890 1 a890 1 The acl statement assigns a symbolic d899 2 a900 2d905 1 a905 1 any
d915 1 a915 1none
d925 1 a925 1localhost
d931 1 a931 1 added or removed, the localhost d938 1 a938 1localnets
d945 1 a945 1 the localnets d950 1 a950 1 In such a case, localnets d952 1 a952 1 IPv6 addresses, just like localhost. d962 1 a962 1 geoip [dbdatabase]fieldvalued1016 1 a1016 1controls { d1030 1 a1030 1d1032 1 a1032 1 controls Statement Definition and d1035 1 a1035 1 The controls statement declares control d1038 1 a1038 1 used by the rndc utility to send d1042 4 a1045 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d1049 2 a1050 2 use an ip_addr of::. If you will only use rndc on the local host, d1056 1 a1056 1 "*" cannot be used for ip_port. d1060 2 a1061 2 restricted by the allow and keys clauses. d1063 3 a1065 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1069 1 a1069 1 A unix control channel is a UNIX domain d1071 2 a1072 2 Access to the socket is specified by the perm, owner and group clauses. d1074 1 a1074 1 (perm) are applied to the parent directory d1079 3 a1081 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1083 2 a1084 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1087 2 a1088 2 If no controls statement is present, named will set up a default d1091 3 a1093 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1104 1 a1104 1 messages and thus did not have a keys clause. d1108 2 a1109 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1125 1 a1125 1 named is running as) can access it. d1128 1 a1128 1 rndc commands, then you need to create d1136 2 a1137 2 controls statement: controls { };. d1140 1 a1140 1included1145 1 a1145 1 d1150 3 a1152 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1160 1 a1160 1filename;keykey_id{ d1169 1 a1169 1 d1173 2 a1174 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1176 2 a1177 1 (see the section called “controls Statement Definition and d1181 1 a1181 1 The key statement can occur at the d1183 2 a1184 2 of the configuration file or inside a view statement. Keys defined in top-level key d1186 3 a1188 2 a controls statement (see the section called “controls Statement Definition and d1195 1 a1195 1 be used in a server d1216 1 a1216 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1229 3 a1231 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1233 1 a1233 1 [ categorycategory_name{ d1240 1 a1240 1 d1245 1 a1245 1 The logging statement configures a d1247 1 a1247 1 variety of logging options for the name server. Its channel phrase d1249 1 a1249 1 a name that can then be used with the category phrase d1253 1 a1253 1 Only one logging statement is used to d1255 1 a1255 1 as many channels and categories as are wanted. If there is no logging statement, d1267 1 a1267 1 established as soon as the logging d1274 1 a1274 1 d1287 2 a1288 2 info), and whether to include a named-generated time stamp, the d1293 1 a1293 1 The null destination clause d1298 1 a1298 1 The file destination clause directs d1306 1 a1306 1 If you use the versions log file d1308 1 a1308 1 named will retain that many backup d1318 1 a1318 1 You can say versions unlimited to d1321 1 a1321 1 If a size option is associated with d1329 1 a1329 1 The size option for files is used d1331 2 a1332 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1336 1 a1336 1 versions option, no more data will d1345 2 a1346 2 Example usage of the size and versions options: d1355 1 a1355 1 The syslog destination clause d1358 9 a1366 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1369 1 a1369 1 How syslog will handle messages d1371 3 a1373 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1380 1 a1380 1 The severity clause works like syslog's d1382 1 a1382 1 straight to a file rather than using syslog. d1389 1 a1389 1 If you are using syslog, then the syslog.conf priorities d1391 7 a1397 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1401 1 a1401 1 The stderr destination clause d1414 1 a1414 1 level is set either by starting the named server d1416 1 a1416 1 or by running rndc trace. d1418 1 a1418 1 can be set to zero, and debugging mode turned off, by running rndc d1431 1 a1431 1 level. Channels with dynamic d1436 1 a1436 1 If print-time has been turned on, d1438 2 a1439 2 the date and time will be logged. print-time may be specified for a syslog channel, d1441 1 a1441 1 pointless since syslog also logs d1443 1 a1443 1 time. If print-category is d1445 2 a1446 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1450 1 a1450 1 three print- options d1458 1 a1458 1 named's default logging as follows. d1460 1 a1460 1 used is described in the section called “The category Phrase”. d1490 1 a1490 1 The default_debug channel has the d1500 1 a1500 1 is created only after named has d1502 1 a1502 1 new UID, and any debug output generated while named is d1514 1 a1514 1 d1522 1 a1522 1 in that category will be sent to the default category d1543 1 a1543 1 To discard all messages in a category, specify the null channel: d1555 2 a1556 2d1561 2 a1562 2 client
Processing of client requests.
d1574 2 a1575 2cname
d1577 5 a1581 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1585 2 a1586 2config
d1588 6 a1593 4Configuration file parsing and processing.
d1597 2 a1598 2database
d1600 4 a1603 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1607 2 a1608 2default
d1610 4 a1613 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1617 2 a1618 2delegation-only
d1620 6 a1625 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1629 2 a1630 2dispatch
d1632 4 a1635 5Dispatching of incoming packets to the server modules where they are to be processed.
d1639 2 a1640 2dnssec
d1642 4 a1645 4DNSSEC and TSIG protocol processing.
d1649 2 a1650 2edns-disabled
d1652 4 a1655 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1659 2 a1660 2general
d1662 4 a1665 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1669 2 a1670 2lame-servers
d1672 9 a1680 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1684 2 a1685 2network
d1687 4 a1690 4Network operations.
d1694 2 a1695 2notify
d1697 4 a1700 4The NOTIFY protocol.
d1704 2 a1705 2queries
d1707 4 a1710 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1714 2 a1715 2query-errors
d1717 35 a1751 5Information about queries that resulted in some failure.
d1755 2 a1756 2rate-limit
d1758 5 a1762 20The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1766 2 a1767 2resolver
d1769 5 a1773 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1777 2 a1778 2rpz
d1780 4 a1783 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1787 2 a1788 2security
d1790 6 a1795 4Approval and denial of requests.
d1799 2 a1800 2spill
d1802 8 a1809 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1813 2 a1814 2unmatched
d1816 28 a1843 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1847 2 a1848 2update
d1850 7 a1856 4Dynamic updates.
d1860 2 a1861 2update-security
d1863 20 a1882 4Approval and denial of update requests.
d1886 2 a1887 2xfer-in
d1889 5 a1893 14Zone transfers the server is receiving.
xfer-out
d1898 1 a1898 1 d1902 1 a1902 1 The query-errors category is d1907 1 a1907 1 with debug levels. d1970 2 a1971 2 Zone transfers the server is sending.
d2126 1 a2126 1 d2130 1 a2130 1 This is the grammar of the lwres d2133 1 a2133 1 lwres { d2142 1 a2142 1 d2146 1 a2146 1 The lwres statement configures the d2149 2 a2150 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2154 1 a2154 1 The listen-on statement specifies a d2165 1 a2165 1 The view statement binds this d2176 1 a2176 1 The search statement is equivalent to d2178 1 a2178 1 search statement in d2184 1 a2184 1 The ndots statement is equivalent to d2186 1 a2186 1 ndots statement in d2193 1 a2193 1 d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2201 1 a2201 1d2203 1 a2203 1 masters Statement Definition and d2205 1 a2205 1d2215 1 a2215 1 This is the grammar of the options d2218 1 a2218 1masters d2207 2 a2208 2 multiple stub and slave zones in their masters or also-notify lists. d2211 1 a2211 1
options { a2258 2 [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] a2263 1 [ auto-dnssecallow|maintain|off; ] d2340 1 a2340 1 [ fetches-per-zonenumber[(drop | fail)]; ] d2357 3 a2359 2 [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr[portip_port] ) [keykeyname] ; ... }; ] d2376 1 a2376 2 [ max-zone-ttl (unlimited|number; ] [ serial-update-methodincrement|unixtime|date; ] d2404 1 a2404 1 [ suffixIPv6-address; ] a2466 1 [ automatic-interface-scanyes_or_no] d2471 1 a2471 1d2473 1 a2473 1 options Statement Definition and d2476 1 a2476 1 The options statement sets up global d2480 1 a2480 1 once in a configuration file. If there is no options d2484 2 a2485 2d4145 2 a4146 2
- attach-cache
d2497 2 a2498 2 The attach-cache option may also be specified in view d2500 1 a2500 1 global attach-cache option. d2505 1 a2505 1 When the named server configures d2516 1 a2516 1 the attach-cache as a global d2525 1 a2525 1 attach-cache option as a view A (or d2548 8 a2555 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2570 1 a2570 1- directory
d2585 1 a2585 1- geoip-directory
d2592 2 a2593 1 (For details, see the section called “acl Statement Definition and d2595 1 a2595 1 geoip ACL.) d2597 1 a2597 1- key-directory
d2608 1 a2608 1- managed-keys-directory
d2616 1 a2616 1 If named is not configured to use views, d2625 1 a2625 1- named-xfer
d2629 1 a2629 1 the pathname to the named-xfer d2631 1 a2631 1 named-xfer program is needed; d2634 1 a2634 1- tkey-gssapi-keytab
d2641 1 a2641 1- tkey-gssapi-credential
d2652 1 a2652 1 To use GSS-TSIG, tkey-domain must d2656 1 a2656 1- tkey-domain
d2659 2 a2660 2 generated with TKEY. When a client requests a TKEY exchange, d2667 1 a2667 1 In most cases, the domainname d2674 1 a2674 1- tkey-dhkey
d2679 1 a2679 1 of TKEY. The server must be d2685 1 a2685 1- cache-file
d2689 1 a2689 1- dump-file
d2693 1 a2693 1 rndc dumpdb. d2696 1 a2696 1- memstatistics-file
d2702 1 a2702 1- pid-file
d2709 1 a2709 1 name server. Specifying pid-file none disables the d2711 1 a2711 1 existing one will be removed. Note that none d2716 1 a2716 1- recursing-file
d2720 1 a2720 1 to do so with rndc recursing. d2723 1 a2723 1- statistics-file
d2726 1 a2726 1 to when instructed to do so using rndc stats. d2730 1 a2730 1 in the section called “The Statistics File”. d2732 1 a2732 1- bindkeys-file
d2735 3 a2737 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2741 1 a2741 1- secroots-file
d2745 1 a2745 1 rndc secroots. d2749 1 a2749 1- session-keyfile
d2752 2 a2753 2 session key generated by named for use by nsupdate -l. If not specified, the d2755 1 a2755 1 (See the section called “Dynamic Update Policies”, and in d2757 1 a2757 1 update-policy statement's d2761 1 a2761 1- session-keyname
d2766 1 a2766 1- session-keyalg
d2773 1 a2773 1- port
d2783 1 a2783 1- dscp
d2790 1 a2790 1- random-device
d2804 1 a2804 1 random-device option takes d2809 1 a2809 1- preferred-glue
d2814 1 a2814 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2817 1 a2817 1 root-delegation-only d2863 1 a2863 1- disable-algorithms
d2868 1 a2868 1 Multiple disable-algorithms d2870 1 a2870 1 Only the best match disable-algorithms d2875 1 a2875 1 by the disable-algorithms will be treated d2879 1 a2879 1- disable-ds-digests
d2884 1 a2884 1 Multiple disable-ds-digests d2886 1 a2886 1 Only the best match disable-ds-digests d2891 1 a2891 1 by the disable-ds-digests will be treated d2895 1 a2895 1- dnssec-lookaside
d2898 1 a2898 1 When set, dnssec-lookaside provides the d2902 1 a2902 1 dnssec-lookaside, and the normal DNSSEC d2910 1 a2910 1 If dnssec-lookaside is set to d2916 1 a2916 1 If dnssec-lookaside is set to d2923 2 a2924 2 named will load that key at startup if dnssec-lookaside is set to d2929 1 a2929 1 from https://www.isc.org/solutions/dlv/. d2934 2 a2935 2 named. Relying on this is not recommended, however, as it requires named d2939 1 a2939 1 NOTE: named only loads certain specific d2945 1 a2945 1- dnssec-must-be-secure
d2949 1 a2949 1 then named will only accept answers if d2953 3 a2955 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2957 1 a2957 1- dns64
d2960 1 a2960 1 This directive instructs named to d2964 1 a2964 1 dns64 defines one DNS64 prefix. d2975 2 a2976 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2982 2 a2983 2 Each dns64 supports an optional clients ACL that determines which d2988 2 a2989 2 Each dns64 supports an optional mapped ACL that selects which d2998 1 a2998 1 exclude ACL allows specification d3002 1 a3002 1 name owns. If not defined, exclude d3006 1 a3006 1 A optional suffix can also d3014 2 a3015 2 If recursive-only is set to yes the DNS64 synthesis will d3017 1 a3017 1 is no. d3020 2 a3021 2 If break-dnssec is set to yes the DNS64 synthesis will d3024 1 a3024 1 is set to no (the default), the DO d3039 1 a3039 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d3046 2 a3047 2 the section called “Dynamic Update Policies”), and if named has access to the d3049 1 a3049 1 named will automatically sign all new d3056 1 a3056 1 then named will sign all new or d3061 1 a3061 1 With either of these settings, named d3064 1 a3064 1 named. (A planned third option, d3070 1 a3070 1- max-zone-ttl
a3093 27The default value is
unlimited. Amax-zone-ttlof zero is treated asunlimited.- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
d3095 1 a3095 1- zone-statistics
d3101 3 a3103 3 zone-statistics terse or zone-statistics none in the zone statement). d3111 2 a3112 2 statistics-channel or using rndc stats, which d3114 2 a3115 2 in the statistics-file. See also the section called “The Statistics File”. d3119 1 a3119 1 of BIND 9, the zone-statistics d3130 1 a3130 1d3133 2 a3134 2d4104 2 a4105 2
- automatic-interface-scan
d3144 1 a3144 1 automatic-interface-scan to be d3148 1 a3148 1- allow-new-zones
d3151 2 a3152 2 added at runtime via rndc addzone or deleted via rndc delzone. d3155 1 a3155 1- auth-nxdomain
d3157 1 a3157 1 Ifyes, then the AA bit d3166 1 a3166 1- deallocate-on-exit
d3173 1 a3173 1- memstatistics
d3176 1 a3176 1 memstatistics-file at exit. d3181 1 a3181 1- dialup
d3193 1 a3193 1 happens in a short interval, once every heartbeat-interval and d3199 4 a3202 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3215 1 a3215 1 notify and also-notify. d3223 1 a3223 1 heartbeat-interval expires in d3236 1 a3236 1 when the heartbeat-interval d3244 4 a3247 4d3274 1 a3274 1 no (default)
d3294 1 a3294 1yes
d3314 1 a3314 1notify
d3334 1 a3334 1refresh
d3354 1 a3354 1passive
d3374 1 a3374 1notify-passive
d3396 1 a3396 1 dialup. d3399 1 a3399 1- fake-iquery
d3406 1 a3406 1- fetch-glue
d3417 1 a3417 1- flush-zones-on-shutdown
d3422 1 a3422 1 flush-zones-on-shutdownno. d3424 1 a3424 1- has-old-clients
d3430 3 a3432 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3434 1 a3434 1- host-statistics
d3441 1 a3441 1- maintain-ixfr-base
d3449 1 a3449 1 transfers, use provide-ixfrno. d3451 1 a3451 1- minimal-responses
d3460 1 a3460 1- multiple-cnames
d3468 1 a3468 1- notify
d3474 1 a3474 1 changes, see the section called “Notify”. The messages are d3479 1 a3479 1 also-notify option. d3487 1 a3487 1 servers explicitly listed using also-notify. d3491 2 a3492 2 The notify option may also be specified in the zone d3494 1 a3494 1 in which case it overrides the options notify statement. d3500 1 a3500 1- notify-to-soa
d3511 1 a3511 1- recursion
d3522 1 a3522 1 Note that setting recursion no does not prevent d3528 1 d3530 1 a3530 1- request-nsid
d3537 2 a3538 2 the resolver category at level info. d3541 1 a3541 1- request-sit
d3557 1 a3557 1 the nosit-udp-size option. d3559 1 a3559 10- nosit-udp-size
Sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. A value below 128 will be silently raised to 128. The default value is 4096, but the max-udp-size option may further limit the response size.
- sit-secret
d3569 1 a3569 1- rfc2308-type1
d3585 1 a3585 1- use-id-pool
d3591 1 a3591 1- use-ixfr
d3596 3 a3598 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3601 1 a3601 1 the section called “Incremental Zone Transfers (IXFR)”. d3603 1 a3603 1- provide-ixfr
d3606 3 a3608 2 provide-ixfr in the section called “server Statement Definition and d3611 1 a3611 1- request-ixfr
d3614 3 a3616 2 request-ixfr in the section called “server Statement Definition and d3619 1 a3619 1- treat-cr-as-space
d3623 1 a3623 1 the server treat carriage return ("\r") characters the same way d3627 2 a3628 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3633 1 a3633 1 additional-from-auth, additional-from-cache d3668 1 a3668 1 Setting these options to no d3676 1 a3676 1 them to no without also d3678 1 a3678 1 recursion no will cause the d3683 1 a3683 1 Specifying additional-from-cache no actually d3703 1 a3703 1 referrals when additional-from-cache no d3711 1 a3711 1- match-mapped-addresses
d3724 1 a3724 1 named now solves this problem d3728 1 a3728 1- filter-aaaa-on-v4
d3739 3 a3741 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3746 1 a3746 1 the DNS client is at an IPv4 address, in filter-aaaa, d3779 1 a3779 1- filter-aaaa-on-v6
d3781 1 a3781 1 Identical to filter-aaaa-on-v4, d3786 1 a3786 1- ixfr-from-differences
d3810 3 a3812 3ixfr-from-differences also accepts master and slave at the view and options d3814 3 a3816 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3820 1 a3820 1
- multi-master
d3824 1 a3824 1 addresses refer to different machines. Ifyes, named will d3826 1 a3826 1 when the serial number on the master is less than what named d3830 1 a3830 41- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
d3833 1 a3833 1 records are to be returned by named. d3835 1 a3835 1 named will not return DNSSEC-related d3839 1 a3839 1- dnssec-validation
d3842 2 a3843 2 Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3851 2 a3852 2 a trusted-keys or managed-keys statement. The default d3861 1 a3861 1 dnssec-validation is off. d3865 1 a3865 1- dnssec-accept-expired
d3870 1 a3870 1 leaves named vulnerable to d3873 1 a3873 1- querylog
d3875 1 a3875 1 Specify whether query logging should be started when named d3877 1 a3877 1 If querylog is not specified, d3879 1 a3879 1 is determined by the presence of the logging category queries. d3881 1 a3881 1- check-names
d3890 5 a3894 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3900 1 a3900 1check-names d3909 1 a3909 1
- check-dup-records
d3913 3 a3915 3 default is to warn. Other possible values are fail and ignore. d3917 1 a3917 1- check-mx
d3920 3 a3922 3 The default is to warn. Other possible values are fail and ignore. d3924 1 a3924 1- check-wildcard
d3931 1 a3931 1 affects master zones. The default (yes) is to check d3934 1 a3934 1- check-integrity
d3943 1 a3943 1 named-checkzone). d3946 2 a3947 2 checks use named-checkzone). The default is yes. d3957 1 a3957 1 check-spf. d3960 1 a3960 1- check-mx-cname
d3962 1 a3962 1 If check-integrity is set then d3964 1 a3964 1 to CNAMES. The default is to warn. d3966 1 a3966 1- check-srv-cname
d3968 1 a3968 1 If check-integrity is set then d3970 1 a3970 1 to CNAMES. The default is to warn. d3972 1 a3972 1- check-sibling
d3975 1 a3975 1 sibling glue exists. The default is yes. d3977 1 a3977 1- check-spf
d3979 1 a3979 1 If check-integrity is set then d3983 1 a3983 1 warn. d3985 1 a3985 1- zero-no-soa-ttl
d3990 1 a3990 1 The default is yes. d3992 1 a3992 1- zero-no-soa-ttl-cache
d3996 1 a3996 1 The default is no. d3998 1 a3998 1- update-check-ksk
d4013 1 a4013 1 similar to the dnssec-signzone -z d4025 1 a4025 1- dnssec-dnskey-kskonly
d4028 1 a4028 1 When this option and update-check-ksk d4035 1 a4035 1 dnssec-signzone -x command line option. d4038 2 a4039 2 The default is no. If update-check-ksk is set to d4043 16 a4058 1- try-tcp-refresh
d4062 1 a4062 1 yes. d4064 1 a4064 1- dnssec-secure-to-insecure
d4069 2 a4070 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d4083 1 a4083 1 auto-dnssec maintain and the d4086 1 a4086 1 next time named is started. d4091 1 a4091 1
- forward
d4117 1 a4117 1- forwarders
d4129 3 a4131 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d4135 1 a4135 1d4918 2 a4919 2 example, 1G can be used instead of 1073741824 to specify a limit of d4921 1 a4921 1 gigabyte. unlimited requests d4923 1 a4923 1 maximum available amount. default d4926 1 a4926 1 of size_spec in the section called “Configuration File Elements”. d4936 2 a4937 2
- dual-stack-servers
d4153 1 a4153 1 stacked, then the dual-stack-servers have no effect unless d4155 1 a4155 1 (e.g. named -4). d4159 1 a4159 1d4164 1 a4164 1 of the requesting system. See the section called “Address Match Lists” for d4167 2 a4168 2d4408 1 a4408 1 from may be specified using the listen-on option. listen-on takes d4416 1 a4416 1 Multiple listen-on statements are d4429 1 a4429 1 If no listen-on is specified, the d4433 1 a4433 1 The listen-on-v6 option is used to d4444 1 a4444 1 listen-on-v6 option, d4459 1 a4459 1 IPv4 addresses specified in listen-on-v6 d4463 1 a4463 1 Multiple listen-on-v6 options can d4482 1 a4482 1
- allow-notify
d4173 1 a4173 1 allow-notify may also be d4175 1 a4175 1 zone statement, in which case d4177 1 a4177 1 options allow-notify d4183 1 a4183 1- allow-query
d4187 2 a4188 2 DNS questions. allow-query may also be specified in the zone d4190 1 a4190 1 options allow-query statement. d4197 1 a4197 1 allow-query-cache is now d4202 1 a4202 1- allow-query-on
d4212 1 a4212 1 Note that allow-query-on is only d4214 1 a4214 1 allow-query. A query must be d4218 2 a4219 2 allow-query-on may also be specified in the zone d4221 1 a4221 1 options allow-query-on statement. d4230 1 a4230 1 allow-query-cache is d4235 1 a4235 1- allow-query-cache
d4238 7 a4244 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4246 1 a4246 1- allow-query-cache-on
d4251 2 a4252 2 localnets and localhost. d4254 1 a4254 1- allow-recursion
d4258 3 a4260 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4262 2 a4263 2 (localnets; localhost;) is used. d4265 1 a4265 1- allow-recursion-on
d4271 1 a4271 1- allow-update
d4278 1 a4278 1 the section called “Dynamic Update Security” for details. d4280 1 a4280 1- allow-update-forwarding
d4304 1 a4304 1 access control to attacks; see the section called “Dynamic Update Security” d4308 1 a4308 1- allow-v6-synthesis
d4318 1 a4318 1- allow-transfer
d4321 2 a4322 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4324 1 a4324 1 case it overrides the options allow-transfer statement. d4328 1 a4328 1- blackhole
d4336 1 a4336 1- filter-aaaa
d4339 1 a4339 1 filter-aaaa-on-v4 d4342 1 a4342 1- no-case-compress
d4347 1 a4347 1 used when named needs to work with d4354 1 a4354 1 none: case-insensitive compression d4378 1 a4378 1 There are circumstances in which named d4393 1 a4393 1- resolver-query-timeout
d4403 1 a4403 1d4487 1 a4487 1 query other name servers. query-source specifies d4489 3 a4491 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4495 1 a4495 1 If port is * or is omitted, d4499 2 a4500 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4502 2 a4503 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4506 2 a4507 2 The defaults of the query-source and query-source-v6 options d4514 3 a4516 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4520 1 a4520 1 named will use the corresponding system d4533 2 a4534 2 changed while named is running; the new range will automatically be applied when named d4537 2 a4538 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4544 1 a4544 1 where named runs may prohibit the use d4546 1 a4546 1 named running without a root privilege d4555 2 a4556 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4564 1 a4564 1 the use-queryport-pool d4570 2 a4571 2 query-source or query-source-v6 options; d4574 2 a4575 2d4874 4 a4877 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4880 1 a4880 1 See the section called “Query Address” about how the d4890 1 a4890 1 from named will be in one d4895 3 a4897 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4905 3 a4907 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4912 1 a4912 1
- use-queryport-pool
d4579 1 a4579 1- queryport-pool-ports
d4583 1 a4583 1- queryport-pool-updateinterval
d4591 1 a4591 1 The address specified in the query-source option d4607 2 a4608 2 See also transfer-source and notify-source. d4612 1 a4612 1d4621 2 a4622 2d4824 1 a4824 1
- also-notify
d4633 1 a4633 1 also-notify address to send d4640 1 a4640 1 masters lists can be used. d4643 2 a4644 2 If an also-notify list is given in a zone statement, d4646 2 a4647 2 the options also-notify statement. When a zone notify d4649 2 a4650 2 is set to no, the IP addresses in the global also-notify list will d4656 1 a4656 1- max-transfer-time-in
d4663 1 a4663 1- max-transfer-idle-in
d4670 1 a4670 1- max-transfer-time-out
d4677 1 a4677 1- max-transfer-idle-out
d4684 1 a4684 1- serial-query-rate
d4693 1 a4693 1 serial-query-rate option, an d4702 1 a4702 1 serial-query-rate also controls d4707 1 a4707 1- serial-queries
d4709 1 a4709 1 In BIND 8, the serial-queries d4714 1 a4714 1 serial queries and ignores the serial-queries option. d4716 1 a4716 1 as defined using the serial-query-rate option. d4718 1 a4718 1- transfer-format
d4721 3 a4723 3 one-answer and many-answers. The transfer-format option is used d4725 1 a4725 1 one-answer uses one DNS message per d4727 1 a4727 1 many-answers packs as many resource d4729 1 a4729 1 many-answers is more efficient, but is d4733 1 a4733 1 The many-answers format is also supported by d4735 3 a4737 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4740 1 a4740 1- transfers-in
d4744 1 a4744 1 Increasing transfers-in may d4749 1 a4749 1- transfers-out
d4756 1 a4756 1- transfers-per-ns
d4762 1 a4762 1 Increasing transfers-per-ns d4766 3 a4768 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4770 1 a4770 1- transfer-source
d4772 1 a4772 1transfer-source d4782 1 a4782 1 allow-transfer option for the d4785 1 a4785 1 transfer-source for all zones, d4788 3 a4790 3 transfer-source statement within the view or zone block in the configuration d4801 1 a4801 1
- transfer-source-v6
d4803 1 a4803 1 The same as transfer-source, d4806 1 a4806 1- alt-transfer-source
d4810 2 a4811 2 transfer-source fails and use-alt-transfer-source is a4815 1d4818 1 a4818 1 use-alt-transfer-source d4822 1 a4822 2
- alt-transfer-source-v6
d4827 2 a4828 2 transfer-source-v6 fails and use-alt-transfer-source is d4831 1 a4831 1- use-alt-transfer-source
d4834 1 a4834 1 specified this defaults to no d4836 1 a4836 1 yes (for BIND 8 d4839 1 a4839 1- notify-source
d4841 1 a4841 1notify-source d4845 3 a4847 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4850 3 a4852 3 notify-source statement within the zone or view block in the configuration d4863 1 a4863 1
- notify-source-v6
d4865 1 a4865 1 Like notify-source, d4870 1 a4870 1d7528 1 a7528 1 The view statement is a powerful d7537 1 a7537 1 Each view statement defines a view d7543 1 a7543 1 match-clients clause and its d7547 1 a7547 1 match-destinations clause. If not d7549 1 a7549 1 match-clients and match-destinations d7552 2 a7553 2 match-clients and match-destinations can also take keys which provide an d7556 1 a7556 1 as match-recursive-only, which d7559 1 a7559 1 The order of the view statements is d7562 1 a7562 1 view that it matches. d7565 1 a7565 1 Zones defined within a view d7567 1 a7567 1 only be accessible to clients that match the view. d7574 2 a7575 2 Many of the options given in the options statement can also be used within a view d7579 1 a7579 1 value is given, the value in the options statement d7582 1 a7582 1 in the view statement; these d7584 1 a7584 1 take precedence over those in the options statement. d7592 1 a7592 1 If there are no view statements in d7596 1 a7596 1 in class IN. Any zone statements d7600 1 a7600 1 this default view, and the options d7602 2 a7603 2 apply to the default view. If any explicit view statements are present, all zone d7605 1 a7605 1 occur inside view statements. d7609 1 a7609 1 using view statements: d7644 1 a7644 1
- coresize
d4942 1 a4942 1- datasize
d4955 2 a4956 2 max-cache-size and recursive-clients d4959 1 a4959 1- files
d4964 1 a4964 1- stacksize
d4971 1 a4971 1d4979 2 a4980 2
- max-ixfr-log-size
d4984 1 a4984 1 max-journal-size performs a d4987 1 a4987 1- max-journal-size
d4990 1 a4990 1 (see the section called “The journal file”). When the journal file d5000 1 a5000 1- host-statistics-max
d5006 1 a5006 1- recursive-clients
d5016 1 a5016 1 recursive-clients option may d5037 1 a5037 1- tcp-clients
d5044 1 a5044 1 clients-per-query, max-clients-per-query d5051 1 a5051 1 before dropping additional clients. named will attempt to d5058 1 a5058 1 If the number of queries exceed this value, named will d5066 1 a5066 1 If clients-per-query is set to zero, d5071 1 a5071 1 If max-clients-per-query is set to zero, d5073 1 a5073 1 recursive-clients. d5077 1 a5077 1 fetches-per-zone d5111 1 a5111 1 If fetches-per-zone is set to zero, d5117 1 a5117 1 running rndc recursing. The list d5130 1 a5130 1 built with configure --enable-fetchlimit.) d5134 1 a5134 1 fetches-per-server d5157 1 a5157 1 If fetches-per-server is set to zero, d5162 1 a5162 1 The fetches-per-server quota is d5169 1 a5169 1 threshold, then fetches-per-server d5172 2 a5173 2 fetches-per-server is increased. The fetch-quota-params options d5179 1 a5179 1 built with configure --enable-fetchlimit.) d5182 1 a5182 1- fetch-quota-params
d5214 1 a5214 1 built with configure --enable-fetchlimit.) d5217 1 a5217 1- reserved-sockets
d5222 1 a5222 1 interfaces named listens on, tcp-clients as well as d5233 1 a5233 1- max-cache-size
d5251 1 a5251 1- tcp-listen-queue
d5265 1 a5265 1d5376 2 a5377 2 (but see the rrset-order statement in the section called “RRset Ordering”). d5388 1 a5388 1 The sortlist statement (see below) d5390 1 a5390 1 an address_match_list and d5392 1 a5392 1 more specifically than the topology d5394 3 a5396 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5399 1 a5399 1 an IP prefix, an ACL name or a nested address_match_list) d5411 2 a5412 2 treated the same as the address_match_list in a topology statement. Each top d5477 1 a5477 1
- cleaning-interval
d5273 1 a5273 1 from the cache every cleaning-interval minutes. d5280 1 a5280 1- heartbeat-interval
d5283 1 a5283 1 for all zones marked as dialup whenever this d5290 1 a5290 1- interface-interval
d5293 1 a5293 1 every interface-interval d5301 1 a5301 1 listen-on configuration), and d5305 1 a5305 1- statistics-interval
d5309 1 a5309 1 every statistics-interval d5324 1 a5324 1d5484 1 a5484 1 The rrset-order statement permits d5487 2 a5488 2 See also the sortlist statement, the section called “The sortlist Statement”. d5491 1 a5491 1 An order_spec is defined as d5501 3 a5503 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5506 1 a5506 1 The legal values for ordering are: d5510 2 a5511 2d5516 1 a5516 1 fixed
d5527 1 a5527 1random
d5537 1 a5537 1cyclic
d5568 1 a5568 1 If multiple rrset-order statements d5578 1 a5578 1 rrset-order statement does not support d5585 1 a5585 1d5588 2 a5589 2
- lame-ttl
d5606 1 a5606 1- max-ncache-ttl
d5609 1 a5609 1 the server stores negative answers. max-ncache-ttl is d5613 2 a5614 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5618 1 a5618 1- max-cache-ttl
d5628 1 a5628 1- min-roots
d5643 1 a5643 1- sig-validity-interval
d5648 1 a5648 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5665 1 a5665 1 The sig-validity-interval d5671 1 a5671 1- sig-signing-nodes
d5678 1 a5678 1- sig-signing-signatures
d5685 1 a5685 1- sig-signing-type
d5698 1 a5698 1 named to track the current state of d5702 2 a5703 2 rndc signing -listzone. Once named has finished signing d5707 1 a5707 1 rndc signing -clearkeyid/algorithmzone. d5710 1 a5710 1 rndc signing -clear allzone. d5714 1 a5714 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5738 4 a5741 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5745 1 a5745 1- edns-udp-size
d5757 1 a5757 1 edns-udp-size to a non-default value d5763 1 a5763 1 When named first queries a remote d5768 1 a5768 1 If the initial response times out, named d5772 1 a5772 1 successes using plain DNS, named d5774 1 a5774 1 with that server. (Periodically, named d5781 1 a5781 1 named will advertise progressively d5784 1 a5784 1 edns-udp-size is reached. d5787 1 a5787 1 The default buffer sizes used by named d5789 1 a5789 1 edns-udp-size. (The values 1232 and d5795 1 a5795 1- max-udp-size
d5799 1 a5799 1 named will send in bytes. d5807 1 a5807 1 edns-udp-size. d5811 1 a5811 1 max-udp-size to a non-default d5816 1 a5816 1 buffer (edns-udp-size). d5823 1 a5823 1- masterfile-format
d5827 1 a5827 1 the section called “Additional File Formats”). d5833 2 a5834 2 named-compilezone tool, or dumped by named. d5838 1 a5838 1textis loaded, named d5841 1 a5841 1 check-names checks do not apply d5845 1 a5845 1 specified in the named configuration d5852 1 a5852 1 masterfile-format for all zones, d5854 3 a5856 3 by including a masterfile-format statement within the zone or view block in the configuration d5861 1 a5861 1 max-recursion-depth d5874 1 a5874 1 max-recursion-queries d5885 1 a5885 1- notify-delay
d5893 1 a5893 1 zones is controlled by serial-query-rate. d5896 1 a5896 1- max-rsa-exponent-size
d5903 1 a5903 1- prefetch
d5907 1 a5907 1 is to expire shortly, named can d5930 1 a5930 1 if it isn't, named will silently d5937 1 a5937 1d5944 1 a5944 1 CHAOS class. These zones are part d5946 1 a5946 1 built-in view (see the section called “view Statement Grammar”) of d5948 3 a5950 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5952 3 a5954 3 overridden: notify, recursion and allow-new-zones are d5956 1 a5956 1 rate-limit is set to allow d5961 1 a5961 1 below, or hide the built-in CHAOS d5963 1 a5963 1 defining an explicit view of class CHAOS d5966 2 a5967 2
- version
d5971 1 a5971 1 with type TXT, class CHAOS. d5973 1 a5973 1 Specifying version none d5976 1 a5976 1- hostname
d5980 1 a5980 1 with type TXT, class CHAOS. d5986 1 a5986 1 answering your queries. Specifying hostname none; d5989 1 a5989 1- server-id
d5994 1 a5994 1 TXT, class CHAOS. d5997 1 a5997 1 answering your queries. Specifying server-id none; d5999 1 a5999 1 Specifying server-id hostname; will cause named to d6001 1 a6001 1 The default server-id is none. d6005 1 a6005 1d6028 98 a6125 98d6409 1 a6409 1 response-policy option for the view or among the d6414 1 a6414 3 allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones. d6417 1 a6417 1 A response-policy option can support d6422 1 a6422 1 in a single response-policy option; more d6428 2 a6429 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a6151 1d6156 3 a6158 4
- empty-server
d6164 1 a6164 1- empty-contact
d6170 1 a6170 1- empty-zones-enable
d6175 1 a6175 1- disable-empty-zone
d6182 1 a6182 1d6186 1 a6186 1 The additional section cache, also called acache, d6191 1 a6191 1 Note that acache is an internal caching d6206 3 a6208 3 additional-from-cache to no is recommended, since the current implementation of acache d6213 1 a6213 1 One obvious disadvantage of acache is d6218 3 a6220 3 acache mechanism can be disabled by setting acache-enable to no. d6223 1 a6223 1 for acache by using max-acache-size. d6228 2 a6229 2 Without acache, cyclic order is effective for the additional d6234 1 a6234 1 setting of rrset-order. d6243 1 a6243 1 acache. d6245 2 a6246 2d6283 1 a6283 1 deny-answer-addresses option. d6288 1 a6288 1 deny-answer-aliases option, where d6292 1 a6292 1 with except-from, records whose query name d6296 1 a6296 1 corresponding zone, the deny-answer-aliases d6299 1 a6299 1 deny-answer-aliases, d6307 1 a6307 1 deny-answer-addresses option, only d6328 1 a6328 1 d6362 1 a6362 1 matches the except-from element, d6396 1 a6396 1
- RPZ-CLIENT-IP
d6436 1 a6436 1 rpz-client-ip relativized to the d6463 1 a6463 1- QNAME
d6471 1 a6471 1- RPZ-IP
d6476 1 a6476 1 subdomains of rpz-ip. d6478 1 a6478 1- RPZ-NSDNAME
d6484 1 a6484 1 rpz-nsdname relativized d6490 1 a6490 1- RPZ-NSIP
d6493 1 a6493 1 subdomains of rpz-nsip. d6495 2 a6496 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6507 1 a6507 1 DISABLED actions) must be chosen. d6511 3 a6513 3
- Choose the triggered record in the zone that appears first in the response-policy option. d6515 1 a6515 1
- Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP d6518 1 a6518 1
- Among NSDNAME triggers, prefer the d6521 1 a6521 1
- Among IP or NSIP triggers, prefer the trigger d6524 1 a6524 1
- Among triggers with the same prefix length, d6543 2 a6544 2 For example, while the TCP-only policy is commonly used with client-IP triggers, d6548 2 a6549 2
d6775 2 a6776 2 rate-limit clause in an options or view statement. d6803 1 a6803 1 the window option to any value from d6807 1 a6807 1 or more negative than window d6818 2 a6819 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6824 1 a6824 1 with responses-per-second d6829 2 a6830 2 nodata-per-second (default responses-per-second). d6834 2 a6835 2 They are limited by nxdomains-per-second (default base responses-per-second). d6842 2 a6843 2 referrals-per-second (default responses-per-second). d6857 1 a6857 1 responses-per-second value, d6859 1 a6859 1 errors-per-second. d6869 1 a6869 1 Setting slip to 2 (its default) causes every d6875 1 a6875 1 slip must be between 0 and 10. d6883 1 a6883 1 leaked at the slip rate. d6894 1 a6894 1 slip to 1, causing all rate-limited d6900 6 a6905 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6908 1 a6908 1 qps-scale 250; responses-per-second 20; and d6919 2 a6920 2 rate-limit statements in view statements instead of the global option d6922 2 a6923 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6926 1 a6926 1 with the exempt-clients clause. d6930 1 a6930 1 all-per-second phrase. d6932 3 a6934 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6939 2 a6940 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6942 1 a6942 1 An all-per-second limit should be d6950 1 a6950 1 records as it considers the STMP Mail From d6954 1 a6954 1 All-per-second is similar to the d6966 1 a6966 1 rate limit responses is set with max-table-size. d6972 1 a6972 1 min-table-size (default 500) d6974 1 a6974 1 Enable rate-limit category logging to monitor d6979 1 a6979 1 Use log-only yes to test rate limiting parameters d6984 1 a6984 1 RateDropped and QryDropped d6987 1 a6987 1 RateSlipped and RespTruncated. d6991 1 a6991 1
- PASSTHRU
d6552 1 a6552 1 by a CNAME whose target is rpz-passthru. d6557 1 a6557 1- DROP
d6560 1 a6560 1 by a CNAME whose target is rpz-drop. d6564 1 a6564 1- TCP-Only
d6567 1 a6567 1 by a CNAME whose target is rpz-tcp-only. d6572 1 a6572 1- NXDOMAIN
d6577 1 a6577 1- NODATA
d6584 1 a6584 1- Local Data
d6606 2 a6607 2 can be overridden with a policy clause in the response-policy option. d6612 2 a6613 2
- GIVEN
d6617 1 a6617 1- DISABLED
d6630 1 a6630 1 PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA d6635 1 a6635 1- CNAME domain
d6648 1 a6648 1 with a recursive-only no clause. d6660 1 a6660 1 break-dnssec yes clause. In that case, RPZ d6677 1 a6677 1 The qname-wait-recurse no option d6685 1 a6685 1 DNSSEC requests (DO=1) unless break-dnssec yes d6696 1 a6696 1 The max-policy-ttl clause changes that d6766 1 a6766 1 RPZRewrites statistics. d6769 1 a6769 1serverip_addr[/prefixlen]{ d7002 1 d7021 1 a7021 1d7023 1 a7023 1 server Statement Definition and d7026 1 a7026 1 The server statement defines d7035 1 a7035 1 The server statement can occur at d7037 1 a7037 1 configuration file or inside a view d7039 2 a7040 2 If a view statement contains one or more server statements, only d7043 1 a7043 1 If a view contains no server d7045 1 a7045 1 any top-level server statements are d7053 1 a7053 1 value of bogus is no. d7056 1 a7056 1 The provide-ixfr clause determines d7061 1 a7061 1 If set to yes, incremental transfer d7063 1 a7063 1 whenever possible. If set to no, d7067 1 a7067 1 of the provide-ixfr option in the d7072 1 a7072 1 The request-ixfr clause determines d7076 1 a7076 1 value of the request-ixfr option in d7087 3 a7089 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d7096 1 a7096 1 The edns clause determines whether d7098 1 a7098 1 with the remote server. The default is yes. d7101 2 a7102 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named d7111 1 a7111 1 server; named will not deviate from d7113 3 a7115 3 edns-udp-size in options or view statements, where it specifies a maximum value. The server statement d7117 1 a7117 1 options/view behavior in future releases.) d7120 2 a7121 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d7125 8 a7132 1 replies from named. d7135 3 a7137 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d7141 3 a7143 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d7145 1 a7145 1 by the options statement will be d7148 1 a7148 1transfers d7151 1 a7151 1 transfers clause is specified, the d7153 1 a7153 1 transfers-per-ns option. d7156 3 a7158 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d7170 2 a7171 2 The transfer-source and transfer-source-v6 clauses specify d7175 1 a7175 1 For an IPv4 remote server, only transfer-source can d7178 1 a7178 1 transfer-source-v6 can be d7181 3 a7183 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d7186 2 a7187 2 The notify-source and notify-source-v6 clauses specify the d7190 1 a7190 1 IPv4 remote server, only notify-source d7192 1 a7192 1 only notify-source-v6 can be specified. d7195 2 a7196 2 The query-source and query-source-v6 clauses specify the d7199 1 a7199 1 remote server, only query-source can d7201 1 a7201 1 only query-source-v6 can be specified. d7204 1 a7204 1 The request-nsid clause determines d7207 1 a7207 1 request-nsid set at the view or d7211 1 a7211 1 The request-sit clause determines d7214 1 a7214 1 request-sit set at the view or d7220 1 a7220 1
statistics-channels { d7230 1 a7230 1d7232 1 a7232 1 statistics-channels Statement Definition and d7235 1 a7235 1 The statistics-channels statement d7246 1 a7246 1 statistics-channels statement is d7251 4 a7254 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*d7259 1 a7259 1 use an ip_addr of::. d7264 1 a7264 1 ip_port. d7268 1 a7268 1 restricted by the optional allow clause. d7270 3 a7272 3 address_match_list. If no allow clause is present, named accepts connection d7279 2 a7280 2 If no statistics-channels statement is present, named will not open any communication channels. d7287 2 a7288 2 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is d7297 1 a7297 1 http://127.0.0.1:8888/xml/v2 for version 2 d7299 1 a7299 1 http://127.0.0.1:8888/xml/v3 for version 3. d7306 1 a7306 1 http://127.0.0.1:8888/xml/v3/status d7308 1 a7308 1 http://127.0.0.1:8888/xml/v3/server d7310 1 a7310 1 http://127.0.0.1:8888/xml/v3/zones d7312 1 a7312 1 http://127.0.0.1:8888/xml/v3/net d7314 1 a7314 1 http://127.0.0.1:8888/xml/v3/mem d7316 1 a7316 1 http://127.0.0.1:8888/xml/v3/tasks d7321 1 a7321 1 http://127.0.0.1:8888/json, d7323 1 a7323 1 http://127.0.0.1:8888/json/v1/status d7325 1 a7325 1 http://127.0.0.1:8888/json/v1/server d7327 1 a7327 1 http://127.0.0.1:8888/json/v1/zones d7329 1 a7329 1 http://127.0.0.1:8888/json/v1/net d7331 1 a7331 1 http://127.0.0.1:8888/json/v1/mem d7333 1 a7333 1 http://127.0.0.1:8888/json/v1/tasks d7337 1 a7337 1trusted-keys { d7346 1 a7346 1d7348 1 a7348 1 trusted-keys Statement Definition d7351 2 a7352 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d7363 1 a7363 1 trusted-keys are deemed to exist regardless d7365 1 a7365 1 trusted-keys only those keys are d7370 1 a7370 1 The trusted-keys statement can contain d7379 1 a7379 1 trusted-keys may be set at the top level d7386 1 a7386 1managed-keys { d7395 1 a7395 1d7397 1 a7397 1 managed-keys Statement Definition d7400 2 a7401 2 The managed-keys statement, like trusted-keys, defines DNSSEC d7403 1 a7403 1 managed-keys can be kept up to date d7411 1 a7411 1 trusted-keys statement would be d7415 1 a7415 1 trusted-keys statement with the new key. d7419 1 a7419 1 managed-keys statement instead, then the d7421 2 a7422 2 named would store the stand-by key, and when the original key was revoked, named d7429 1 a7429 1 A managed-keys statement contains a list of d7434 1 a7434 1 This means the managed-keys statement must d7440 2 a7441 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d7444 1 a7444 1 keys listed in a trusted-keys continue to be d7447 1 a7447 1 in a managed-keys statement is only trusted d7453 1 a7453 1 The first time named runs with a managed key d7456 1 a7456 1 using the key specified in the managed-keys d7461 2 a7462 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d7465 1 a7465 1 key specified in the managed-keys is not d7470 1 a7470 1 The next time named runs after a name d7472 1 a7472 1 managed-keys statement, the corresponding d7478 3 a7480 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d7492 1 a7492 1 seconds. So, whenever named is using d7496 1 a7496 1 named.) d7499 2 a7500 2 If the dnssec-validation option is set toauto, named d7502 1 a7502 1 root zone. Similarly, if the dnssec-lookaside d7504 1 a7504 1 named will automatically initialize d7507 2 a7508 2 maintenance process is built into named, and can be overridden from bindkeys-file. d7511 1 a7511 1viewview_named7524 1 a7524 1d7646 1 a7646 1 zone d7648 1 a7648 1zonezone_name[class] { d7658 2 a7659 3 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7719 1 d7804 1 a7804 1 [ zone-statisticsfull|terse|none; ] d7818 1 a7818 1 [ zone-statisticsfull|terse|none; ] d7846 1 a7846 1The type keyword is required for the zone configuration unless it is an in-view configuration. Its acceptable values include:
d7854 2 a7855 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7882 1 a7882 1 zone. The masters list d7997 2 a7998 2 server-addresses and server-names zone options. d8004 1 a8004 1 databases by rndc dumpdb -all. d8035 4 a8038 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d8042 1 a8042 1 name. If no forwarders d8044 1 a8044 1 an empty list for forwarders is given, then no d8047 1 a8047 1 any forwarders in the options statement. Thus d8050 1 a8050 1 global forward option d8092 1 a8092 1 per view. allow-query can be d8129 1 a8129 1 rndc reload d8132 1 a8132 1 rndc reload without specifying d8160 1 a8160 1 See caveats in root-delegation-only. d8167 1 a8167 1 d8189 1 a8189 1 d9121 1 a9121 1 in-view zone option provides an efficient d9144 1 a9144 1 An in-view option cannot refer to a view d9148 4 a9151 4 A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control d9163 1 a9163 1 An in-view zone cannot be used as a d9167 2 a9168 2 An in-view zone is not intended to reference a forward zone. d9173 1 a9173 1 d9197 1 a9197 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d9204 2 a9205 2
- allow-notify
d8196 1 a8196 1 allow-notify in the section called “Access Control”. d8198 1 a8198 1- allow-query
d8201 1 a8201 1 allow-query in the section called “Access Control”. d8203 1 a8203 1- allow-query-on
d8206 1 a8206 1 allow-query-on in the section called “Access Control”. d8208 1 a8208 1- allow-transfer
d8210 2 a8211 2 See the description of allow-transfer in the section called “Access Control”. d8213 1 a8213 1- allow-update
d8215 2 a8216 2 See the description of allow-update in the section called “Access Control”. d8218 1 a8218 1- update-policy
d8221 1 a8221 1 the section called “Dynamic Update Policies”. d8223 1 a8223 1- allow-update-forwarding
d8225 2 a8226 2 See the description of allow-update-forwarding in the section called “Access Control”. d8228 1 a8228 1- also-notify
d8230 1 a8230 1 Only meaningful if notify d8239 1 a8239 1 with also-notify. A port d8241 1 a8241 1 with each also-notify d8247 1 a8247 1 also-notify is not d8251 1 a8251 1- check-names
d8257 3 a8259 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d8261 1 a8261 1- check-mx
d8264 1 a8264 1 check-mx in the section called “Boolean Options”. d8266 1 a8266 1- check-spf
d8269 1 a8269 1 check-spf in the section called “Boolean Options”. d8271 1 a8271 1- check-wildcard
d8274 1 a8274 1 check-wildcard in the section called “Boolean Options”. d8276 1 a8276 1- check-integrity
d8279 1 a8279 1 check-integrity in the section called “Boolean Options”. d8281 1 a8281 1- check-sibling
d8284 1 a8284 1 check-sibling in the section called “Boolean Options”. d8286 1 a8286 1- zero-no-soa-ttl
d8289 1 a8289 1 zero-no-soa-ttl in the section called “Boolean Options”. d8291 1 a8291 1- update-check-ksk
d8294 1 a8294 1 update-check-ksk in the section called “Boolean Options”. d8296 1 a8296 1- dnssec-loadkeys-interval
d8299 2 a8300 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d8303 1 a8303 1- dnssec-update-mode
d8306 1 a8306 2 dnssec-update-mode in the section called “options Statement Definition and Usage”. d8308 1 a8308 1- dnssec-dnskey-kskonly
d8311 1 a8311 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d8313 1 a8313 6- try-tcp-refresh
See the description of try-tcp-refresh in the section called “Boolean Options”.
- database
d8317 1 a8317 1 zone data. The string following the database keyword d8339 1 a8339 1- dialup
d8342 1 a8342 1 dialup in the section called “Boolean Options”. d8344 1 a8344 1- delegation-only
d8353 1 a8353 1 See caveats in root-delegation-only. d8356 1 a8356 1- forward
d8359 1 a8359 1 list. The only value causes d8361 1 a8361 1 after trying the forwarders and getting no answer, while first would d8364 1 a8364 1- forwarders
d8367 1 a8367 1 If it is not specified in a zone of type forward, d8371 1 a8371 1- ixfr-base
d8383 1 a8383 1- ixfr-tmp-file
d8388 1 a8388 1- journal
d8392 1 a8392 1 This is applicable to master and slave zones. d8394 1 a8394 1- max-journal-size
d8397 1 a8397 1 max-journal-size in the section called “Server Resource Limits”. d8399 1 a8399 1- max-transfer-time-in
d8402 1 a8402 1 max-transfer-time-in in the section called “Zone Transfers”. d8404 1 a8404 1- max-transfer-idle-in
d8407 1 a8407 1 max-transfer-idle-in in the section called “Zone Transfers”. d8409 1 a8409 1- max-transfer-time-out
d8412 1 a8412 1 max-transfer-time-out in the section called “Zone Transfers”. d8414 1 a8414 1- max-transfer-idle-out
d8417 1 a8417 1 max-transfer-idle-out in the section called “Zone Transfers”. d8419 1 a8419 1- notify
d8422 1 a8422 1 notify in the section called “Boolean Options”. d8424 1 a8424 1- notify-delay
d8427 1 a8427 1 notify-delay in the section called “Tuning”. d8429 1 a8429 1- notify-to-soa
d8432 2 a8433 2 notify-to-soa in the section called “Boolean Options”. d8435 1 a8435 1- pubkey
d8444 1 a8444 1- zone-statistics
d8446 5 a8450 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d8452 1 a8452 1- server-addresses
d8466 1 a8466 1 in a server-addresses option, d8481 1 a8481 1- server-names
d8489 1 a8489 1 named needs to send queries to d8497 1 a8497 1 server-names option, but d8507 1 a8507 1 in a server-names option, d8524 1 a8524 1- sig-validity-interval
d8527 1 a8527 1 sig-validity-interval in the section called “Tuning”. d8529 1 a8529 1- sig-signing-nodes
d8532 1 a8532 1 sig-signing-nodes in the section called “Tuning”. d8534 1 a8534 1- sig-signing-signatures
d8537 1 a8537 1 sig-signing-signatures in the section called “Tuning”. d8539 1 a8539 1- sig-signing-type
d8542 1 a8542 1 sig-signing-type in the section called “Tuning”. d8544 1 a8544 1- transfer-source
d8547 1 a8547 1 transfer-source in the section called “Zone Transfers”. d8549 1 a8549 1- transfer-source-v6
d8552 1 a8552 1 transfer-source-v6 in the section called “Zone Transfers”. d8554 1 a8554 1- alt-transfer-source
d8557 1 a8557 1 alt-transfer-source in the section called “Zone Transfers”. d8559 1 a8559 1- alt-transfer-source-v6
d8562 1 a8562 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d8564 1 a8564 1- use-alt-transfer-source
d8567 1 a8567 1 use-alt-transfer-source in the section called “Zone Transfers”. d8569 1 a8569 1- notify-source
d8572 1 a8572 1 notify-source in the section called “Zone Transfers”. d8574 1 a8574 1- notify-source-v6
d8577 1 a8577 1 notify-source-v6 in the section called “Zone Transfers”. d8580 1 a8580 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d8583 1 a8583 1 See the description in the section called “Tuning”. d8585 1 a8585 1- ixfr-from-differences
d8588 2 a8589 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d8594 1 a8594 1- key-directory
d8597 2 a8598 1 key-directory in the section called “options Statement Definition and d8601 63 a8663 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8672 1 a8672 1- multi-master
d8674 2 a8675 2 See the description of multi-master in the section called “Boolean Options”. d8677 1 a8677 1- masterfile-format
d8679 2 a8680 2 See the description of masterfile-format in the section called “Tuning”. d8682 1 a8682 1- max-zone-ttl
d8684 3 a8686 2 See the description of max-zone-ttl in the section called “options Statement Definition and d8689 1 a8689 1- dnssec-secure-to-insecure
d8692 1 a8692 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8696 1 a8696 1d8702 2 a8703 2 allow-update and update-policy option, respectively. d8706 1 a8706 1 The allow-update clause works the d8712 1 a8712 1 The update-policy clause d8722 1 a8722 1 Rules are specified in the update-policy d8724 1 a8724 1 When the update-policy statement d8726 2 a8727 2 allow-update statement to be present. The update-policy statement d8732 1 a8732 1 There is a pre-defined update-policy d8734 1 a8734 1 update-policy local;. d8736 1 a8736 1 named to generate a TSIG session d8742 3 a8744 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8756 1 a8756 1 The command nsupdate -l sends update d8763 1 a8763 1 ( grant | deny )identitynametype[name] [types] d8818 2 a8819 2d8863 1 a8863 1 update-policy statement d8866 1 a8866 1 update-policy statement in d8886 1 a8886 1 is a valid expansion of the wildcard. d9059 1 a9059 1 This rule allows named d9111 1 a9111 1 d9283 2 a9284 2 a9368 12 AVC Application Visibility and Control record.
a9434 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a9812 12 NINFO
Contains zone status information.
a9982 12 RKEY
Resource key.
a10038 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a10090 24 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
d10196 2 a10197 2
d10286 1 a10286 1 d10328 3 a10330 3 d10446 3 a10448 3 d10489 1 a10489 1 d10529 5 a10533 5 d10672 1 a10672 1 d10764 2 a10765 2 d10797 1 a10797 1 The $ORIGIN lines in the examples d10805 1 a10805 1 d10817 2 a10818 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d10820 1 a10820 1 d10831 1 a10831 1 d10835 1 a10835 1 Syntax: $ORIGIN d10839 1 a10839 1 $ORIGIN d10842 2 a10843 2 is an implicit $ORIGIN <
d10864 1 a10864 1 Syntax: $INCLUDE d10872 3 a10874 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d10879 1 a10879 1 revert to the values they had prior to the $INCLUDE once d10887 1 a10887 1 an $INCLUDE, but it is silent d10896 1 a10896 1 d10900 1 a10900 1 Syntax: $TTL d10910 1 a10910 1zone_name>. d10845 2 a10846 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d10860 1 a10860 1$TTL d10915 1 a10915 1
d10919 1 a10919 1 Syntax: $GENERATE d10928 1 a10928 1$GENERATE d10931 1 a10931 1 iterator. $GENERATE can be used to d10973 2 a10974 2
d10979 1 a10979 1 range
d10993 1 a10993 1lhs
d10998 1 a10998 1 to be created. Any single $ d11000 1 a11000 1 symbols within the lhs string d11004 4 a11007 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d11012 4 a11015 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d11021 3 a11023 3 (d), octal (o), hexadecimal (x or X d11025 1 a11025 1 (n or N\ d11027 3 a11029 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d11041 1 a11041 1 $$ is still recognized as d11048 1 a11048 1ttl
d11056 2 a11057 2class and ttl can be d11064 1 a11064 1
class
d11072 2 a11073 2class and ttl can be d11080 1 a11080 1
type
d11090 1 a11090 1rhs
d11094 1 a11094 1 rhs, optionally, quoted string. d11101 1 a11101 1 The $GENERATE directive is a BIND extension d11108 1 a11108 1d11126 1 a11126 1 directly into memory via the mmap() d11134 1 a11134 1 file by the named-compilezone command. d11137 2 a11138 2 masterfile-format option) when named dumps the zone contents after d11144 1 a11144 1 named-compilezone command. All d11147 1 a11147 1 named-compilezone command again. d11150 1 a11150 1 Note that map format is extremely d11168 1 a11168 1d11959 2 a11960 2d11186 2 a11187 2d11287 5 a11291 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a11293 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d11297 1 a11297 1 by the statistics-file configuration option. d11299 1 a11299 1 when the statistics-channels statement d11301 1 a11301 1 (see the section called “statistics-channels Statement Grammar”.) d11303 3 a11305 3
d11310 1 a11310 1 +++ Statistics Dump +++ (973798949) d11322 1 a11322 1 ++ Name Server Statistics ++ d11336 1 a11336 1 --- Statistics Dump --- (973798949) d11339 1 a11339 1d11363 3 a11365 3d11387 1 a11387 1 Requestv4
d11390 1 a11390 1RQ
d11401 1 a11401 1Requestv6
d11404 1 a11404 1RQ
d11415 1 a11415 1ReqEdns0
d11418 1 a11418 1d11428 1 a11428 1
ReqBadEDNSVer
d11431 1 a11431 1d11441 1 a11441 1
ReqTSIG
d11444 1 a11444 1d11454 1 a11454 1
ReqSIG0
d11457 1 a11457 1d11467 1 a11467 1
ReqBadSIG
d11470 1 a11470 1d11480 1 a11480 1
ReqTCP
d11483 1 a11483 1RTCP
d11493 1 a11493 1AuthQryRej
d11496 1 a11496 1RUQ
d11506 1 a11506 1RecQryRej
d11509 1 a11509 1RURQ
d11519 1 a11519 1XfrRej
d11522 1 a11522 1RUXFR
d11532 1 a11532 1UpdateRej
d11535 1 a11535 1RUUpd
d11545 1 a11545 1Response
d11548 1 a11548 1SAns
d11558 1 a11558 1RespTruncated
d11561 1 a11561 1d11571 1 a11571 1
RespEDNS0
d11574 1 a11574 1d11584 1 a11584 1
RespTSIG
d11587 1 a11587 1d11597 1 a11597 1
RespSIG0
d11600 1 a11600 1d11610 1 a11610 1
QrySuccess
d11613 1 a11613 1d11621 1 a11621 1 success counter d11629 1 a11629 1
QryAuthAns
d11632 1 a11632 1d11642 1 a11642 1
QryNoauthAns
d11645 1 a11645 1SNaAns
d11655 1 a11655 1QryReferral
d11658 1 a11658 1d11664 1 a11664 1 referral counter d11672 1 a11672 1
QryNxrrset
d11675 1 a11675 1d11681 1 a11681 1 nxrrset counter d11689 1 a11689 1
QrySERVFAIL
d11692 1 a11692 1SFail
d11702 1 a11702 1QryFORMERR
d11705 1 a11705 1SFErr
d11715 1 a11715 1QryNXDOMAIN
d11718 1 a11718 1SNXD
d11724 1 a11724 1 nxdomain counter d11732 1 a11732 1QryRecursion
d11735 1 a11735 1RFwdQ
d11742 1 a11742 1 recursion counter d11750 1 a11750 1QryDuplicate
d11753 1 a11753 1RDupQ
d11762 1 a11762 1 duplicate counter d11770 1 a11770 1QryDropped
d11773 1 a11773 1d11783 1 a11783 1 clients-per-query d11785 1 a11785 1 max-clients-per-query d11788 1 a11788 1 clients-per-query.) d11790 1 a11790 1 dropped counter d11798 1 a11798 1
QryFailure
d11801 1 a11801 1d11807 1 a11807 1 failure counter d11813 2 a11814 2 AuthQryRej and RecQryRej d11823 1 a11823 1
XfrReqDone
d11826 1 a11826 1d11836 1 a11836 1
UpdateReqFwd
d11839 1 a11839 1d11849 1 a11849 1
UpdateRespFwd
d11852 1 a11852 1d11862 1 a11862 1
UpdateFwdFail
d11865 1 a11865 1d11875 1 a11875 1
UpdateDone
d11878 1 a11878 1d11888 1 a11888 1
UpdateFail
d11891 1 a11891 1d11901 1 a11901 1
UpdateBadPrereq
d11904 1 a11904 1d11914 1 a11914 1
RateDropped
d11917 1 a11917 1d11927 1 a11927 1
RateSlipped
d11930 1 a11930 1d11940 1 a11940 1
RPZRewrites
d11943 1 a11943 1d11954 1 a11954 1
d11977 1 a11977 1 NotifyOutv4
d11987 1 a11987 1NotifyOutv6
d11997 1 a11997 1NotifyInv4
d12007 1 a12007 1NotifyInv6
d12017 1 a12017 1NotifyRej
d12027 1 a12027 1SOAOutv4
d12037 1 a12037 1SOAOutv6
d12047 1 a12047 1AXFRReqv4
d12057 1 a12057 1AXFRReqv6
d12067 1 a12067 1IXFRReqv4
d12077 1 a12077 1IXFRReqv6
d12087 1 a12087 1XfrSuccess
d12097 1 a12097 1XfrFail
d12108 1 a12108 1 d12113 3 a12115 3d12137 1 a12137 1 Queryv4
d12140 1 a12140 1SFwdQ
d12150 1 a12150 1Queryv6
d12153 1 a12153 1SFwdQ
d12163 1 a12163 1Responsev4
d12166 1 a12166 1RR
d12176 1 a12176 1Responsev6
d12179 1 a12179 1RR
d12189 1 a12189 1NXDOMAIN
d12192 1 a12192 1RNXD
d12202 1 a12202 1SERVFAIL
d12205 1 a12205 1RFail
d12215 1 a12215 1FORMERR
d12218 1 a12218 1RFErr
d12228 1 a12228 1OtherError
d12231 1 a12231 1RErr
d12241 1 a12241 1EDNS0Fail
d12244 1 a12244 1d12254 1 a12254 1
Mismatch
d12257 1 a12257 1RDupR
d12266 1 a12266 1 the port option.) d12274 1 a12274 1Truncated
d12277 1 a12277 1d12287 1 a12287 1
Lame
d12290 1 a12290 1RLame
d12300 1 a12300 1Retry
d12303 1 a12303 1SDupQ
d12313 1 a12313 1QueryAbort
d12316 1 a12316 1d12326 1 a12326 1
QuerySockFail
d12329 1 a12329 1d12342 1 a12342 1
QueryTimeout
d12345 1 a12345 1d12355 1 a12355 1
GlueFetchv4
d12358 1 a12358 1SSysQ
d12368 1 a12368 1GlueFetchv6
d12371 1 a12371 1SSysQ
d12381 1 a12381 1GlueFetchv4Fail
d12384 1 a12384 1d12394 1 a12394 1
GlueFetchv6Fail
d12397 1 a12397 1d12407 1 a12407 1
ValAttempt
d12410 1 a12410 1d12420 1 a12420 1
ValOk
d12423 1 a12423 1d12433 1 a12433 1
ValNegOk
d12436 1 a12436 1d12446 1 a12446 1
ValFail
d12449 1 a12449 1d12459 1 a12459 1
QryRTTnn
d12462 1 a12462 1d12468 1 a12468 1 Each nn specifies the corresponding d12471 2 a12472 2 nn_1, nn_2, d12474 2 a12475 2 nn_m, the value of nn_i is the d12477 2 a12478 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d12480 1 a12480 1 nn_0 to be 0. d12482 1 a12482 1 nn_m+, which means the d12484 1 a12484 1 nn_m milliseconds. d12491 1 a12491 1 d12497 6 a12502 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d12504 1 a12504 1 In the following table <TYPE> d12511 2 a12512 2
d12529 1 a12529 1 <TYPE>Open
d12535 1 a12535 1 FDwatch type. d12541 1 a12541 1<TYPE>OpenFail
d12547 1 a12547 1 FDwatch type. d12553 1 a12553 1<TYPE>Close
d12563 1 a12563 1<TYPE>BindFail
d12573 1 a12573 1<TYPE>ConnFail
d12583 1 a12583 1<TYPE>Conn
d12593 1 a12593 1<TYPE>AcceptFail
d12599 2 a12600 2 UDP and FDwatch types. d12606 1 a12606 1<TYPE>Accept
d12612 2 a12613 2 UDP and FDwatch types. d12619 1 a12619 1<TYPE>SendErr
d12625 2 a12626 2 to SErr counter of BIND 8. d12632 1 a12632 1<TYPE>RecvErr
d12646 1 a12646 1 d12651 2 a12652 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d12656 2 a12657 2d1144 1 a1144 1 include Statement Grammar d1149 1 a1149 1 include Statement Definition and d1164 1 a1164 1 key Statement Grammar d1173 1 a1173 1 key Statement Definition and Usage d1220 1 a1220 1 logging Statement Grammar d1244 1 a1244 1 logging Statement Definition and d1278 1 a1278 1 The channel Phrase d1891 1 a1891 1 The query-errors Category d2119 1 a2119 1 lwres Statement Grammar d2135 1 a2135 1 lwres Statement Definition and Usage d2186 1 a2186 1 masters Statement Grammar d2194 1 a2194 1 masters Statement Definition and d2204 1 a2204 1 options Statement Grammar a2214 1 [ geoip-directory
- RFwdR,SFwdR
d12660 1 a12660 1 because BIND 9 does not adopt d12662 1 a12662 1 as BIND 8 did. d12664 1 a12664 1- RAXFR
d12668 1 a12668 1- RIQ
d12672 1 a12672 1- ROpts
d12675 1 a12675 1 because BIND 9 does not care d12700 1 a12700 1BIND 9.10.4-P3
@ 1.1.1.15.2.5.2.3 log @Pull up following revision(s) (requested by snj in ticket #1271): doc/3RDPARTY: 1.1374 via patch external/bsd/bind/Makefile.inc: up to 1.24 via patch external/bsd/bind/bin/delv/Makefile: up to 1.3 external/bsd/bind/bin/dig/Makefile: up to 1.2 external/bsd/bind/bin/dnssec/Makefile.inc: up to 1.2 external/bsd/bind/bin/host/Makefile: up to 1.2 external/bsd/bind/bin/named/Makefile: up to 1.10 external/bsd/bind/bin/nslookup/Makefile: up to 1.3 external/bsd/bind/bin/nsupdate/Makefile: up to 1.3 external/bsd/bind/bin/rndc/Makefile: up to 1.2 external/bsd/bind/bin/tools/Makefile.inc: up to 1.2 external/bsd/bind/dist/CHANGES: up to 1.23 external/bsd/bind/dist/README: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.18 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.17 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.11 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.11 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.9 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/api: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.27 external/bsd/bind/dist/srcid: up to 1.17 external/bsd/bind/dist/version: up to 1.21 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch external/bsd/bind/lib/libbind9/Makefile: up to 1.3 Update BIND to 9.10.4-P4. Fixes CVE-2016-8864. @ text @d12848 1 a12848 1BIND 9.10.4-P4
@ 1.1.1.15.2.5.2.4 log @Pull up following revision(s) (requested by snj in ticket #1348): doc/3RDPARTY: 1.1397 via patch external/bsd/bind/Makefile.inc: up to 1.24 via patch external/bsd/bind/dist/CHANGES: up to 1.24 external/bsd/bind/dist/README: up to 1.12 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/flat/zkt-signer delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-ls delete external/bsd/bind/dist/contrib/zkt-1.1.2/examples/hierarchical/zkt-signer delete external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.19 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.12 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.12 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.10 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/api: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.21 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.28 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.21 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.20 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.12 external/bsd/bind/dist/srcid: up to 1.18 external/bsd/bind/dist/version: up to 1.22 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P5, fixing CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444. @ text @d12848 1 a12848 1BIND 9.10.4-P5
@ 1.1.1.15.2.5.2.5 log @Pull up following revision(s) (requested by snj in ticket #1363): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.25 via patch external/bsd/bind/dist/CHANGES: up to 1.25 external/bsd/bind/dist/README: up to 1.13 external/bsd/bind/dist/bin/named/query.c: up to 1.23 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/config.guess: up to 1.2 external/bsd/bind/dist/config.sub: up to 1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.guess: up to 1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/config.sub: up to 1.2 external/bsd/bind/dist/contrib/idn/idnkit-1.0-src/config.guess: up to 1.2 external/bsd/bind/dist/contrib/idn/idnkit-1.0-src/config.sub: up to 1.2 external/bsd/bind/dist/contrib/nslint-3.0a2/config.guess: up to 1.2 external/bsd/bind/dist/contrib/nslint-3.0a2/config.sub: up to 1.2 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.20 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.18 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.13 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.13 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.11 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.11 external/bsd/bind/dist/lib/dns/api: up to 1.13 external/bsd/bind/dist/lib/dns/message.c: up to 1.22 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.9 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.29 external/bsd/bind/dist/srcid: up to 1.19 external/bsd/bind/dist/unit/atf-src/admin/config.guess: up to 1.2 external/bsd/bind/dist/unit/atf-src/admin/config.sub: up to 1.2 external/bsd/bind/dist/version: up to 1.23 external/bsd/bind/include/isc/platform.h: up to 1.22 via patch Update BIND to 9.10.4-P6, fixing CVE-2017-3135. @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.1.1.15.2.5.2.6 log @Pull up following revision(s) (requested by spz in ticket #1404): doc/3RDPARTY: 1.1430 via patch external/bsd/bind/dist/CHANGES: up to 1.26 external/bsd/bind/dist/COPYRIGHT: up to 1.1.1.11 external/bsd/bind/dist/README: up to 1.14 external/bsd/bind/dist/bin/named/query.c: up to 1.24 external/bsd/bind/dist/bin/tests/system/dname/ans3/ans.pl: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dname/ns1/root.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.13 external/bsd/bind/dist/bind.keys: up to 1.1.1.6 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.4 external/bsd/bind/dist/configure: up to 1.7 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.19 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.14 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.14 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.12 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.12 external/bsd/bind/dist/lib/dns/api: up to 1.14 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.10 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.30 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.5 external/bsd/bind/dist/lib/isc/lex.c: up to 1.8 external/bsd/bind/dist/srcid: up to 1.20 external/bsd/bind/dist/version: up to 1.24 Update BIND to 9.10.4-P8. @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.1.1.15.2.5.2.7 log @Pull up following revision(s) (requested by spz in ticket #1436): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.27 external/bsd/bind/dist/FAQ.xml: up to 1.1.1.12 external/bsd/bind/dist/Makefile.in: up to 1.4 external/bsd/bind/dist/README: up to 1.15 external/bsd/bind/dist/acconfig.h: up to 1.10 external/bsd/bind/dist/bin/check/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkconf.8: up to 1.8 external/bsd/bind/dist/bin/check/named-checkconf.c: up to 1.14 external/bsd/bind/dist/bin/check/named-checkconf.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/check/named-checkconf.html: up to 1.1.1.10 external/bsd/bind/dist/bin/check/named-checkzone.8: up to 1.9 external/bsd/bind/dist/bin/check/named-checkzone.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/check/named-checkzone.html: up to 1.1.1.11 external/bsd/bind/dist/bin/check/win32/checkconf.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkconf.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checktool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checktool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/check/win32/checkzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/check/win32/checkzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/confgen/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/confgen/ddns-confgen.8: up to 1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/ddns-confgen.html: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/keygen.c: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.8: up to 1.8 external/bsd/bind/dist/bin/confgen/rndc-confgen.c: up to 1.9 external/bsd/bind/dist/bin/confgen/rndc-confgen.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/confgen/rndc-confgen.html: up to 1.1.1.8 external/bsd/bind/dist/bin/delv/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.1: up to 1.1.1.5 external/bsd/bind/dist/bin/delv/delv.c: up to 1.6 external/bsd/bind/dist/bin/delv/delv.docbook: up to 1.1.1.3 external/bsd/bind/dist/bin/delv/delv.html: up to 1.1.1.4 external/bsd/bind/dist/bin/delv/win32/delv.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/delv/win32/delv.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/dig.1: up to 1.13 external/bsd/bind/dist/bin/dig/dig.c: up to 1.13 external/bsd/bind/dist/bin/dig/dig.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dig.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dig/dighost.c: up to 1.19 external/bsd/bind/dist/bin/dig/host.1: up to 1.7 external/bsd/bind/dist/bin/dig/host.c: up to 1.12 external/bsd/bind/dist/bin/dig/host.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/dig/host.html: up to 1.1.1.8 external/bsd/bind/dist/bin/dig/include/dig/dig.h: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.c: up to 1.13 external/bsd/bind/dist/bin/dig/nslookup.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dig/nslookup.html: up to 1.1.1.11 external/bsd/bind/dist/bin/dig/win32/dig.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dig.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/dighost.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/dighost.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/host.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/host.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dig/win32/nslookup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dig/win32/nslookup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.docbook: up to 1.1.1.11 external/bsd/bind/dist/bin/dnssec/dnssec-dsfromkey.html: up to 1.1.1.12 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.8: up to 1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-importkey.html: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keyfromlabel.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.8: up to 1.11 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.docbook: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-keygen.html: up to 1.1.1.14 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.8: up to 1.8 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.docbook: up to 1.1.1.9 external/bsd/bind/dist/bin/dnssec/dnssec-revoke.html: up to 1.1.1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-settime.c: up to 1.15 external/bsd/bind/dist/bin/dnssec/dnssec-settime.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-settime.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.8: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.c: up to 1.18 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.docbook: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-signzone.html: up to 1.1.1.13 external/bsd/bind/dist/bin/dnssec/dnssec-verify.8: up to 1.7 external/bsd/bind/dist/bin/dnssec/dnssec-verify.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/dnssec/dnssec-verify.html: up to 1.1.1.7 external/bsd/bind/dist/bin/dnssec/dnssectool.c: up to 1.10 external/bsd/bind/dist/bin/dnssec/dnssectool.h: up to 1.8 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dnssectool.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/dsfromkey.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/importkey.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/importkey.vcxproj.in: up to 1.1.1.5 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keyfromlabel.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/keygen.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/keygen.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/revoke.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/revoke.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/settime.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/settime.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/signzone.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/signzone.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/dnssec/win32/verify.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/dnssec/win32/verify.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/named/Makefile.in: up to 1.1.1.14 external/bsd/bind/dist/bin/named/client.c: up to 1.17 external/bsd/bind/dist/bin/named/config.c: up to 1.14 external/bsd/bind/dist/bin/named/control.c: up to 1.12 external/bsd/bind/dist/bin/named/geoip.c: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/config.h: up to 1.6 external/bsd/bind/dist/bin/named/include/named/globals.h: up to 1.10 external/bsd/bind/dist/bin/named/include/named/seccomp.h: up to 1.1.1.4 external/bsd/bind/dist/bin/named/include/named/server.h: up to 1.12 external/bsd/bind/dist/bin/named/logconf.c: up to 1.9 external/bsd/bind/dist/bin/named/lwresd.8: up to 1.7 external/bsd/bind/dist/bin/named/lwresd.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/named/lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/bin/named/lwsearch.c: up to 1.5 external/bsd/bind/dist/bin/named/main.c: up to 1.21 external/bsd/bind/dist/bin/named/named.8: up to 1.10 external/bsd/bind/dist/bin/named/named.conf.5: up to 1.15 external/bsd/bind/dist/bin/named/named.conf.docbook: up to 1.14 external/bsd/bind/dist/bin/named/named.conf.html: up to 1.15 external/bsd/bind/dist/bin/named/named.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/named/named.html: up to 1.1.1.11 external/bsd/bind/dist/bin/named/query.c: up to 1.25 external/bsd/bind/dist/bin/named/server.c: up to 1.22 external/bsd/bind/dist/bin/named/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/named/unix/os.c: up to 1.10 external/bsd/bind/dist/bin/named/update.c: up to 1.13 external/bsd/bind/dist/bin/named/xfrout.c: up to 1.13 external/bsd/bind/dist/bin/named/zoneconf.c: up to 1.10 external/bsd/bind/dist/bin/nsupdate/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/nsupdate/nsupdate.1: up to 1.9 external/bsd/bind/dist/bin/nsupdate/nsupdate.c: up to 1.16 external/bsd/bind/dist/bin/nsupdate/nsupdate.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/nsupdate/nsupdate.html: up to 1.1.1.12 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/nsupdate/win32/nsupdate.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1q-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.1t-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2f-patch delete external/bsd/bind/dist/bin/pkcs11/openssl-1.0.2h-patch: up to 1.1.1.1 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-destroy.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.8: up to 1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/pkcs11/pkcs11-keygen.html: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.8: up to 1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/pkcs11/pkcs11-list.html: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.8: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.c: up to 1.1.1.6 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.docbook: up to 1.1.1.5 external/bsd/bind/dist/bin/pkcs11/pkcs11-tokens.html: up to 1.1.1.3 external/bsd/bind/dist/bin/pkcs11/win32/pk11destroy.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/pkcs11/win32/pk11tokens.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/python/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-checkds.8: up to 1.7 external/bsd/bind/dist/bin/python/dnssec-checkds.docbook: up to 1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.html: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-checkds.py.in: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.8: up to 1.1.1.8 external/bsd/bind/dist/bin/python/dnssec-coverage.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/python/dnssec-coverage.html: up to 1.1.1.5 external/bsd/bind/dist/bin/python/dnssec-coverage.py.in: up to 1.1.1.8 external/bsd/bind/dist/bin/python/isc/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/__init__.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/checkds.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/coverage.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/dnskey.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/eventlist.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keydict.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyevent.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/keyzone.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/dnskey_test.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.key: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/tests/testdata/Kexample.com.+007+35529.private: up to 1.1.1.1 external/bsd/bind/dist/bin/python/isc/utils.py.in: up to 1.1.1.1 external/bsd/bind/dist/bin/python/setup.py: up to 1.1.1.1 external/bsd/bind/dist/bin/rndc/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.8: up to 1.10 external/bsd/bind/dist/bin/rndc/rndc.c: up to 1.15 external/bsd/bind/dist/bin/rndc/rndc.conf.5: up to 1.8 external/bsd/bind/dist/bin/rndc/rndc.conf.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/rndc/rndc.conf.html: up to 1.1.1.9 external/bsd/bind/dist/bin/rndc/rndc.docbook: up to 1.1.1.10 external/bsd/bind/dist/bin/rndc/rndc.html: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/atomic/t_atomic.c: up to 1.7 external/bsd/bind/dist/bin/tests/byname_test.c: up to 1.9 external/bsd/bind/dist/bin/tests/db/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/db/win32/t_db.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/db/win32/t_db.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/dst/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/dst/t_dst.c: up to 1.11 external/bsd/bind/dist/bin/tests/hash_test.c: up to 1.8 external/bsd/bind/dist/bin/tests/hashes/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/hashes/t_hashes.c: up to 1.6 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/hashes/win32/t_hashes.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/master/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/master/win32/t_master.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/master/win32/t_master.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/mdig.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/pkcs11/README: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/create.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/find.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/genrsa.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/login.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/privrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/pubrsa.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/random.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/session.c: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sha1.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/sign.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/pkcs11/benchmarks/verify.c: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/rdata_test.c: up to 1.10 external/bsd/bind/dist/bin/tests/resolver/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.mak.in: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/resolver/win32/t_resolver.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/Makefile.in: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/acl/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/additional/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/addzone/ns2/hints.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/ns2/redirect.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/addzone/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/allow_query/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/autosign/ns1/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/ns2/keygen.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/autosign/ns3/keygen.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/autosign/tests.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/builtin/Makefile.in delete external/bsd/bind/dist/bin/tests/system/builtin/gethostname.c delete external/bsd/bind/dist/bin/tests/system/builtin/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/cacheclean/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/case/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/checkconf/bad-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-acl.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-slip.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rate-limit-window.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-rpz-zone.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/bad-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-acl.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/checkconf/good-options-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good-view-also-notify.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkconf/good.conf: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/checkconf/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/checkds/dig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/checkds/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/checknames/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/checkzone/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/checkzone/zones/crashzone.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/conf.sh.in: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/conf.sh.win32: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/coverage/03-ksk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/04-zsk-unpublished/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/05-ksk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/06-zsk-unpub-active/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/07-ksk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/08-zsk-ttl/expect: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/coverage/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/coverage/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/database/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dialup/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/digcomp.pl: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/digdelv/clean.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/ns2/example.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/digdelv/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dlv/ns3/sign.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/dlv/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/dlvauto/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlz/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/dlzexternal/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dlzexternal/dlopen.c delete external/bsd/bind/dist/bin/tests/system/dlzexternal/prereq.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dlzexternal/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dname/ns2/example.db: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dname/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/dns64/ns1/example.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dns64/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/dns64/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/dnssec/ns1/sign.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/dnssec/ns2/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns3/sign.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dnssec/ns6/named.args: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dnssec/tests.sh: up to 1.1.1.18 external/bsd/bind/dist/bin/tests/system/dscp/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/dsdigest/ns2/sign.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/dsdigest/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/ecdsa/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/ednscompliance/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/emptyzones/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/feature-test.c: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/fetchlimit/Makefile.in delete external/bsd/bind/dist/bin/tests/system/fetchlimit/fetchlimit.c delete external/bsd/bind/dist/bin/tests/system/fetchlimit/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/fetchlimit/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/filter-aaaa/Makefile.in delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/filter-aaaa.c delete external/bsd/bind/dist/bin/tests/system/filter-aaaa/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/filter-aaaa/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/formerr/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/forward/tests.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/geoip/Makefile.in delete external/bsd/bind/dist/bin/tests/system/geoip/geoip.c delete external/bsd/bind/dist/bin/tests/system/geoip/prereq.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/geoip/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/glue/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/gost/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/ifconfig.bat: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ifconfig.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/inline/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/integrity/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/mx-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/ns1/srv-cname.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/integrity/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/ixfr/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/legacy/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/limits/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/logfileconfig/clean.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.unlimited: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/ns1/named.versconf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/logfileconfig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/lwresd/clean.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/lwresd/lwresd1/nosearch.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/lwresd/lwtest.c: up to 1.10 external/bsd/bind/dist/bin/tests/system/lwresd/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/masterfile/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/masterformat/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/metadata/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/notify/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/notify/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/nslookup/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/nsupdate/clean.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/named.conf: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/nsupdate/ns1/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/named.conf: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/nsupdate/ns2/sample.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/named.conf: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/nsupdate/ns3/too-big.test.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/nsupdate/setup.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/nsupdate/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/pending/ns1/sign.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/pending/ns2/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/pending/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/pkcs11ssl/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/reclimit/ans2/ans.pl: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/reclimit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/redirect/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/resolver/clean.sh: up to 1.1.1.11 external/bsd/bind/dist/bin/tests/system/resolver/ns4/root.db: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns5/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/ns6/ds.example.net.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/resolver/ns6/example.net.db.in: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/keygen.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/resolver/ns6/named.conf: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/resolver/tests.sh: up to 1.1.1.15 external/bsd/bind/dist/bin/tests/system/rndc/tests.sh: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/rpz/Makefile.in delete external/bsd/bind/dist/bin/tests/system/rpz/rpz.c delete external/bsd/bind/dist/bin/tests/system/rpz/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/rpz/tests.sh: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/db.clientip21: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/rpzrecurse/prereq.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/rpzrecurse/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrchecker/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrl/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rrl/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rrsetorder/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/rsabigexponent/clean.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/rsabigexponent/ns1/sign.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/prereq.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/rsabigexponent/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/run.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/sit/tests.sh: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/smartsign/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/sortlist/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/spf/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/start.pl: up to 1.1.1.14 external/bsd/bind/dist/bin/tests/system/staticstub/ns3/sign.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/staticstub/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/statistics/Makefile.in delete external/bsd/bind/dist/bin/tests/system/statistics/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/statistics/xmlstats.c delete external/bsd/bind/dist/bin/tests/system/statschannel/ns2/named.conf: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/statschannel/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/stop.pl: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/stress/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/stub/tests.sh: up to 1.5 external/bsd/bind/dist/bin/tests/system/tcp/clean.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns1/root.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/example.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns2/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns3/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/ns4/named.conf: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tcp/tests.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tkey/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/bin/tests/system/tkey/keycreate.c: up to 1.9 external/bsd/bind/dist/bin/tests/system/tkey/keydelete.c: up to 1.8 external/bsd/bind/dist/bin/tests/system/tkey/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/tsig/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsig/setup.sh: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/tsig/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/tsiggss/Makefile.in delete external/bsd/bind/dist/bin/tests/system/tsiggss/gssapi_krb.c delete external/bsd/bind/dist/bin/tests/system/tsiggss/prereq.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/tsiggss/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/unknown/tests.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/setup.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/upforwd/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/v6synth/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/verify/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/verify/zones/unsigned.db: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/views/tests.sh: up to 1.1.1.7 external/bsd/bind/dist/bin/tests/system/wildcard/ns1/sign.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/wildcard/tests.sh: up to 1.1.1.2 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/bigkey.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/feature-test.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keycreate.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/keydelete.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/win32/lwtest.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/clean.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/system/xfer/ns1/axfr-too-big.db: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/ixfr-too-big.db.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/xfer/ns1/named.conf: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/xfer/ns6/named.conf: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/xfer/setup.sh: up to 1.1.1.9 external/bsd/bind/dist/bin/tests/system/xfer/tests.sh: up to 1.1.1.12 external/bsd/bind/dist/bin/tests/system/xferquota/ns1/named.conf: up to 1.1.1.4 external/bsd/bind/dist/bin/tests/system/xferquota/tests.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zero/ans5/ans.pl: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/system/zero/ns1/root.db: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zero/tests.sh: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/system/zonechecks/clean.sh: up to 1.1.1.6 external/bsd/bind/dist/bin/tests/system/zonechecks/setup.sh: up to 1.1.1.5 external/bsd/bind/dist/bin/tests/system/zonechecks/tests.sh: up to 1.1.1.8 external/bsd/bind/dist/bin/tests/timers/win32/t_timers.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tests/win32/makejournal.dsp.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.dsw: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.mak.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.filters.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.in: up to 1.1.1.1 external/bsd/bind/dist/bin/tests/win32/makejournal.vcxproj.user: up to 1.1.1.1 external/bsd/bind/dist/bin/tools/Makefile.in: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/arpaname.1: up to 1.7 external/bsd/bind/dist/bin/tools/arpaname.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/arpaname.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.8: up to 1.8 external/bsd/bind/dist/bin/tools/genrandom.docbook: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/genrandom.html: up to 1.1.1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.8: up to 1.8 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.c: up to 1.9 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.docbook: up to 1.1.1.7 external/bsd/bind/dist/bin/tools/isc-hmac-fixup.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-journalprint.8: up to 1.7 external/bsd/bind/dist/bin/tools/named-journalprint.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-journalprint.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/named-rrchecker.1: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/named-rrchecker.docbook: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/named-rrchecker.html: up to 1.1.1.5 external/bsd/bind/dist/bin/tools/nsec3hash.8: up to 1.7 external/bsd/bind/dist/bin/tools/nsec3hash.docbook: up to 1.1.1.6 external/bsd/bind/dist/bin/tools/nsec3hash.html: up to 1.1.1.8 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/ischmacfixup.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/tools/win32/nsec3hash.dsp.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.mak.in: up to 1.1.1.3 external/bsd/bind/dist/bin/tools/win32/nsec3hash.vcxproj.in: up to 1.1.1.4 external/bsd/bind/dist/bin/win32/BINDInstall/BINDInstallDlg.cpp: up to 1.1.1.12 external/bsd/bind/dist/bind.keys: up to 1.1.1.7 external/bsd/bind/dist/bind.keys.h: up to 1.1.1.5 external/bsd/bind/dist/config.h.in: up to 1.14 external/bsd/bind/dist/configure: up to 1.8 external/bsd/bind/dist/configure.in: up to 1.10 external/bsd/bind/dist/contrib/dlz/modules/filesystem/dlz_filesystem_dynamic.c: up to 1.1.1.5 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure: up to 1.1.1.2 external/bsd/bind/dist/contrib/dnsperf-2.1.0.0-1/configure.in: up to 1.1.1.2 external/bsd/bind/dist/contrib/queryperf/utils/gen-data-queryperf.py: up to 1.1.1.4 external/bsd/bind/dist/contrib/sdb/ldap/zone2ldap.c: up to 1.6 external/bsd/bind/dist/doc/arm/Bv9ARM-book.xml: up to 1.1.1.21 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.22 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.27 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.24 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.15 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.20 external/bsd/bind/dist/doc/arm/dlz.xml: up to 1.1.1.4 external/bsd/bind/dist/doc/arm/dnssec.xml: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/libdns.xml: up to 1.1.1.6 external/bsd/bind/dist/doc/arm/logging-categories.xml: up to 1.1.1.2 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.7 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.15 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.15 external/bsd/bind/dist/doc/arm/managed-keys.xml: up to 1.1.1.5 external/bsd/bind/dist/doc/arm/notes-wrapper.xml: up to 1.1.1.3 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.13 external/bsd/bind/dist/doc/arm/pkcs11.xml: up to 1.1.1.10 external/bsd/bind/dist/doc/misc/options: up to 1.9 external/bsd/bind/dist/doc/misc/sort-options.pl: up to 1.1.1.5 external/bsd/bind/dist/doc/xsl/copyright.xsl: up to 1.1.1.6 external/bsd/bind/dist/doc/xsl/isc-docbook-chunk.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/doc/xsl/isc-docbook-html.xsl.in: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.1: up to 1.7 external/bsd/bind/dist/isc-config.sh.docbook: up to 1.1.1.7 external/bsd/bind/dist/isc-config.sh.html: up to 1.1.1.9 external/bsd/bind/dist/lib/Atffile: up to 1.1.1.3 external/bsd/bind/dist/lib/bind9/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/bind9/api: up to 1.1.1.19 external/bsd/bind/dist/lib/bind9/check.c: up to 1.15 external/bsd/bind/dist/lib/bind9/include/bind9/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/dns/acl.c: up to 1.8 external/bsd/bind/dist/lib/dns/adb.c: up to 1.13 external/bsd/bind/dist/lib/dns/api: up to 1.15 external/bsd/bind/dist/lib/dns/client.c: up to 1.13 external/bsd/bind/dist/lib/dns/db.c: up to 1.9 external/bsd/bind/dist/lib/dns/dbtable.c: up to 1.6 external/bsd/bind/dist/lib/dns/dispatch.c: up to 1.12 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.13 external/bsd/bind/dist/lib/dns/dst_api.c: up to 1.14 external/bsd/bind/dist/lib/dns/dst_gost.h: up to 1.1.1.4 external/bsd/bind/dist/lib/dns/dst_internal.h: up to 1.11 external/bsd/bind/dist/lib/dns/dst_openssl.h: up to 1.10 external/bsd/bind/dist/lib/dns/dst_parse.c: up to 1.10 external/bsd/bind/dist/lib/dns/ecdb.c: up to 1.10 external/bsd/bind/dist/lib/dns/gssapictx.c: up to 1.10 external/bsd/bind/dist/lib/dns/hmac_link.c: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/Makefile.in: up to 1.1.1.10 external/bsd/bind/dist/lib/dns/include/dns/db.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/events.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/keytable.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/masterdump.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/message.h: up to 1.11 external/bsd/bind/dist/lib/dns/include/dns/peer.h: up to 1.6 external/bsd/bind/dist/lib/dns/include/dns/rbt.h: up to 1.13 external/bsd/bind/dist/lib/dns/include/dns/rdata.h: up to 1.10 external/bsd/bind/dist/lib/dns/include/dns/rdataslab.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/result.h: up to 1.8 external/bsd/bind/dist/lib/dns/include/dns/rrl.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/tsig.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dns/types.h: up to 1.9 external/bsd/bind/dist/lib/dns/include/dns/view.h: up to 1.12 external/bsd/bind/dist/lib/dns/include/dns/zone.h: up to 1.18 external/bsd/bind/dist/lib/dns/include/dns/zt.h: up to 1.5 external/bsd/bind/dist/lib/dns/include/dst/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/include/dst/gssapi.h: up to 1.6 external/bsd/bind/dist/lib/dns/iptable.c: up to 1.6 external/bsd/bind/dist/lib/dns/keytable.c: up to 1.12 external/bsd/bind/dist/lib/dns/masterdump.c: up to 1.12 external/bsd/bind/dist/lib/dns/message.c: up to 1.23 external/bsd/bind/dist/lib/dns/name.c: up to 1.14 external/bsd/bind/dist/lib/dns/ncache.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssl_link.c: up to 1.14 external/bsd/bind/dist/lib/dns/openssldh_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/openssldsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/opensslecdsa_link.c: up to 1.11 external/bsd/bind/dist/lib/dns/opensslgost_link.c: up to 1.12 external/bsd/bind/dist/lib/dns/opensslrsa_link.c: up to 1.13 external/bsd/bind/dist/lib/dns/peer.c: up to 1.8 external/bsd/bind/dist/lib/dns/pkcs11dh_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11dsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11ecdsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11gost_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/pkcs11rsa_link.c: up to 1.1.1.7 external/bsd/bind/dist/lib/dns/rbt.c: up to 1.13 external/bsd/bind/dist/lib/dns/rbtdb.c: up to 1.24 external/bsd/bind/dist/lib/dns/rcode.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdata.c: up to 1.15 external/bsd/bind/dist/lib/dns/rdata/generic/opt_41.c: up to 1.12 external/bsd/bind/dist/lib/dns/rdata/in_1/wks_11.c: up to 1.8 external/bsd/bind/dist/lib/dns/rdataset.c: up to 1.11 external/bsd/bind/dist/lib/dns/rdataslab.c: up to 1.12 external/bsd/bind/dist/lib/dns/request.c: up to 1.11 external/bsd/bind/dist/lib/dns/resolver.c: up to 1.31 external/bsd/bind/dist/lib/dns/result.c: up to 1.8 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.12 external/bsd/bind/dist/lib/dns/rpz.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdb.c: up to 1.11 external/bsd/bind/dist/lib/dns/sdlz.c: up to 1.11 external/bsd/bind/dist/lib/dns/spnego.c: up to 1.11 external/bsd/bind/dist/lib/dns/tests/Krsa.+005+29235.key: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/Makefile.in: up to 1.9 external/bsd/bind/dist/lib/dns/tests/acl_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tests/dh_test.c: up to 1.1.1.2 external/bsd/bind/dist/lib/dns/tests/nsec3_test.c: up to 1.1.1.6 external/bsd/bind/dist/lib/dns/tests/rsa_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/dns/tkey.c: up to 1.12 external/bsd/bind/dist/lib/dns/tsec.c: up to 1.5 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.10 external/bsd/bind/dist/lib/dns/view.c: up to 1.13 external/bsd/bind/dist/lib/dns/win32/libdns.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/dns/xfrin.c: up to 1.14 external/bsd/bind/dist/lib/dns/zone.c: up to 1.17 external/bsd/bind/dist/lib/dns/zt.c: up to 1.9 external/bsd/bind/dist/lib/irs/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/irs/api: up to 1.1.1.10 external/bsd/bind/dist/lib/irs/getaddrinfo.c: up to 1.9 external/bsd/bind/dist/lib/irs/include/irs/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/irs/resconf.c: up to 1.10 external/bsd/bind/dist/lib/irs/tests/Atffile: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/Makefile.in: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/resconf_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/domain.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/nameserver-v6.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-debug.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-ndots.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options-unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/options.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/port.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/resolv.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/search.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/sortlist-v4.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/timeout.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/irs/tests/testdata/unknown.conf: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/Makefile.in: up to 1.1.1.15 external/bsd/bind/dist/lib/isc/aes.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/alpha/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/api: up to 1.1.1.22 external/bsd/bind/dist/lib/isc/backtrace-emptytbl.c: up to 1.5 external/bsd/bind/dist/lib/isc/hash.c: up to 1.11 external/bsd/bind/dist/lib/isc/hmacmd5.c: up to 1.10 external/bsd/bind/dist/lib/isc/hmacsha.c: up to 1.11 external/bsd/bind/dist/lib/isc/ia64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/include/isc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/backtrace.h: up to 1.5 external/bsd/bind/dist/lib/isc/include/isc/errno.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/isc/event.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/hmacmd5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/hmacsha.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/lex.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/md5.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/netaddr.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/platform.h.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/include/isc/sha1.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sha2.h: up to 1.6 external/bsd/bind/dist/lib/isc/include/isc/sockaddr.h: up to 1.7 external/bsd/bind/dist/lib/isc/include/isc/socket.h: up to 1.11 external/bsd/bind/dist/lib/isc/include/isc/types.h: up to 1.9 external/bsd/bind/dist/lib/isc/include/pk11/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pk11/README.site: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pk11/pk11.h: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/include/pk11/site.h: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/include/pkcs11/Makefile.in: up to 1.1.1.3 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11f.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/include/pkcs11/pkcs11t.h: up to 1.1.1.4 external/bsd/bind/dist/lib/isc/lex.c: up to 1.9 external/bsd/bind/dist/lib/isc/log.c: up to 1.9 external/bsd/bind/dist/lib/isc/md5.c: up to 1.9 external/bsd/bind/dist/lib/isc/mips/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/mips/include/isc/atomic.h: up to 1.6 external/bsd/bind/dist/lib/isc/netaddr.c: up to 1.9 external/bsd/bind/dist/lib/isc/noatomic/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/nothreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/pk11.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/powerpc/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/print.c: up to 1.7 external/bsd/bind/dist/lib/isc/pthreads/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/radix.c: up to 1.9 external/bsd/bind/dist/lib/isc/random.c: up to 1.6 external/bsd/bind/dist/lib/isc/ratelimiter.c: up to 1.7 external/bsd/bind/dist/lib/isc/sha1.c: up to 1.9 external/bsd/bind/dist/lib/isc/sha2.c: up to 1.11 external/bsd/bind/dist/lib/isc/task.c: up to 1.14 external/bsd/bind/dist/lib/isc/tests/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isc/tests/errno_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/hash_test.c: up to 1.1.1.10 external/bsd/bind/dist/lib/isc/tests/netaddr_test.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/tests/print_test.c: up to 1.1.1.7 external/bsd/bind/dist/lib/isc/unix/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/dir.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/unix/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/unix/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/unix/file.c: up to 1.12 external/bsd/bind/dist/lib/isc/unix/include/isc/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/unix/include/isc/net.h: up to 1.7 external/bsd/bind/dist/lib/isc/unix/include/isc/offset.h: up to 1.6 external/bsd/bind/dist/lib/isc/unix/include/pkcs11/Makefile.in: up to 1.1.1.2 external/bsd/bind/dist/lib/isc/unix/net.c: up to 1.11 external/bsd/bind/dist/lib/isc/unix/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/unix/socket.c: up to 1.21 external/bsd/bind/dist/lib/isc/unix/stdio.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/Makefile.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/app.c: up to 1.7 external/bsd/bind/dist/lib/isc/win32/condition.c: up to 1.5 external/bsd/bind/dist/lib/isc/win32/errno.c: up to 1.1.1.1 external/bsd/bind/dist/lib/isc/win32/errno2result.c: up to 1.6 external/bsd/bind/dist/lib/isc/win32/errno2result.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/include/isc/ipv6.h: up to 1.7 external/bsd/bind/dist/lib/isc/win32/include/isc/offset.h: up to 1.5 external/bsd/bind/dist/lib/isc/win32/interfaceiter.c: up to 1.8 external/bsd/bind/dist/lib/isc/win32/libisc.def.in: up to 1.1.1.9 external/bsd/bind/dist/lib/isc/win32/libisc.dsp.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.mak.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.filters.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/win32/libisc.vcxproj.in: up to 1.1.1.8 external/bsd/bind/dist/lib/isc/win32/pk11_api.c: up to 1.1.1.5 external/bsd/bind/dist/lib/isc/win32/socket.c: up to 1.13 external/bsd/bind/dist/lib/isc/win32/stdio.c: up to 1.6 external/bsd/bind/dist/lib/isc/x86_32/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isc/x86_64/include/isc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/Makefile.in: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/api: up to 1.1.1.12 external/bsd/bind/dist/lib/isccc/cc.c: up to 1.12 external/bsd/bind/dist/lib/isccc/include/isccc/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/isccc/win32/libisccc.def: up to 1.1.1.2 external/bsd/bind/dist/lib/isccfg/Makefile.in: up to 1.1.1.13 external/bsd/bind/dist/lib/isccfg/aclconf.c: up to 1.10 external/bsd/bind/dist/lib/isccfg/api: up to 1.1.1.19 external/bsd/bind/dist/lib/isccfg/include/isccfg/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/isccfg/include/isccfg/grammar.h: up to 1.7 external/bsd/bind/dist/lib/isccfg/namedconf.c: up to 1.14 external/bsd/bind/dist/lib/isccfg/parser.c: up to 1.12 external/bsd/bind/dist/lib/isccfg/win32/libisccfg.def: up to 1.1.1.9 external/bsd/bind/dist/lib/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/api: up to 1.1.1.15 external/bsd/bind/dist/lib/lwres/include/lwres/Makefile.in: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/lwres_grbn.c: up to 1.6 external/bsd/bind/dist/lib/lwres/man/Makefile.in: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_buffer.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_config.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_config.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_config.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_context.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_context.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_context.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gabn.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gai_strerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getaddrinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gethostent.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getipnode.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getnameinfo.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_getrrsetbyname.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_gnba.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_hstrerror.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_inetntop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_noop.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_noop.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_packet.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_packet.docbook: up to 1.1.1.6 external/bsd/bind/dist/lib/lwres/man/lwres_packet.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.3: up to 1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.docbook: up to 1.1.1.7 external/bsd/bind/dist/lib/lwres/man/lwres_resutil.html: up to 1.1.1.12 external/bsd/bind/dist/lib/lwres/unix/include/lwres/Makefile.in: up to 1.1.1.5 external/bsd/bind/dist/lib/lwres/win32/liblwres.def: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/Makefile.in: up to 1.1.1.4 external/bsd/bind/dist/lib/samples/resolve.c: up to 1.1.1.6 external/bsd/bind/dist/lib/samples/sample-request.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/sample-update.c: up to 1.1.1.7 external/bsd/bind/dist/lib/samples/win32/async.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/async.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/nsprobe.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/nsprobe.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/request.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/request.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/resolve.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/resolve.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/samples/win32/update.dsp.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.mak.in: up to 1.1.1.2 external/bsd/bind/dist/lib/samples/win32/update.vcxproj.in: up to 1.1.1.3 external/bsd/bind/dist/lib/tests/t_api.c: up to 1.8 external/bsd/bind/dist/make/rules.in: up to 1.8 external/bsd/bind/dist/srcid: up to 1.21 external/bsd/bind/dist/util/bindkeys.pl: up to 1.1.1.2 external/bsd/bind/dist/version: up to 1.25 external/bsd/bind/dist/win32utils/Configure: up to 1.1.1.7 external/bsd/bind/dist/win32utils/bind9.sln.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/build.txt: up to 1.1.1.5 external/bsd/bind/dist/win32utils/legacy/BINDBuild.dsw.in: up to 1.5 external/bsd/bind/dist/win32utils/legacy/BuildAll.bat.in: up to 1.1.1.4 external/bsd/bind/dist/win32utils/legacy/BuildPost.bat.in: up to 1.1.1.3 external/bsd/bind/dist/win32utils/readme1st.txt: up to 1.1.1.8 external/bsd/bind/include/config.h: up to 1.21 external/bsd/bind/include/dns/code.h: up to 1.13 external/bsd/bind/include/dns/enumclass.h: up to 1.9 external/bsd/bind/include/dns/enumtype.h: up to 1.13 external/bsd/bind/include/dns/rdatastruct.h: up to 1.13 external/bsd/bind/include/isc/platform.h: up to 1.23 via patch external/bsd/bind/lib/libbind9/shlib_version: up to 1.17 external/bsd/bind/lib/libdns/Makefile: up to 1.14 external/bsd/bind/lib/libdns/shlib_version: up to 1.19 external/bsd/bind/lib/libirs/shlib_version: up to 1.6 external/bsd/bind/lib/libisc/Makefile: up to 1.8 external/bsd/bind/lib/libisc/shlib_version: up to 1.19 external/bsd/bind/lib/libisccc/shlib_version: up to 1.17 external/bsd/bind/lib/libisccfg/shlib_version: up to 1.17 external/bsd/bind/lib/liblwres/shlib_version: up to 1.17 Update BIND to 9.10.5-P1. @ text @a0 1 d2 1 a2 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d109 1 a109 2d119 1 a119 2
d125 1 a125 1
d128 1 a128 2d977 11 a987 14d132 1 a132 2
d500 2 a501 3
d504 1 a504 2d507 4 a510 5address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} ) d512 2 a513 3d516 1 a516 2d523 3 a525 4
- an IP address (IPv4 or IPv6)
a526 4 an IP prefix (in `/' notation)- d529 2 a530 4
- the name of an address match list defined with d532 2 a533 5
- a nested address match list enclosed in braces
d535 1 a535 2d541 1 a541 2
d548 1 a548 2
d555 1 a555 2
d560 1 a560 2
d579 1 a579 2
d595 3 a597 4
d600 1 a600 2d607 1 a607 2
d610 1 a610 2d622 2 a623 2
d626 1 a626 2d630 1 a630 1
d636 1 a636 1
d640 1 a640 1
d651 1 a651 2
d658 1 a658 1
d668 1 a668 1
d675 1 a675 2
d685 1 a685 2
d687 1 a687 1d693 5 a697 6
d700 1 a700 2d708 1 a708 2
d711 1 a711 3
d870 2 a871 4
d877 1 a877 2
d880 3 a882 4aclacl-name{address_match_list}; d884 2 a885 3d889 1 a889 2d894 1 a894 2
d897 1 a897 3
d957 2 a958 4
d964 1 a964 1
d971 1 a971 1
d987 1 a987 1
d1002 1 a1002 1
d1005 1 a1005 1
geoip country US; d1015 2 a1016 4d1019 9 a1027 9controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] }; d1029 2 a1030 4d1034 1 a1034 2d1041 1 a1041 2
d1054 1 a1054 2
d1058 1 a1058 2
d1068 1 a1068 2
d1077 1 a1077 2
d1086 1 a1086 2
d1100 1 a1100 2
d1113 1 a1113 2
d1134 1 a1134 2
d1139 2 a1140 3
d1143 3 a1145 4includefilename;d1148 1 a1148 2d1158 2 a1159 3
d1162 4 a1165 5keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1167 2 a1168 4d1171 1 a1171 2d1178 1 a1178 2
d1189 1 a1189 2
d1198 1 a1198 2
d1212 2 a1213 3
d1216 19 a1234 20logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... }; d1236 2 a1237 4d1240 1 a1240 2d1248 1 a1248 1
a1253 1 d1259 1 a1259 2
d1270 1 a1270 2
d1273 1 a1273 2d1277 1 a1277 2
d1288 1 a1288 2
d1293 1 a1293 2
d1301 1 a1301 2
d1324 1 a1324 2
d1340 1 a1340 2
a1343 1 d1350 1 a1350 2
d1372 1 a1372 1
d1375 1 a1375 1
d1384 1 a1384 1
d1396 1 a1396 2
d1405 1 a1405 2
a1418 1 d1424 1 a1424 2
d1431 1 a1431 1
d1449 1 a1449 2
d1452 1 a1452 2
a1457 1 d1485 1 a1485 2
d1493 1 a1493 2
d1503 1 a1503 2
d1509 2 a1510 3
d1513 1 a1513 2a1521 1 d1524 1 a1524 2
a1528 1 d1538 1 a1538 2
a1540 1 d1544 1 a1544 2
d1549 1 a1549 2
d1904 1 a1904 1
d1906 1 a1906 2d1909 1 a1909 2d1917 1 a1917 2
d1921 1 a1921 1
d1924 1 a1924 1
d1932 1 a1932 1
d1938 1 a1938 1
d1949 1 a1949 1
d1956 1 a1956 1
d1966 1 a1966 1
d1976 1 a1976 3
d2115 2 a2116 3
d2123 1 a2123 1
d2132 3 a2134 4
d2137 1 a2137 2d2141 7 a2147 10
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] }; d2149 2 a2150 3d2153 1 a2153 2d2161 1 a2161 2
d2172 1 a2172 2
d2183 1 a2183 2
d2191 1 a2191 2
d2200 2 a2201 2
a2203 1 d2205 2 a2206 5 mastersname[ portip_port] [ dscpip_dscp] { (masters_list; ) | (ip_addr[ portip_port] [ keykey] ; ) ... }; d2208 2 a2209 4d2213 1 a2213 2masters d2218 2 a2219 3
d2222 1 a2222 2d2226 255 a2480 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] } ; ] d2482 2 a2483 4d2487 1 a2487 2d879 1 a879 1 acl Statement Grammard2496 1 a2496 2
d2499 1 a2499 1
d2508 1 a2508 2
d2514 1 a2514 2
d2524 1 a2524 2
d2531 1 a2531 2
a2539 1 d2554 1 a2554 2
d2569 1 a2569 2
d2581 1 a2581 1 d2583 1 a2583 2
- d2598 1 a2598 2
d2596 1 a2596 2
- d2609 1 a2609 2
d2607 1 a2607 2
- d2621 1 a2621 1
d2618 1 a2618 2
d2626 1 a2626 1
d2635 1 a2635 1 d2637 1 a2637 2
- d2646 1 a2646 2
d2644 1 a2644 2
- d2653 1 a2653 2
d2651 1 a2651 2
- d2668 1 a2668 2
d2666 1 a2666 2
- d2686 1 a2686 2
d2684 1 a2684 2
- d2697 1 a2697 2
d2694 2 a2695 3 most cases, the
key_nameshould be the server's host name.- d2701 1 a2701 2
d2699 1 a2699 2
- d2708 1 a2708 2
d2706 1 a2706 2
- d2714 1 a2714 2
d2712 1 a2712 2
- d2728 1 a2728 2
d2726 1 a2726 2
- d2735 1 a2735 2
d2733 1 a2733 2
- d2744 1 a2744 2
d2742 1 a2742 2
- d2753 1 a2753 2
d2751 1 a2751 2
- d2761 1 a2761 2
d2759 1 a2759 2
- d2773 1 a2773 2
d2771 1 a2771 2
- d2778 1 a2778 2
d2776 1 a2776 2
- d2785 1 a2785 2
d2783 1 a2783 2
- d2795 1 a2795 2
d2793 1 a2793 2
- d2802 1 a2802 2
d2800 1 a2800 2
- d2821 1 a2821 2
d2819 1 a2819 2
- d2833 1 a2833 1
d2828 1 a2828 2
d2838 1 a2838 1
d2845 1 a2845 1
d2861 1 a2861 1
d2866 1 a2866 1
a2869 1 d2875 1 a2875 2 d2878 1 a2878 1
d2886 1 a2886 1
d2891 1 a2891 1 d2894 1 a2894 1
d2902 1 a2902 1
d2907 1 a2907 1 d2910 1 a2910 1
d2922 1 a2922 1
d2928 1 a2928 1
d2933 1 a2933 1
d2944 1 a2944 1
d2951 1 a2951 1
d2957 1 a2957 1 d2959 1 a2959 2
- d2972 1 a2972 1
d2969 1 a2969 2
d2980 1 a2980 1
d2984 1 a2984 1
d2994 1 a2994 1
d3000 1 a3000 1
d3007 1 a3007 1
d3016 1 a3016 1 defaults to ::ffff:0.0.0.0/96. d3018 1 a3018 1
d3026 1 a3026 1
d3032 1 a3032 1
d3051 1 a3051 1 d3053 1 a3053 2
- d3069 1 a3069 1
d3066 1 a3066 2
d3082 1 a3082 1
d3088 1 a3088 1
d3097 1 a3097 1 d3100 1 a3100 1
d3109 1 a3109 1
d3117 1 a3117 1
d3122 1 a3122 1
d3127 1 a3127 1 d3130 1 a3130 1
d3135 1 a3135 1
d3141 1 a3141 1
d3149 1 a3149 1 d3152 1 a3152 1
d3164 1 a3164 1
d3172 1 a3172 1
d3183 1 a3183 1 d3185 1 a3185 2
d3188 1 a3188 2d3191 1 a3191 1
d3197 1 a3197 1
d3202 1 a3202 1 d3204 1 a3204 2
- d3211 1 a3211 2
d3209 1 a3209 2
- d3222 1 a3222 2
d3220 1 a3220 2
- d3229 1 a3229 2
d3227 1 a3227 2
- d3238 1 a3238 1
d3235 1 a3235 2
d3253 1 a3253 1
d3260 1 a3260 1
d3272 1 a3272 1
d3282 1 a3282 1
d3297 1 a3297 3
d3448 2 a3449 4
d3453 1 a3453 2 d3455 1 a3455 2
- d3462 1 a3462 2
d3460 1 a3460 2
- d3473 1 a3473 2
d3471 1 a3471 2
- d3480 1 a3480 2
d3478 1 a3478 2
- d3490 1 a3490 2
d3488 1 a3488 2
- d3497 1 a3497 2
d3495 1 a3495 2
- d3507 1 a3507 2
d3505 1 a3505 2
- d3516 1 a3516 2
d3514 1 a3514 2
- d3525 1 a3525 1
d3522 1 a3522 2
d3536 1 a3536 1
d3545 1 a3545 1
d3554 1 a3554 1 d3556 1 a3556 2
- d3567 1 a3567 2
d3565 1 a3565 2
- d3585 1 a3585 2
d3583 1 a3583 2
- d3596 1 a3596 2
d3594 1 a3594 2
- d3614 1 a3614 2
d3612 1 a3612 2
- d3623 1 a3623 2
d3621 1 a3621 2
- d3634 1 a3634 1
d3631 1 a3631 2
d3640 1 a3640 1
d3642 1 a3642 1d3646 2 a3647 30
- trust-anchor-telemetry
- d3649 1 a3649 2
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is
yes.- d3655 1 a3655 2
d3653 1 a3653 2
- d3666 1 a3666 2
d3664 1 a3664 2
- d3673 1 a3673 2
d3671 1 a3671 2
- d3680 1 a3680 2
d3678 1 a3678 2
- d3696 1 a3696 2
d3691 1 a3691 2
d3703 1 a3703 2
d3723 1 a3723 2
d3733 1 a3733 2
d3742 1 a3742 2
d3752 1 a3752 2
d3770 1 a3770 2 d3773 1 a3773 1
d3778 1 a3778 1
d3787 1 a3787 1 d3790 1 a3790 1
d3804 1 a3804 1
d3812 1 a3812 1
d3818 1 a3818 1
d3826 1 a3826 1
d3833 1 a3833 1
d3838 1 a3838 1 d3840 1 a3840 2
- d3848 1 a3848 1
d3845 1 a3845 2
d3858 1 a3858 1
d3870 1 a3870 1
ixfr-from-differences d3879 1 a3879 1 d3881 1 a3881 2
- d3892 1 a3892 1
d3889 1 a3889 2
d3897 1 a3897 1
d3903 1 a3903 1
d3926 1 a3926 1
d3929 1 a3929 1 d3931 1 a3931 2
- d3941 1 a3941 1
d3938 1 a3938 2
d3955 1 a3955 1
d3957 1 a3957 1d3966 1 a3966 2d3963 2 a3964 2
- d3974 1 a3974 2
d3972 1 a3972 2
- d3983 1 a3983 1
d3980 1 a3980 2
d3996 1 a3996 1
d4000 1 a4000 1
check-names d4008 1 a4008 1 d4010 1 a4010 2
- d4018 1 a4018 2
d4016 1 a4016 2
- d4025 1 a4025 2
d4023 1 a4023 2
- d4036 1 a4036 1
d4033 1 a4033 2
d4049 1 a4049 1
d4059 1 a4059 1 d4061 1 a4061 2
- d4067 1 a4067 2
d4065 1 a4065 2
- d4073 1 a4073 2
d4071 1 a4071 2
- d4078 1 a4078 2
d4076 1 a4076 2
- d4086 1 a4086 2
d4084 1 a4084 2
- d4093 1 a4093 2
d4091 1 a4091 2
- d4100 1 a4100 1
d4097 1 a4097 2
d4105 1 a4105 1
d4116 1 a4116 1
d4124 1 a4124 1 d4127 1 a4127 1
d4137 1 a4137 1
d4142 1 a4142 1 d4144 1 a4144 2
- d4151 1 a4151 1
d4148 1 a4148 2
d4159 1 a4159 1
d4166 1 a4166 1
d4173 1 a4173 1 d4175 2 a4176 4
d4179 1 a4179 2d625 1 a625 1 Definition and Usaged4189 1 a4189 2
d4191 1 a4191 2
- d4203 1 a4203 2
d4201 1 a4201 2
- d4209 1 a4209 2
d4207 1 a4207 2
d4218 2 a4219 3
d4222 1 a4222 2d4229 1 a4229 2
d4231 1 a4231 2
- d4242 2 a4243 3
d4240 1 a4240 2
d4246 1 a4246 3d4251 1 a4251 2
d4253 1 a4253 2
- d4269 1 a4269 1
d4266 1 a4266 2
d4278 1 a4278 1
d4280 1 a4280 1d4288 1 a4288 1d4284 2 a4285 2
d4295 1 a4295 1
d4301 1 a4301 1
d4307 1 a4307 1
d4311 1 a4311 1
d4313 1 a4313 1d4320 1 a4320 2d4317 2 a4318 2
- d4331 1 a4331 2
d4329 1 a4329 2
- d4339 1 a4339 2
d4337 1 a4337 2
- d4350 1 a4350 2
d4348 1 a4348 2
- d4356 1 a4356 2
d4354 1 a4354 2
- d4366 1 a4366 1
d4363 1 a4363 2
d4383 1 a4383 1
d4391 1 a4391 1 d4393 1 a4393 2
- d4403 1 a4403 2
d4401 1 a4401 2
- d4413 1 a4413 2
d4411 1 a4411 2
- d4421 1 a4421 2
d4419 1 a4419 2
- d4428 1 a4428 1
d4425 1 a4425 2
d4436 1 a4436 1
d4444 1 a4444 1
d4456 1 a4456 1
d4461 1 a4461 1
d4476 1 a4476 1 d4478 1 a4478 2
- d4486 2 a4487 4
d4484 1 a4484 2
d4490 1 a4490 2d4499 1 a4499 1
a4503 1 d4507 1 a4507 2
d4512 1 a4512 2
d4516 1 a4516 2
d4522 1 a4522 2
d4537 1 a4537 2
d4546 1 a4546 2
a4550 1 d4554 1 a4554 2
d4560 1 a4560 2
a4562 1 d4565 2 a4566 4
d4569 1 a4569 2d609 1 a609 1 Syntaxd4578 1 a4578 2
d4589 1 a4589 2
a4593 1 d4597 1 a4597 2
a4606 1 d4610 1 a4610 2
d4626 1 a4626 2
d4638 1 a4638 2
a4642 1 d4646 1 a4646 2
d4658 1 a4658 2
d4660 1 a4660 2
- d4664 1 a4664 2
d4662 1 a4662 2
- d4668 1 a4668 2
d4666 1 a4666 2
- d4672 1 a4672 1
d4670 1 a4670 2
d4674 1 a4674 1d4680 2 a4681 2
d4683 1 a4683 1d4687 2 a4688 2
d4690 1 a4690 1d4694 3 a4696 4
d4699 1 a4699 2d4705 1 a4705 2
d4708 1 a4708 1
d4726 1 a4726 1
d4739 1 a4739 1 d4741 1 a4741 2
- d4748 1 a4748 2
d4746 1 a4746 2
- d4755 1 a4755 2
d4753 1 a4753 2
- d4762 1 a4762 2
d4760 1 a4760 2
- d4770 1 a4770 1
d4767 1 a4767 2
d4783 1 a4783 1
d4790 1 a4790 1 d4792 1 a4792 2
- d4803 1 a4803 3
d4801 1 a4801 2
- d4825 1 a4825 2
d4823 1 a4823 3
- d4834 1 a4834 2
d4832 1 a4832 2
- d4841 1 a4841 2
d4839 1 a4839 2
- d4856 1 a4856 1
d4853 1 a4853 2
transfer-source d4877 1 a4877 1
d4879 1 a4879 1d4886 1 a4886 2d4883 2 a4884 2
- d4892 1 a4892 1
d4889 1 a4889 2
d4898 1 a4898 1
d4909 1 a4909 1 d4911 1 a4911 2- d4918 1 a4918 2
d4916 1 a4916 2
- d4927 1 a4927 1
d4924 1 a4924 2
notify-source d4941 1 a4941 1
d4943 1 a4943 1d4950 1 a4950 2d4947 2 a4948 2
- d4955 2 a4956 4
d4953 1 a4953 2
d4959 1 a4959 2a4969 1 d4974 1 a4974 2
d4980 1 a4980 2
d4997 2 a4998 3
d5001 1 a5001 2d599 1 a599 1 Comment Syntaxd5014 1 a5014 2
d5022 1 a5022 2
d5024 1 a5024 2
- d5029 1 a5029 2
d5027 1 a5027 2
- d5046 1 a5046 2
d5044 1 a5044 2
- d5051 1 a5051 2
d5049 1 a5049 2
- d5056 2 a5057 4
d5054 1 a5054 2
d5060 1 a5060 2d5065 1 a5065 2
d5067 1 a5067 2
- d5074 1 a5074 2
d5072 1 a5072 2
d5085 1 a5085 9
- max-records
- d5087 1 a5087 2
The maximum number of records permitted in a zone. The default is zero which means unlimited.
- d5094 1 a5094 1
d5091 1 a5091 2
d5105 1 a5105 1
d5112 1 a5112 1
d5122 1 a5122 1 d5124 1 a5124 2
- d5133 1 a5133 1
d5128 1 a5128 2
These set the d5141 1 a5141 1
d5151 1 a5151 1
d5156 1 a5156 1
d5161 1 a5161 1 d5166 1 a5166 1
d5176 1 a5176 1
d5188 1 a5188 1
d5196 1 a5196 1
d5201 1 a5201 1
d5214 1 a5214 1
d5218 1 a5218 1 d5223 1 a5223 1
d5233 1 a5233 1
d5242 1 a5242 1
d5247 1 a5247 1
d5263 1 a5263 1
d5267 1 a5267 1 d5270 1 a5270 1
d5275 1 a5275 1
d5283 1 a5283 1
d5298 1 a5298 1
d5302 1 a5302 1 d5305 1 a5305 1
d5315 1 a5315 1
d5318 1 a5318 1 d5320 1 a5320 2
- d5338 1 a5338 2
d5336 1 a5336 2
- d5350 2 a5351 4
d5348 1 a5348 2
d5354 1 a5354 2d5409 2 a5410 4d5356 1 a5356 2
- d5367 1 a5367 2
d5365 1 a5365 2
- d5377 1 a5377 2
d5375 1 a5375 2
- d5393 1 a5393 1
d5390 1 a5390 2
d5402 1 a5402 1
d5406 2 a5407 2
d5413 1 a5413 2a5429 1 d5435 1 a5435 2
d5441 1 a5441 1
a5443 1 d5446 1 a5446 2
d5448 1 a5448 1d5452 3 a5454 4
d5457 1 a5457 2d5473 1 a5473 2
d5489 1 a5489 1
d5504 1 a5504 1
a5521 1 d5545 1 a5545 2
a5556 1 d5562 2 a5563 3
d5566 1 a5566 2d5576 1 a5576 2
d5580 1 a5580 1
d5586 1 a5586 1
d5591 1 a5591 1
d5594 1 a5594 2
d5638 2 a5639 3
a5641 1 d5647 1 a5647 2
d5653 1 a5653 1
d5657 1 a5657 1
d5660 1 a5660 2
d5662 1 a5662 1d5669 3 a5671 4
d5674 1 a5674 2d5677 1 a5677 1
d5685 1 a5685 2
d5691 1 a5691 2 d5693 1 a5693 2
- d5705 1 a5705 2
d5703 1 a5703 2
- d5716 1 a5716 1
d5713 1 a5713 2
d5722 1 a5722 1
d5724 1 a5724 1d5731 1 a5731 1d5727 2 a5728 2
d5745 1 a5745 1
d5750 1 a5750 1
d5756 1 a5756 1 d5758 1 a5758 2
- d5765 1 a5765 2
d5763 1 a5763 2
- d5773 1 a5773 1
d5770 1 a5770 2
d5778 1 a5778 1
d5782 1 a5782 1
d5798 1 a5798 1 d5803 1 a5803 1
d5813 1 a5813 1
d5822 1 a5822 1
d5830 1 a5830 1 d5833 1 a5833 1
d5841 1 a5841 1
d5848 1 a5848 1
d5853 1 a5853 1
d5864 1 a5864 1
d5872 1 a5872 1
d5880 1 a5880 1 d5883 1 a5883 1
d5890 1 a5890 1
d5895 1 a5895 1
d5904 1 a5904 1
d5908 1 a5908 1 d5911 1 a5911 1
Specifies d5922 1 a5922 1
d5936 1 a5936 1
d5945 1 a5945 1 d5949 1 a5949 2
- d5962 1 a5962 2
d5958 1 a5958 2
- d5973 1 a5973 1
d5970 1 a5970 2
d5977 1 a5977 1
d5981 1 a5981 1 d5983 1 a5983 2
- d5991 1 a5991 1
d5988 1 a5988 2
d5998 1 a5998 1
d6010 1 a6010 1
d6020 1 a6020 1 d6022 2 a6023 4
d6026 1 a6026 2d515 1 a515 1 Definition and Usaged6045 1 a6045 1
d6052 1 a6052 2
d6054 1 a6054 2
- d6063 1 a6063 2
d6061 1 a6061 2
- d6076 1 a6076 2
d6074 1 a6074 2
- d6090 2 a6091 4
d6088 1 a6088 2
d6094 1 a6094 2d6106 1 a6106 1
d6111 1 a6111 1
d6215 1 a6215 1
d6227 1 a6227 1
d6236 1 a6236 1
d6245 1 a6245 1d6247 1 a6247 2
- d6253 1 a6253 2
d6251 1 a6251 2
- d6259 1 a6259 2
d6257 1 a6257 2
- d6264 1 a6264 2
d6262 1 a6262 2
- d6269 2 a6270 3
d6267 1 a6267 2
d6273 1 a6273 3d6283 1 a6283 2
d6291 1 a6291 2
d6300 1 a6300 2
d6313 1 a6313 2
d6329 1 a6329 2
d6333 1 a6333 2
d6335 1 a6335 2
- d6340 1 a6340 2
d6338 1 a6338 2
- d6348 1 a6348 2
d6346 1 a6346 2
- d6360 2 a6361 4
d6358 1 a6358 2
d6364 1 a6364 2d6390 1 a6390 2
d6393 1 a6393 2
d6401 1 a6401 2
d6406 1 a6406 2
d6421 1 a6421 2
a6425 1 d6429 1 a6429 2
a6433 1 d6435 1 a6435 2
d6441 1 a6441 2
a6446 1 d6448 1 a6448 2
d6453 1 a6453 2
d6474 1 a6474 2
d6483 2 a6484 3
d6487 1 a6487 2d6495 1 a6495 2
d6506 1 a6506 2
d6515 1 a6515 2
d6521 1 a6521 1
d6536 1 a6536 2
d6552 1 a6552 1 d6554 1 a6554 2
- d6562 1 a6562 2
d6560 1 a6560 2
- d6569 1 a6569 2
d6567 1 a6567 2
- d6581 1 a6581 2
d6579 1 a6579 2
- d6592 1 a6592 2
d6588 1 a6588 2
d6621 1 a6621 2
d6628 1 a6628 2
d6640 1 a6640 2
- d6648 1 a6648 2
d6646 1 a6646 2
- d6655 1 a6655 2
d6653 1 a6653 2
- d6663 1 a6663 2
d6661 1 a6661 2
- d6668 1 a6668 2
d6666 1 a6666 2
- d6676 1 a6676 1
d6673 1 a6673 2
d6681 1 a6681 2
d6689 1 a6689 1 d6693 1 a6693 2
d6704 1 a6704 2
- d6708 1 a6708 2
The placeholder policy says "do not override but d6706 1 a6706 2
- d6722 1 a6722 2
d6718 1 a6718 2
- d6726 1 a6726 2
d6724 1 a6724 2
- d6733 1 a6733 2
d6729 1 a6729 2
d6744 1 a6744 2
d6755 1 a6755 2
d6782 1 a6782 2
d6789 1 a6789 2
d6793 1 a6793 1
d6797 1 a6797 1
d6839 1 a6839 1
d6854 1 a6854 2
d6858 2 a6859 3
d6862 1 a6862 2d6875 1 a6875 2
d6883 1 a6883 2
d6902 1 a6902 2
d6911 1 a6911 2
d6935 1 a6935 2
d6940 1 a6940 2
d6951 1 a6951 2
d6975 1 a6975 2
d6988 1 a6988 2
d7006 1 a7006 2
d7018 1 a7018 2
d7054 1 a7054 2
d7068 1 a7068 2
d7072 1 a7072 2
d7079 3 a7081 4
d7084 24 a7107 30server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ; d7109 2 a7110 4d7114 1 a7114 2d7123 1 a7123 2
d7138 1 a7138 2
d7144 1 a7144 1
d7160 1 a7160 2
d7170 1 a7170 2
d7184 1 a7184 2
d7189 1 a7189 2
d7208 1 a7208 2
d7216 1 a7216 9
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
d7230 1 a7230 2
transfers d7237 1 a7237 2
d7248 1 a7248 2
d7251 1 a7251 2
d7267 1 a7267 2
d7276 1 a7276 2
d7285 1 a7285 2
d7292 1 a7292 2
d7301 2 a7302 3
d7305 5 a7309 6statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... }; d7311 2 a7312 3d7316 1 a7316 2d7322 1 a7322 2
d7332 1 a7332 2
d7343 1 a7343 2
d7348 1 a7348 2
d7360 1 a7360 2
d7364 1 a7364 2
d7376 1 a7376 2
d7386 1 a7386 2
d7401 1 a7401 2
d7418 2 a7419 3
d7422 4 a7425 5trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ; d7427 2 a7428 3d7432 1 a7432 2d7443 1 a7443 1
d7451 1 a7451 1
d7460 1 a7460 1
d7467 2 a7468 3
d7471 4 a7474 5managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ; d7476 2 a7477 3d7481 1 a7481 2d7489 1 a7489 1
d7499 1 a7499 1
d7510 1 a7510 1
d7521 1 a7521 1
d7534 1 a7534 1
d7542 1 a7542 1
d7547 3 a7549 3 key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d7551 1 a7551 1
d7559 15 a7573 18
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in use, there will be a separate managed keys database for each view; the filename will be a hash of the view name followed by the suffix.mkeys.When the key database is changed, the zone is updated. As with any other dynamic zone, changes will be written into a journal file, e.g.,
managed-keys.bind.jnl. Changes are committed to the master file as soon as possible afterward; this will usually occur within 30 d7575 4 a7578 4 automatic key maintenance, the zone file and journal file can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by named.) d7580 1 a7580 1d7588 3 a7590 5 (Note: The ISC DLV service is expected to cease operation by the end of 2017.) In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d7592 2 a7593 3
d7596 8 a7603 8viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ; d7605 2 a7606 3d7609 1 a7609 2d7618 1 a7618 2
d7646 1 a7646 2
d7655 1 a7655 2
d7668 1 a7668 2
d7673 1 a7673 2
d7689 1 a7689 2
a7692 1 d7725 2 a7726 3
d7730 191 d7922 3 a7924 205zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ; d7927 2 a7928 3d7931 1 a7931 2d7934 1 a7934 2d7944 1 a7944 3
d8257 3 a8259 5
d8262 1 a8262 2d8267 1 a8267 1
d8276 1 a8276 1
d8280 2 a8281 3
d8284 1 a8284 2d8286 1 a8286 2
- d8291 1 a8291 2
d8289 1 a8289 2
- d8296 1 a8296 2
d8294 1 a8294 2
- d8301 1 a8301 2
d8299 1 a8299 2
- d8306 1 a8306 2
d8304 1 a8304 2
- d8311 1 a8311 2
d8309 1 a8309 2
- d8316 1 a8316 2
d8314 1 a8314 2
- d8321 1 a8321 2
d8319 1 a8319 2
- d8344 1 a8344 2
d8342 1 a8342 2
- d8354 1 a8354 2
d8352 1 a8352 2
- d8359 1 a8359 2
d8357 1 a8357 2
- d8364 1 a8364 2
d8362 1 a8362 2
- d8369 1 a8369 2
d8367 1 a8367 2
- d8374 1 a8374 2
d8372 1 a8372 2
- d8379 1 a8379 2
d8377 1 a8377 2
- d8384 1 a8384 2
d8382 1 a8382 2
- d8389 1 a8389 2
d8387 1 a8387 2
- d8395 1 a8395 2
d8393 1 a8393 2
- d8401 1 a8401 2
d8399 1 a8399 2
- d8406 1 a8406 2
d8404 1 a8404 2
- d8412 1 a8412 1
d8409 1 a8409 2
d8423 1 a8423 1
d8429 1 a8429 1
d8435 1 a8435 1 d8437 1 a8437 2
- d8443 1 a8443 1
d8440 1 a8440 2
d8449 1 a8449 1
d8452 1 a8452 1 d8454 1 a8454 2
- d8462 1 a8462 2
d8460 1 a8460 2
- d8469 1 a8469 2
d8467 1 a8467 2
- d8481 1 a8481 2
d8479 1 a8479 2
- d8486 1 a8486 2
d8484 1 a8484 2
- d8492 1 a8492 2
d8490 1 a8490 2
d8495 1 a8495 9
- max-records
- d8497 1 a8497 2
See the description of max-records in the section called “Server Resource Limits”.
- d8502 1 a8502 2
d8500 1 a8500 2
- d8507 1 a8507 2
d8505 1 a8505 2
- d8512 1 a8512 2
d8510 1 a8510 2
- d8517 1 a8517 2
d8515 1 a8515 2
- d8522 1 a8522 2
d8520 1 a8520 2
- d8527 1 a8527 2
d8525 1 a8525 2
- d8533 1 a8533 2
d8531 1 a8531 2
- d8542 1 a8542 2
d8540 1 a8540 2
- d8550 1 a8550 1
d8547 1 a8547 2
d8559 1 a8559 1
d8568 1 a8568 1
d8576 1 a8576 1 d8579 1 a8579 1
d8597 1 a8597 1
d8609 1 a8609 1
d8619 1 a8619 1 d8621 1 a8621 2
- d8626 1 a8626 2
d8624 1 a8624 2
- d8631 1 a8631 2
d8629 1 a8629 2
- d8636 1 a8636 2
d8634 1 a8634 2
- d8641 1 a8641 2
d8639 1 a8639 2
- d8646 1 a8646 2
d8644 1 a8644 2
- d8651 1 a8651 2
d8649 1 a8649 2
- d8656 1 a8656 2
d8654 1 a8654 2
- d8661 1 a8661 2
d8659 1 a8659 2
- d8666 1 a8666 2
d8664 1 a8664 2
- d8671 1 a8671 2
d8669 1 a8669 2
- d8678 1 a8678 2
d8674 1 a8674 2
- d8682 1 a8682 2
d8680 1 a8680 2
- d8691 1 a8691 2
d8689 1 a8689 2
- d8697 1 a8697 2
d8695 1 a8695 2
- d8704 1 a8704 2
d8702 1 a8702 2
- d8711 1 a8711 2
d8709 1 a8709 2
- d8720 1 a8720 2
d8718 1 a8718 2
- d8725 1 a8725 2
d8723 1 a8723 2
- d8730 1 a8730 2
d8728 1 a8728 2
- d8736 1 a8736 2
d8734 1 a8734 2
- d8741 2 a8742 3
d8739 1 a8739 2
d8745 1 a8745 2BIND 9 supports two alternative d8751 1 a8751 1
d8757 1 a8757 1
d8767 1 a8767 1
d8777 1 a8777 1
d8792 1 a8792 1
d8799 1 a8799 2
update-policy { grant local-ddns zonesub any; }; d8801 1 a8801 2d8805 1 a8805 2
a8807 1 d8811 1 a8811 2
d8820 1 a8820 1
d8826 1 a8826 1
d8843 1 a8843 1
d8850 1 a8850 1
d8862 1 a8862 2
d9142 2 a9143 4
d9147 1 a9147 2
d9156 2 a9157 3
d9160 1 a9160 2d9171 1 a9171 1
d9189 1 a9189 1d9193 1 a9193 1
d9201 1 a9201 1
d9208 1 a9208 1
d9212 1 a9212 1
d9216 4 a9219 5
d9222 1 a9222 2d9225 1 a9225 2d9232 1 a9232 1
d9235 1 a9235 2d9245 1 a9245 2
d9248 1 a9248 2
d9323 2 a9324 3
d9327 1 a9327 2
d10332 2 a10333 3
d10337 1 a10337 2
d10390 2 a10391 4
d10402 1 a10402 1
d10422 1 a10422 1
d10428 2 a10429 2
d10432 1 a10432 2d10445 1 a10445 1
d10451 1 a10451 1
d10462 1 a10462 1
d10466 1 a10466 1
d10469 1 a10469 2
d10573 2 a10574 3
d10580 1 a10580 1
d10584 1 a10584 1
d10587 1 a10587 2
d10625 2 a10626 3
d10630 3 a10632 4
d10635 1 a10635 2d10644 1 a10644 2
d10661 1 a10661 1
d10670 1 a10670 2
d10814 2 a10815 2d10807 1 a10807 2
d10818 1 a10818 2d10826 1 a10826 2
d10881 2 a10882 3
d10886 2 a10887 2
d10890 1 a10890 2d10905 1 a10905 2
d10936 2 a10937 3
d10939 1 a10939 1d10946 3 a10948 3
d10951 1 a10951 2d10959 1 a10959 1
d10963 1 a10963 1
d10966 1 a10966 2d10973 2 a10974 2
d10977 1 a10977 2d10982 1 a10982 1
$ORIGIN a10991 1 d10996 1 a10996 2
a10998 1 d11002 2 a11003 3
d11006 1 a11006 2d11013 1 a11013 1
d11020 1 a11020 1
d11025 1 a11025 1
d11027 1 a11027 1d11037 3 a11039 3
d11042 1 a11042 2d11048 1 a11048 1
d11053 1 a11053 1
$TTL d11056 3 a11058 3
d11061 1 a11061 2d11071 1 a11071 1
$GENERATE a11078 1 d11082 1 a11082 2
a11084 1 d11092 1 a11092 2
a11096 1 d11101 1 a11101 2
a11103 1 d11114 1 a11114 3
d11242 2 a11243 3
d11247 1 a11247 1
d11250 2 a11251 3
d11254 1 a11254 2d11259 1 a11259 1
d11265 1 a11265 1
d11273 1 a11273 1
d11284 1 a11284 1
d11292 1 a11292 1
d11309 3 a11311 4
d11314 1 a11314 2d12848 1 a12848 1d11323 1 a11323 2
d11327 1 a11327 3
d11426 2 a11427 4
d11437 1 a11437 2
d11441 1 a11441 2
d11451 1 a11451 2
d11454 1 a11454 2d11457 1 a11457 1
d11460 1 a11460 1
d11469 1 a11469 2
d11472 1 a11472 2
d11479 1 a11479 2
d11483 1 a11483 1
d11486 2 a11487 3
d11490 1 a11490 2d11506 1 a11506 2
d11509 1 a11509 3d12100 3 a12102 5
d12105 1 a12105 3d12254 3 a12256 5
d12259 1 a12259 3d12637 3 a12639 6
d12642 1 a12642 2d12657 1 a12657 3
d12792 3 a12794 5
d12797 1 a12797 2d12804 1 a12804 2
d12806 1 a12806 2
- d12813 1 a12813 2
d12811 1 a12811 2
- d12817 1 a12817 2
d12815 1 a12815 2
- d12821 1 a12821 2
d12819 1 a12819 2
- d12827 4 a12830 5
d12825 1 a12825 2
BIND 9.10.5-P1
@ 1.1.1.15.2.5.2.8 log @Pull up following revision(s) (requested by mrg in ticket #1489): doc/3RDPARTY: patch external/bsd/bind/Makefile.inc: up to 1.26 via patch external/bsd/bind/dist/CHANGES: up to 1.28 external/bsd/bind/dist/README: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch01.html: up to 1.1.1.26 external/bsd/bind/dist/doc/arm/Bv9ARM.ch02.html: up to 1.1.1.23 external/bsd/bind/dist/doc/arm/Bv9ARM.ch03.html: up to 1.1.1.28 external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch05.html: up to 1.1.1.29 external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.ch10.html: up to 1.1.1.25 external/bsd/bind/dist/doc/arm/Bv9ARM.ch11.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch12.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.ch13.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/Bv9ARM.html: up to 1.16 external/bsd/bind/dist/doc/arm/Bv9ARM.pdf: up to 1.21 external/bsd/bind/dist/doc/arm/man.arpaname.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.ddns-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.delv.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dig.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-settime.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.dnssec-verify.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.genrandom.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.host.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.lwresd.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named-checkconf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-checkzone.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-journalprint.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named-rrchecker.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.named.conf.html: up to 1.1.1.8 external/bsd/bind/dist/doc/arm/man.named.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsec3hash.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.nsupdate.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc-confgen.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.conf.html: up to 1.16 external/bsd/bind/dist/doc/arm/man.rndc.html: up to 1.16 external/bsd/bind/dist/doc/arm/notes.html: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.pdf: up to 1.1.1.14 external/bsd/bind/dist/doc/arm/notes.xml: up to 1.1.1.14 external/bsd/bind/dist/lib/dns/api: up to 1.16 external/bsd/bind/dist/lib/dns/dnssec.c: up to 1.14 external/bsd/bind/dist/lib/dns/message.c: up to 1.24 external/bsd/bind/dist/lib/dns/rootns.c: up to 1.13 external/bsd/bind/dist/lib/dns/tsig.c: up to 1.11 external/bsd/bind/dist/srcid: up to 1.22 external/bsd/bind/dist/version: up to 1.26 external/bsd/bind/include/isc/platform.h: up to 1.23 Update BIND to 9.10.5-P2. @ text @d13793 1 a13793 1BIND 9.10.5-P2
@ 1.1.1.16 log @Import bind 9.10.1-P1 @ text @d51 1 a51 1- Comment Syntax
d55 1 a55 1- acl Statement Grammar
d58 1 a58 1- controls Statement Grammar
d61 2 a62 2- include Statement Grammar
- include Statement Definition and d64 4 a67 4
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and d69 4 a72 4
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d74 1 a74 1
- options Statement Grammar
d81 1 a81 1- statistics-channels Statement Definition and d84 1 a84 1
- trusted-keys Statement Definition d86 1 a86 1
- managed-keys Statement Grammar
d90 1 a90 1- view Statement Definition and Usage
d93 1 a93 1- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d98 1 a98 1- Discussion of MX Records
d100 3 a102 3- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
d440 1 a440 1 See the explanations of particular parameters d506 1 a506 1 Syntaxvalueis the value to search for within the database. A string may be quoted if it contains spaces or other special characters. If this is an "asnum" search, then the leading "ASNNNN" string can be used, otherwise the full description must be used (e.g. "ASNNNN Example Company Name"). If this is a "country" search and the string is two characters long, then it must be a standard ISO-3166-1 two-letter country code, and if it is three characters long then it must be an ISO-3166-1 three-letter country code; otherwise it is the full name of the country. Similarly, if this is a "region" search and the string is two characters long, then it must be a standard two-letter state or province abbreviation; otherwise it is the full name of the state or province. d1020 1 a1020 1 controls Statement Grammarpath_name; ] d2276 1 a2276 1 [ check-spf (warn|ignore); ] d2424 2 a2425 1 [ responses-per-secondnumber; ] a2568 12geoip-directory d3529 1 a3529 4 will generate a random secret at startup. The shared secret is encoded as a hex string and needs to be 128 bits for AES128, 160 bits for SHA1 and 256 bits for SHA256. d3898 4 a3901 7 The use of the SPF record for publishing Sender Policy Framework is deprecated as the migration from using TXT records to SPF records was abandoned. Enabling this option also checks that a TXT Sender Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with d3924 5 a3928 5 If check-integrity is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is warn. d4038 1 a4038 1 Forwarding d4082 1 a4082 1 Dual-stack Servers d4315 1 a4315 1 due to incorrect use of case-sensitive comparisons. d4323 1 a4323 1 There are circumstances in which named d4328 1 a4328 1 "WWW.EXAMPLE.COM/AAAA"), then all responses for that d4350 1 a4350 1 Interfaces d4815 1 a4815 1 UDP Port Lists d4857 1 a4857 1 Operating System Resource Limits d5018 1 a5018 1 Periodic Task Intervals d5619 1 a5619 2 before dropping additional clients. named will attempt to d6034 1 a6034 1 Content Filtering d6157 1 a6157 1 Response Policy Zone (RPZ) Rewriting d6528 1 a6528 1 Response Rate Limiting d6581 4 a6584 2 with responses-per-second (default 0 or no limit). d6589 1 a6589 1 (default responses-per-second). d6602 1 a6602 1 (default responses-per-second). d6616 1 a6616 1 responses-per-second value, d6621 65 d6741 24 d6778 2 a6779 2 all-per-second phrase. This rate limiting is unlike the rate limiting provided by d6783 25 a6807 28 which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. Responses affected by an all-per-second limit are always dropped; the slip value has no effect. An all-per-second limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. For example, the receipt of a single mail message can prompt requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF records as it considers the STMP Mail From command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. All-per-second is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the DNS server itself. They usually should be discarded before the DNS server spends resources making TCP connections or parsing DNS requests, but that rate limiting must be done before the DNS server sees the requests. d7072 1 a7072 1 statistics-channels Statement Definition and d7188 1 a7188 1 trusted-keys Statement Definition d7228 1 a7228 1 managed-keys Statement Grammar d7366 1 a7366 1 view Statement Definition and Usage d7503 1 a7503 1 [ check-spf ( Specifies the directory containing GeoIP
.datdatabase files for GeoIP initialization. By default, this option is unset and the GeoIP support will use libGeoIP's built-in directory. (For details, see the section called “acl Statement Definition and Usage” about the geoip ACL.)warn|ignore); ] d7688 1 a7688 1 zone Statement Definition and Usage d7691 1 a7691 1 Zone Types d8009 1 a8009 1 Class d8031 1 a8031 1 Zone Options d8953 1 a8953 1 Multiple views a8994 4An in-view zone cannot be used as a response policy zone.
d9000 1 a9000 1 Zone File d9013 1 a9013 1 Resource Records d9750 1 a9750 1 Textual expression of RRs d9953 1 a9953 1 Discussion of MX Records d10195 2 a10196 1 servers can cache it. d10209 1 a10209 1 Inverse Mapping in IPv4 d10270 1 a10270 1 Other Zone File Directives d10285 1 a10285 1 The @@ (at-sign) d10296 1 a10296 1 The $ORIGIN Directive d10325 1 a10325 1 The $INCLUDE Directive d10361 1 a10361 1 The $TTL Directive d10380 1 a10380 1 BIND Master File Extension: the $GENERATE Directive d10823 1 a10823 1 Name Server Statistics Counters d11419 1 a11419 1 Zone Maintenance Statistics Counters d11573 1 a11573 1 Resolver Statistics Counters d11956 1 a11956 1 Socket I/O Statistics Counters d12111 1 a12111 1 Compatibility with BIND 8 Counters a12162 1BIND Version 9.10
@ 1.1.1.17 log @Import bind 9.10.1-P1 @ text @d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive a2413 1 [ max-recursion-depthnumber; ] d4059 1 a4059 1 Forwarding d4103 1 a4103 1 Dual-stack Servers d4371 1 a4371 1 Interfaces d4836 1 a4836 1 UDP Port Lists d4878 1 a4878 1 Operating System Resource Limits d5039 1 a5039 1 Periodic Task Intervals a5665 23max-recursion-depth Sets the maximum number of levels of recursion that are permitted at any one time while servicing a recursive query. Resolving a name may require looking up a name server address, which in turn requires resolving another name, etc; if the number of indirections exceeds this value, the recursive query is terminated and returns SERVFAIL. The default is 7.
max-recursion-queries d6056 1 a6056 1 Content Filtering d6179 1 a6179 1 Response Policy Zone (RPZ) Rewriting d6550 1 a6550 1 Response Rate Limiting d7006 1 a7006 1 statistics-channels Statement Definition and d7122 1 a7122 1 trusted-keys Statement Definition d7162 1 a7162 1 managed-keys Statement Grammar d7300 1 a7300 1 view Statement Definition and Usage d7622 1 a7622 1 zone Statement Definition and Usage d7625 1 a7625 1 Zone Types d7943 1 a7943 1 Class d7965 1 a7965 1 Zone Options d8887 1 a8887 1 Multiple views d8938 1 a8938 1 Zone File d8951 1 a8951 1 Resource Records d9688 1 a9688 1 Textual expression of RRs d9891 1 a9891 1 Discussion of MX Records d10146 1 a10146 1 Inverse Mapping in IPv4 d10207 1 a10207 1 Other Zone File Directives d10222 1 a10222 1 The @@ (at-sign) d10233 1 a10233 1 The $ORIGIN Directive d10262 1 a10262 1 The $INCLUDE Directive d10298 1 a10298 1 The $TTL Directive d10317 1 a10317 1 BIND Master File Extension: the $GENERATE Directive d10760 1 a10760 1 Name Server Statistics Counters d11356 1 a11356 1 Zone Maintenance Statistics Counters d11510 1 a11510 1 Resolver Statistics Counters d11893 1 a11893 1 Socket I/O Statistics Counters d12048 1 a12048 1 Compatibility with BIND 8 Counters @ 1.1.1.18 log @Import bind 9.10.2-P2 @ text @d2 1 a2 1 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") d51 1 a51 1 Sets the maximum number of iterative queries that may be sent while servicing a recursive query. If more queries are sent, the recursive query is terminated and returns SERVFAIL. The default is 50.
Comment Syntax d55 1 a55 1acl Statement Grammar d58 1 a58 1controls Statement Grammar d61 2 a62 2include Statement Grammar include Statement Definition and d64 4 a67 4 key Statement Grammar key Statement Definition and Usage logging Statement Grammar logging Statement Definition and d69 4 a72 4 lwres Statement Grammar lwres Statement Definition and Usage masters Statement Grammar masters Statement Definition and d74 1 a74 1 options Statement Grammar d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d506 1 a506 1 Syntax d515 1 a515 1 Definition and Usage d599 1 a599 1 Comment Syntax d609 1 a609 1 Syntax d625 1 a625 1 Definition and Usage d879 1 a879 1 acl Statement Grammar d895 5 d1023 1 a1023 1 controls Statement Grammar d1147 1 a1147 1 include Statement Grammar d1152 1 a1152 1 include Statement Definition and d1167 1 a1167 1 key Statement Grammar d1176 1 a1176 1 key Statement Definition and Usage d1223 1 a1223 1 logging Statement Grammar d1247 1 a1247 1 logging Statement Definition and d1281 1 a1281 1 The channel Phrase a1888 11d1894 1 a1894 1 The query-errors Category d2122 1 a2122 1 lwres Statement Grammar d2138 1 a2138 1 lwres Statement Definition and Usage d2189 1 a2189 1 masters Statement Grammar d2197 1 a2197 1 masters Statement Definition and d2207 1 a2207 1 options Statement Grammar a2414 1 [ max-recursion-queries cname
Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
number; ] d2446 10 a2455 12 zonezone_name[ policy(given | disabled | passthru | drop | nxdomain | nodata | cname domain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; [...] } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] a2770 7dscp d4060 1 a4060 1 Forwarding d4104 1 a4104 1 Dual-stack Servers d4372 1 a4372 1 Interfaces d4662 1 a4662 3 per second. The default is 20 per second. The lowest possible rate is one per second; when set to zero, it will be silently raised to one. d4837 1 a4837 1 UDP Port Lists d4879 1 a4879 1 Operating System Resource Limits d5040 1 a5040 1 Periodic Task Intervals d5521 1 a5521 1 Sets the maximum advertised EDNS UDP buffer size in d5687 2 a5688 4 is terminated and returns SERVFAIL. Queries to look up top level comains such as "com" and "net" and the DNS root zone are exempt from this limitation. The default is 75. d6080 1 a6080 1 Content Filtering d6203 1 a6203 1 Response Policy Zone (RPZ) Rewriting d6208 1 a6208 1 Responses can be changed to deny the existence of domains (NXDOMAIN), d6314 1 a6314 1 The global Differentiated Services Code Point (DSCP) value to classify outgoing DNS traffic on operating systems that support DSCP. Valid values are 0 through 63. It is not configured by default.
d6574 1 a6574 1 Response Rate Limiting d6904 8 a6911 17 The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted to the nearest value within it). This option is useful when you wish to advertise a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies. (Note: Currently, this sets a single UDP size for all packets sent to the server; named will not deviate from this value. This differs from the behavior of edns-udp-size in options or view statements, where it specifies a maximum value. The server statement behavior may be brought into conformance with the options/view behavior in future releases.) d7030 1 a7030 1 statistics-channels Statement Definition and d7146 1 a7146 1 trusted-keys Statement Definition d7186 1 a7186 1 managed-keys Statement Grammar d7324 1 a7324 1 view Statement Definition and Usage d7646 1 a7646 1 zone Statement Definition and Usage d7649 1 a7649 1 Zone Types d7967 1 a7967 1 Class d7989 1 a7989 1 Zone Options d8911 1 a8911 1 Multiple views d8962 1 a8962 1 Zone File d8975 1 a8975 1 Resource Records d9712 1 a9712 1 Textual expression of RRs d9915 1 a9915 1 Discussion of MX Records d10170 1 a10170 1 Inverse Mapping in IPv4 d10231 1 a10231 1 Other Zone File Directives d10246 1 a10246 1 The @@ (at-sign) d10257 1 a10257 1 The $ORIGIN Directive d10286 1 a10286 1 The $INCLUDE Directive d10322 1 a10322 1 The $TTL Directive d10341 1 a10341 1 BIND Master File Extension: the $GENERATE Directive d10784 1 a10784 1 Name Server Statistics Counters d11380 1 a11380 1 Zone Maintenance Statistics Counters d11534 1 a11534 1 Resolver Statistics Counters d11917 1 a11917 1 Socket I/O Statistics Counters d12072 1 a12072 1 Compatibility with BIND 8 Counters d12124 1 a12124 1d6327 1 a6327 1
- Among triggers with the same prefix length, d6331 1 a6331 1
BIND 9.10.2-P2
@ 1.1.1.19 log @Import bind 9.10.2-P3 @ text @d12153 1 a12153 1BIND 9.10.2-P3
@ 1.1.1.20 log @Import bind 9.10.2-P4 @ text @d12153 1 a12153 1BIND 9.10.2-P4
@ 1.1.1.21 log @Import bind 9.10.3-P2 @ text @d81 1 a81 1statistics-channels Statement Definition and d84 1 a84 1 trusted-keys Statement Definition d86 1 a86 1 managed-keys Statement Grammar d90 1 a90 1view Statement Definition and Usage d93 1 a93 1zone Statement Definition and Usage d95 1 a95 1Zone File d98 1 a98 1Discussion of MX Records d100 3 a102 3Inverse Mapping in IPv4 Other Zone File Directives BIND Master File Extension: the $GENERATE Directive d442 1 a442 1 for details on how they interpret its use. d461 1 a461 1defaultd790 1 a790 1 masters or d1164 2 a1165 2 algorithmalgorithm_id; secretsecret_string; d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2275 1 a2275 1ip_addr[portip_port] [dscpip_dscp]) ; d2323 1 a2323 1 [ address (ip6_addr|*) ] d2333 1 a2335 6 [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[(drop | fail)]; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ fetches-per-zonenumber[(drop | fail)]; ] d2418 2 d2734 1 a2734 1 and dnssec-validation for details. d2987 1 a2987 1 IPv4 addresses are to be mapped in the corresponding d3120 1 a3120 1 As of BIND 9.10, d3530 1 a3530 1 NSID (Name Server Identifier) option is sent with all d3744 1 a3744 1 and if the response does not include DNSSEC signatures, d3756 2 a3757 2 This mechanism can erroneously cause other servers to not give AAAA records to their clients. d3829 2 a3830 5 This indicates whether DNSSEC-related resource records are to be returned by named. If set tono, named will not return DNSSEC-related resource records unless specifically queried for. d3834 1 a3834 2d4076 1 a4076 1 Forwarding d4120 1 a4120 1 Dual-stack Servers d4388 1 a4388 1 Interfaces d4547 1 a4547 1 the use-queryport-pool d4684 1 a4684 1 queries are issued at, d4855 1 a4855 1 UDP Port Lists d4897 1 a4897 1 Operating System Resource Limits d4990 4 a4993 5 d3847 1 a3847 11
Note
Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if dnssec-validation is off.
a5007 174 The maximum number ("hard quota") of simultaneous recursive lookups the server will perform on behalf of clients. The default is d4996 2 a4997 2 bit of memory (on the order of 20 kilobytes), the value of the d4999 3 a5001 20 have to be decreased on hosts with limited memory.
recursive-clientsdefines a "hard quota" limit for pending recursive clients: when more clients than this are pending, new incoming requests will not be accepted, and for each incoming request a previous pending request will also be dropped.A "soft quota" is also set. When this lower quota is exceeded, incoming requests are accepted, but for each one, a pending request will be dropped. If
recursive-clientsis greater than 1000, the soft quota is set torecursive-clientsminus 100; otherwise it is set to 90% ofrecursive-clients.clients-per-query, max-clients-per-query These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
fetches-per-zone The maximum number of simultaneous iterative queries to any one domain that the server will permit before blocking new queries for data in or beneath that zone. This value should reflect how many fetches would normally be sent to any one zone in the time it would take to resolve them. It should be smaller than
recursive-clients.When many clients simultaneously query for the same name and type, the clients will all be attached to the same fetch, up to the
max-clients-per-querylimit, and only one iterative query will be sent. However, when clients are simultaneously querying for different names or types, multiple queries will be sent andmax-clients-per-queryis not effective as a limit.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries which exceed the fetch quota for a zone will be dropped with no response, or answered with SERVFAIL. The default isdrop.If fetches-per-zone is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The current list of active fetches can be dumped by running rndc recursing. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the
fetches-per-zonelimit. (Note: these counters are not cumulative over time; whenever the number of active fetches for a domain drops to zero, the counter for that domain is deleted, and the next time a fetch is sent to that domain, it is recreated with the counters set to zero.)(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
fetches-per-server The maximum number of simultaneous iterative queries that the server will allow to be sent to a single upstream name server before blocking additional queries. This value should reflect how many fetches would normally be sent to any one server in the time it would take to resolve them. It should be smaller than
recursive-clients.Optionally, this value may be followed by the keyword
droporfail, indicating whether queries will be dropped with no response, or answered with SERVFAIL, when all of the servers authoritative for a zone are found to have exceeded the per-server quota. The default isfail.If fetches-per-server is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero.
The fetches-per-server quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" threshold, then fetches-per-server is reduced for that server. If the timeout ratio drops below a "low" threshold, then fetches-per-server is increased. The fetch-quota-params options can be used to adjust the parameters for this calculation.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
fetch-quota-params d5036 1 a5036 1 Any positive values less than 2MB will be ignored d5051 1 a5051 1 be used; on most platforms this sets the listen queue d5058 1 a5058 1 Periodic Task Intervals d5652 34 d6100 1 a6100 1 Content Filtering d6223 1 a6223 1 Response Policy Zone (RPZ) Rewriting d6265 1 a6265 1 Sets the parameters to use for dynamic resizing of the
fetches-per-serverquota in response to detected congestion.The first argument is an integer value indicating how frequently to recalculate the moving average of the ratio of timeouts to responses for each server. The default is 100, meaning we recalculate the average ratio after every 100 queries have either been answered or timed out.
The remaining three arguments represent the "low" threshold (defaulting to a timeout ratio of 0.1), the "high" threshold (defaulting to a timeout ratio of 0.3), and the discount rate for the moving average (defaulting to 0.7). A higher discount rate causes recent events to weigh more heavily when calculating the moving average; a lower discount rate causes past events to weigh more heavily, smoothing out short-term blips in the timeout ratio. These arguments are all fixed-point numbers with precision of 1/100: at most two places after the decimal point are significant.
(Note: This option is only available when BIND is built with configure --enable-fetchlimit.)
prefixlength.B4.B3.B2.B1.rpz-client-ip. d6274 1 a6274 1prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-client-ip. d6276 3 a6278 5 representing 16 bits of the IPv6 address as in the standard text representation of IPv6 addresses, but reversed as in IP6.ARPA. (Note that this representation of IPv6 address is different from IP6.ARPA where each hex digit occupies a label.) d6283 1 a6283 1 The IPv6 prefix length must be between 1 and 128. d6594 1 a6594 1 Response Rate Limiting d6829 1 a6829 1 [ keys {key_id}; ] d6990 5 a6994 1 Only a single key per server is currently supported. d7035 1 a7035 1 option level. d7059 1 a7059 1 statistics-channels Statement Definition and d7116 2 a7117 2 included which can format the XML statistics into tables when viewed with a stylesheet-capable browser, and into d7123 1 a7123 1 can request d7125 1 a7125 1 of the statistics XML schema or d7175 1 a7175 1 trusted-keys Statement Definition d7215 1 a7215 1 managed-keys Statement Grammar d7227 1 a7227 1 The managed-keys statement, like d7273 1 a7273 1named.conf, an initializing key listed d7353 1 a7353 1 view Statement Definition and Usage d7644 1 a7644 1 [ server-names { [namelist] }; ] d7675 1 a7675 1 zone Statement Definition and Usage d7678 1 a7678 1 Zone Types d7849 1 a7849 1 glue A or AAAA RRs d7933 1 a7933 1 that point to the desired addresses: d7941 1 a7941 1 "*.ES." instead of "*.". To redirect all d7996 1 a7996 1 Class d8018 1 a8018 1 Zone Options d8451 1 a8451 1 active. d8482 1 a8482 1 When set to d8779 1 a8779 1 and converts it machine.realm allowing the machine d8794 1 a8794 1 This rule takes a Windows machine principal d8813 1 a8813 1 and converts it machine.realm allowing the machine d8828 1 a8828 1 This rule takes a Kerberos machine principal d8940 1 a8940 1 Multiple views a8982 7 Zone level acls (e.g. allow-query, allow-transfer) and other configuration details of the zone are all set in the view the referenced zone is defined in. Care need to be taken to ensure that acls are wide enough for all views referencing the zone.a8985 4
An in-view zone is not intended to reference a forward zone.
d8991 1 a8991 1 Zone File d9004 1 a9004 1 Resource Records a9172 52 ATMAATM Address.
CAA
Identifies which Certificate Authorities can issue certificates for this domain and what rules they need to follow when doing so. Defined in RFC 6844.
CDNSKEY
Identifies which DNSKEY records should be published as DS records in the parent zone.
CDS
Contains the set of DS records that should be published by the parent zone.
a9211 14 DLV
A DNS Look-aside Validation record which contains the records that are used as trust anchors for zones in a DLV namespace. Described in RFC 4431.
a9255 48 EID
End Point Identifier.
EUI48
A 48-bit EUI address. Described in RFC 7043.
EUI64
A 64-bit EUI address. Described in RFC 7043.
GID
Reserved.
a9280 13 HIP
Host Identity Protocol Address. Described in RFC 5205.
a9334 28 L32
Holds 32-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
L64
Holds 64-bit Locator values for Identifier-Locator Network Protocol. Described in RFC 6742.
a9347 85 LP
Identifier-Locator Network Protocol. Described in RFC 6742.
MB
Mail Box. Historical.
MD
Mail Destination. Historical.
MF
Mail Forwarder. Historical.
MG
Mail Group. Historical.
MINFO
Mail Information.
MR
Mail Rename. Historical.
a9374 26 NID
Holds values for Node Identifiers in Identifier-Locator Network Protocol. Described in RFC 6742.
NIMLOC
Nimrod Locator.
a9387 12 NSAP-PTR
Historical.
a9451 12 NULL
This is an opaque container.
a9470 12 OPENPGPKEY
Used to hold an OPENPGPKEY.
a9604 13 TLSA
Transport Layer Security Certificate Association. Described in RFC 6698.
a9616 48 UID
Reserved.
UINFO
Reserved.
UNSPEC
Reserved. Historical.
URI
Holds a URI. Described in RFC 7553.
d1564 7 a1570 4 d9741 1 a9741 1 Textual expression of RRs d9944 1 a9944 1 Discussion of MX Records d10199 1 a10199 1 Inverse Mapping in IPv4 d10260 1 a10260 1 Other Zone File Directives d10275 1 a10275 1 The @@ (at-sign) d10279 1 a10279 1 At the start of the zone file, it is the d10286 1 a10286 1 The $ORIGIN Directive d10315 1 a10315 1 The $INCLUDE Directive d10351 1 a10351 1 The $TTL Directive d10370 1 a10370 1 BIND Master File Extension: the $GENERATE Directive d10567 1 a10567 1 other formats. d10587 1 a10587 1 file by the named-compilezone command. d10609 1 a10609 1 While
rawformat uses d10813 1 a10813 1 Name Server Statistics Counters d11409 1 a11409 1 Zone Maintenance Statistics Counters d11563 1 a11563 1 Resolver Statistics Counters d11946 1 a11946 1 Socket I/O Statistics Counters d12101 1 a12101 1 Compatibility with BIND 8 Counters d12153 1 a12153 1BIND 9.10.3-P2
@ 1.1.1.22 log @Import bind 9.10.3-P3 @ text @d12700 1 a12700 1BIND 9.10.3-P3
@ 1.1.1.23 log @Import 9.10.3-P4: 4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809] 4319. [security] Fix resolver assertion failure due to improper DNAME handling when parsing fetch reply messages. (CVE-2016-1286) [RT #41753] 4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666] @ text @d12700 1 a12700 1BIND 9.10.3-P4
@ 1.1.1.24 log @Import bind 9.10.4-P1 @ text @d17 1 d22 2 a23 2 d42 3 a44 3d47 2 a48 2d519 1 a519 1 the listen-on and sortlist d523 5 a527 5
- Configuration File Elements
d50 2 a51 2- Address Match Lists
- Comment Syntax
d53 1 a53 1- Configuration File Grammar
d55 2 a56 2- acl Statement Grammar
- acl Statement Definition and d58 2 a59 2
- controls Statement Grammar
- controls Statement Definition and d61 2 a62 10
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and d64 4 a67 2
- options Statement Grammar
- options Statement Definition and d69 10 a78 2
- server Statement Grammar
- server Statement Definition and d80 2 a81 2
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and d83 2 a84 2
- trusted-keys Statement Grammar
- trusted-keys Statement Definition d86 2 a87 2
- managed-keys Statement Grammar
- managed-keys Statement Definition d89 3 a91 3
- view Statement Grammar
- view Statement Definition and Usage
- zone d93 1 a93 1
- zone Statement Definition and Usage
d95 1 a95 1- Zone File
d97 7 a103 12- Types of Resource Records and When to Use Them
- Discussion of MX Records
- Setting TTLs
- Inverse Mapping in IPv4
- Other Zone File Directives
- BIND Master File Extension: the $GENERATE Directive
- Additional File Formats
BIND9 Statistics
- The Statistics File
- Statistics Counters
d105 2 d125 1 a125 1d134 2 a135 2d513 1 a513 1d147 1 a147 1 defined by the acl statement. d163 1 a163 1 the section called “Address Match Lists”. d218 2 a219 2 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67. d244 1 a244 1 An IPv6 address, such as 2001:db8::1234. d256 3 a258 3 address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. d324 4 a327 4 For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240. d435 1 a435 1 (such as max-journal-size) may d501 1 a501 1 d607 1 a607 1 d623 1 a623 1 d697 1 a697 1
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key d530 2 a531 2
- the name of an address match list defined with the acl statement d533 1 a533 1
- a nested address match list enclosed in braces
d557 2 a558 2 used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated. d564 12 a575 12 allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the d588 1 a588 1 1.2.3/24; ! 1.2.3.13; d591 1 a591 1 element. Using ! 1.2.3.13; 1.2.3/24 fixes d597 1 a597 1d713 2 a714 2d719 1 a719 1 acl
d730 1 a730 1controls
d735 1 a735 1 by the rndc utility. d741 1 a741 1include
d751 1 a751 1key
d762 1 a762 1logging
d773 1 a773 1lwres
d777 2 a778 2 configures named to also act as a light-weight resolver daemon (lwresd). d784 1 a784 1masters
d790 2 a791 2 masters or also-notify lists. d797 1 a797 1options
d808 1 a808 1server
d819 1 a819 1statistics-channels
d824 1 a824 1 named statistics. d830 1 a830 1trusted-keys
d840 1 a840 1managed-keys
d851 1 a851 1view
d861 1 a861 1zone
d872 2 a873 2 The logging and options statements may only occur once d877 1 a877 1acl acl-name { d885 1 a885 1d887 1 a887 1 acl Statement Definition and d890 1 a890 1 The acl statement assigns a symbolic d899 2 a900 2d905 1 a905 1 any
d915 1 a915 1none
d925 1 a925 1localhost
d931 1 a931 1 added or removed, the localhost d938 1 a938 1localnets
d945 1 a945 1 the localnets d950 1 a950 1 In such a case, localnets d952 1 a952 1 IPv6 addresses, just like localhost. d962 1 a962 1 geoip [dbdatabase]fieldvalued1016 1 a1016 1controls { d1030 1 a1030 1d1032 1 a1032 1 controls Statement Definition and d1035 1 a1035 1 The controls statement declares control d1038 1 a1038 1 used by the rndc utility to send d1042 4 a1045 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*(asterisk) is d1049 2 a1050 2 use an ip_addr of::. If you will only use rndc on the local host, d1056 1 a1056 1 "*" cannot be used for ip_port. d1060 2 a1061 2 restricted by the allow and keys clauses. d1063 3 a1065 3 address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list d1069 1 a1069 1 A unix control channel is a UNIX domain d1071 2 a1072 2 Access to the socket is specified by the perm, owner and group clauses. d1074 1 a1074 1 (perm) are applied to the parent directory d1079 3 a1081 3 channel is the key_list, which contains a list of key_ids. Each key_id in the key_list d1083 2 a1084 2 See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc. d1087 2 a1088 2 If no controls statement is present, named will set up a default d1091 3 a1093 3 In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key d1104 1 a1104 1 messages and thus did not have a keys clause. d1108 2 a1109 2 and still have rndc work the same way ndc worked in BIND 8, simply by executing the d1125 1 a1125 1 named is running as) can access it. d1128 1 a1128 1 rndc commands, then you need to create d1136 2 a1137 2 controls statement: controls { };. d1140 1 a1140 1included1145 1 a1145 1 d1150 3 a1152 3 The include statement inserts the specified file at the point where the include statement is encountered. The include d1160 1 a1160 1filename;keykey_id{ d1169 1 a1169 1 d1173 2 a1174 2 The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) d1176 2 a1177 1 (see the section called “controls Statement Definition and d1181 1 a1181 1 The key statement can occur at the d1183 2 a1184 2 of the configuration file or inside a view statement. Keys defined in top-level key d1186 3 a1188 2 a controls statement (see the section called “controls Statement Definition and d1195 1 a1195 1 be used in a server d1216 1 a1216 1logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize_spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice| d1229 3 a1231 3 [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] d1233 1 a1233 1 [ categorycategory_name{ d1240 1 a1240 1 d1245 1 a1245 1 The logging statement configures a d1247 1 a1247 1 variety of logging options for the name server. Its channel phrase d1249 1 a1249 1 a name that can then be used with the category phrase d1253 1 a1253 1 Only one logging statement is used to d1255 1 a1255 1 as many channels and categories as are wanted. If there is no logging statement, d1267 1 a1267 1 established as soon as the logging d1274 1 a1274 1 d1287 2 a1288 2 info), and whether to include a named-generated time stamp, the d1293 1 a1293 1 The null destination clause d1298 1 a1298 1 The file destination clause directs d1306 1 a1306 1 If you use the versions log file d1308 1 a1308 1 named will retain that many backup d1318 1 a1318 1 You can say versions unlimited to d1321 1 a1321 1 If a size option is associated with d1329 1 a1329 1 The size option for files is used d1331 2 a1332 2 growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option d1336 1 a1336 1 versions option, no more data will d1345 2 a1346 2 Example usage of the size and versions options: d1355 1 a1355 1 The syslog destination clause d1358 9 a1366 9 syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities d1369 1 a1369 1 How syslog will handle messages d1371 3 a1373 3 this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, d1380 1 a1380 1 The severity clause works like syslog's d1382 1 a1382 1 straight to a file rather than using syslog. d1389 1 a1389 1 If you are using syslog, then the syslog.conf priorities d1391 7 a1397 7 defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would d1401 1 a1401 1 The stderr destination clause d1414 1 a1414 1 level is set either by starting the named server d1416 1 a1416 1 or by running rndc trace. d1418 1 a1418 1 can be set to zero, and debugging mode turned off, by running rndc d1431 1 a1431 1 level. Channels with dynamic d1436 1 a1436 1 If print-time has been turned on, d1438 2 a1439 2 the date and time will be logged. print-time may be specified for a syslog channel, d1441 1 a1441 1 pointless since syslog also logs d1443 1 a1443 1 time. If print-category is d1445 2 a1446 2 category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may d1450 1 a1450 1 three print- options d1458 1 a1458 1 named's default logging as follows. d1460 1 a1460 1 used is described in the section called “The category Phrase”. d1490 1 a1490 1 The default_debug channel has the d1500 1 a1500 1 is created only after named has d1502 1 a1502 1 new UID, and any debug output generated while named is d1514 1 a1514 1 d1522 1 a1522 1 in that category will be sent to the default category d1543 1 a1543 1 To discard all messages in a category, specify the null channel: d1555 2 a1556 2d1561 2 a1562 2 client
Processing of client requests.
d1574 2 a1575 2cname
d1577 5 a1581 5Logs nameservers that are skipped due to them being a CNAME rather than A / AAAA records.
d1585 2 a1586 2config
d1588 6 a1593 4Configuration file parsing and processing.
d1597 2 a1598 2database
d1600 4 a1603 6Messages relating to the databases used internally by the name server to store zone and cache data.
d1607 2 a1608 2default
d1610 4 a1613 7The default category defines the logging options for those categories where no specific configuration has been defined.
d1617 2 a1618 2delegation-only
d1620 6 a1625 8Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a forward, hint or stub zone declaration.
d1629 2 a1630 2dispatch
d1632 4 a1635 5Dispatching of incoming packets to the server modules where they are to be processed.
d1639 2 a1640 2dnssec
d1642 4 a1645 4DNSSEC and TSIG protocol processing.
d1649 2 a1650 2edns-disabled
d1652 4 a1655 28Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
d1659 2 a1660 2general
d1662 4 a1665 5The catch-all. Many things still aren't classified into categories, and they all end up here.
d1669 2 a1670 2lame-servers
d1672 9 a1680 6Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
d1684 2 a1685 2network
d1687 4 a1690 4Network operations.
d1694 2 a1695 2notify
d1697 4 a1700 4The NOTIFY protocol.
d1704 2 a1705 2queries
d1707 4 a1710 35Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. Next it reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if TCP was used (T), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C). After this the destination address the query was sent to is reported.
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
d1714 2 a1715 2query-errors
d1717 35 a1751 5Information about queries that resulted in some failure.
d1755 2 a1756 2rate-limit
d1758 5 a1762 20The start, periodic, and final notices of the rate limiting of a stream of responses are logged at info severity in this category. These messages include a hash value of the domain name of the response and the name itself, except when there is insufficient memory to record the name for the final notice The final notice is normally delayed until about one minute after rate limit stops. A lack of memory can hurry the final notice, in which case it starts with an asterisk (*). Various internal events are logged at debug 1 level and higher.
Rate limiting of individual requests is logged in the query-errors category.
d1766 2 a1767 2resolver
d1769 5 a1773 6DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
d1777 2 a1778 2rpz
d1780 4 a1783 7Information about errors in response policy zone files, rewritten responses, and at the highest debug levels, mere rewriting attempts.
d1787 2 a1788 2security
d1790 6 a1795 4Approval and denial of requests.
d1799 2 a1800 2spill
d1802 8 a1809 6Logs queries that have been terminated, either by dropping or responding with SERVFAIL, as a result of a fetchlimit quota being exceeded.
d1813 2 a1814 2unmatched
d1816 28 a1843 9Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
d1847 2 a1848 2update
d1850 7 a1856 4Dynamic updates.
d1860 2 a1861 2update-security
d1863 20 a1882 4Approval and denial of update requests.
d1886 2 a1887 2xfer-in
d1889 5 a1893 14Zone transfers the server is receiving.
xfer-out
d1898 1 a1898 1 d1902 1 a1902 1 The query-errors category is d1907 1 a1907 1 with debug levels. d1970 2 a1971 2 Zone transfers the server is sending.
d2126 1 a2126 1 d2130 1 a2130 1 This is the grammar of the lwres d2133 1 a2133 1 lwres { d2142 1 a2142 1 d2146 1 a2146 1 The lwres statement configures the d2149 2 a2150 2 the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring d2154 1 a2154 1 The listen-on statement specifies a d2165 1 a2165 1 The view statement binds this d2176 1 a2176 1 The search statement is equivalent to d2178 1 a2178 1 search statement in d2184 1 a2184 1 The ndots statement is equivalent to d2186 1 a2186 1 ndots statement in d2193 1 a2193 1 d2197 1 a2197 1 mastersname[portip_port] [dscpip_dscp] { (masters_list| d2201 1 a2201 1d2203 1 a2203 1 masters Statement Definition and d2205 1 a2205 1d2215 1 a2215 1 This is the grammar of the options d2218 1 a2218 1masters d2207 2 a2208 2 multiple stub and slave zones in their masters or also-notify lists. d2211 1 a2211 1
options { a2258 2 [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] a2263 1 [ auto-dnssecallow|maintain|off; ] d2340 1 a2340 1 [ fetches-per-zonenumber[(drop | fail)]; ] d2357 3 a2359 2 [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr[portip_port] ) [keykeyname] ; ... }; ] d2376 1 a2376 2 [ max-zone-ttl (unlimited|number; ] [ serial-update-methodincrement|unixtime|date; ] d2404 1 a2404 1 [ suffixIPv6-address; ] a2466 1 [ automatic-interface-scanyes_or_no] d2471 1 a2471 1d2473 1 a2473 1 options Statement Definition and d2476 1 a2476 1 The options statement sets up global d2480 1 a2480 1 once in a configuration file. If there is no options d2484 2 a2485 2d4145 2 a4146 2
- attach-cache
d2497 2 a2498 2 The attach-cache option may also be specified in view d2500 1 a2500 1 global attach-cache option. d2505 1 a2505 1 When the named server configures d2516 1 a2516 1 the attach-cache as a global d2525 1 a2525 1 attach-cache option as a view A (or d2548 8 a2555 8 check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size, and zero-no-soa-ttl. d2570 1 a2570 1- directory
d2585 1 a2585 1- geoip-directory
d2592 2 a2593 1 (For details, see the section called “acl Statement Definition and d2595 1 a2595 1 geoip ACL.) d2597 1 a2597 1- key-directory
d2608 1 a2608 1- managed-keys-directory
d2616 1 a2616 1 If named is not configured to use views, d2625 1 a2625 1- named-xfer
d2629 1 a2629 1 the pathname to the named-xfer d2631 1 a2631 1 named-xfer program is needed; d2634 1 a2634 1- tkey-gssapi-keytab
d2641 1 a2641 1- tkey-gssapi-credential
d2652 1 a2652 1 To use GSS-TSIG, tkey-domain must d2656 1 a2656 1- tkey-domain
d2659 2 a2660 2 generated with TKEY. When a client requests a TKEY exchange, d2667 1 a2667 1 In most cases, the domainname d2674 1 a2674 1- tkey-dhkey
d2679 1 a2679 1 of TKEY. The server must be d2685 1 a2685 1- cache-file
d2689 1 a2689 1- dump-file
d2693 1 a2693 1 rndc dumpdb. d2696 1 a2696 1- memstatistics-file
d2702 1 a2702 1- pid-file
d2709 1 a2709 1 name server. Specifying pid-file none disables the d2711 1 a2711 1 existing one will be removed. Note that none d2716 1 a2716 1- recursing-file
d2720 1 a2720 1 to do so with rndc recursing. d2723 1 a2723 1- statistics-file
d2726 1 a2726 1 to when instructed to do so using rndc stats. d2730 1 a2730 1 in the section called “The Statistics File”. d2732 1 a2732 1- bindkeys-file
d2735 3 a2737 3 keys provided by named. See the discussion of dnssec-lookaside and dnssec-validation for details. d2741 1 a2741 1- secroots-file
d2745 1 a2745 1 rndc secroots. d2749 1 a2749 1- session-keyfile
d2752 2 a2753 2 session key generated by named for use by nsupdate -l. If not specified, the d2755 1 a2755 1 (See the section called “Dynamic Update Policies”, and in d2757 1 a2757 1 update-policy statement's d2761 1 a2761 1- session-keyname
d2766 1 a2766 1- session-keyalg
d2773 1 a2773 1- port
d2783 1 a2783 1- dscp
d2790 1 a2790 1- random-device
d2804 1 a2804 1 random-device option takes d2809 1 a2809 1- preferred-glue
d2814 1 a2814 3 The default is to prefer A records when responding to queries that arrived via IPv4 and AAAA when responding to queries that arrived via IPv6. d2817 1 a2817 1 root-delegation-only d2863 1 a2863 1- disable-algorithms
d2868 1 a2868 1 Multiple disable-algorithms d2870 1 a2870 1 Only the best match disable-algorithms d2875 1 a2875 1 by the disable-algorithms will be treated d2879 1 a2879 1- disable-ds-digests
d2884 1 a2884 1 Multiple disable-ds-digests d2886 1 a2886 1 Only the best match disable-ds-digests d2891 1 a2891 1 by the disable-ds-digests will be treated d2895 1 a2895 1- dnssec-lookaside
d2898 1 a2898 1 When set, dnssec-lookaside provides the d2902 1 a2902 1 dnssec-lookaside, and the normal DNSSEC d2910 1 a2910 1 If dnssec-lookaside is set to d2916 1 a2916 1 If dnssec-lookaside is set to d2923 2 a2924 2 named will load that key at startup if dnssec-lookaside is set to d2929 1 a2929 1 from https://www.isc.org/solutions/dlv/. d2934 2 a2935 2 named. Relying on this is not recommended, however, as it requires named d2939 1 a2939 1 NOTE: named only loads certain specific d2945 1 a2945 1- dnssec-must-be-secure
d2949 1 a2949 1 then named will only accept answers if d2953 3 a2955 3 trusted-keys or managed-keys statement, or dnssec-lookaside must be active. d2957 1 a2957 1- dns64
d2960 1 a2960 1 This directive instructs named to d2964 1 a2964 1 dns64 defines one DNS64 prefix. d2975 2 a2976 2 CNAMEs. dns64-server and dns64-contact can be used to specify d2982 2 a2983 2 Each dns64 supports an optional clients ACL that determines which d2988 2 a2989 2 Each dns64 supports an optional mapped ACL that selects which d2998 1 a2998 1 exclude ACL allows specification d3002 1 a3002 1 name owns. If not defined, exclude d3006 1 a3006 1 A optional suffix can also d3014 2 a3015 2 If recursive-only is set to yes the DNS64 synthesis will d3017 1 a3017 1 is no. d3020 2 a3021 2 If break-dnssec is set to yes the DNS64 synthesis will d3024 1 a3024 1 is set to no (the default), the DO d3039 1 a3039 16- dnssec-loadkeys-interval
When a zone is configured with auto-dnssec maintain; its key repository must be checked periodically to see if any new keys have been added or any existing keys' timing metadata has been updated (see dnssec-keygen(8) and dnssec-settime(8)). The dnssec-loadkeys-interval option sets the frequency of automatic repository checks, in minutes. The default is
60(1 hour), the minimum is1(1 minute), and the maximum is1440(24 hours); any higher value is silently reduced.- dnssec-update-mode
d3046 2 a3047 2 the section called “Dynamic Update Policies”), and if named has access to the d3049 1 a3049 1 named will automatically sign all new d3056 1 a3056 1 then named will sign all new or d3061 1 a3061 1 With either of these settings, named d3064 1 a3064 1 named. (A planned third option, d3070 1 a3070 1- max-zone-ttl
a3093 27The default value is
unlimited. Amax-zone-ttlof zero is treated asunlimited.- serial-update-method
Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.
With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.
When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.
d3095 1 a3095 1- zone-statistics
d3101 3 a3103 3 zone-statistics terse or zone-statistics none in the zone statement). d3111 2 a3112 2 statistics-channel or using rndc stats, which d3114 2 a3115 2 in the statistics-file. See also the section called “The Statistics File”. d3119 1 a3119 1 of BIND 9, the zone-statistics d3130 1 a3130 1d3133 2 a3134 2d4104 2 a4105 2
- automatic-interface-scan
d3144 1 a3144 1 automatic-interface-scan to be d3148 1 a3148 1- allow-new-zones
d3151 2 a3152 2 added at runtime via rndc addzone or deleted via rndc delzone. d3155 1 a3155 1- auth-nxdomain
d3157 1 a3157 1 Ifyes, then the AA bit d3166 1 a3166 1- deallocate-on-exit
d3173 1 a3173 1- memstatistics
d3176 1 a3176 1 memstatistics-file at exit. d3181 1 a3181 1- dialup
d3193 1 a3193 1 happens in a short interval, once every heartbeat-interval and d3199 4 a3202 4 The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup d3215 1 a3215 1 notify and also-notify. d3223 1 a3223 1 heartbeat-interval expires in d3236 1 a3236 1 when the heartbeat-interval d3244 4 a3247 4d3274 1 a3274 1 no (default)
d3294 1 a3294 1yes
d3314 1 a3314 1notify
d3334 1 a3334 1refresh
d3354 1 a3354 1passive
d3374 1 a3374 1notify-passive
d3396 1 a3396 1 dialup. d3399 1 a3399 1- fake-iquery
d3406 1 a3406 1- fetch-glue
d3417 1 a3417 1- flush-zones-on-shutdown
d3422 1 a3422 1 flush-zones-on-shutdownno. d3424 1 a3424 1- has-old-clients
d3430 3 a3432 3 has-old-clientsyes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead. d3434 1 a3434 1- host-statistics
d3441 1 a3441 1- maintain-ixfr-base
d3449 1 a3449 1 transfers, use provide-ixfrno. d3451 1 a3451 1- minimal-responses
d3460 1 a3460 1- multiple-cnames
d3468 1 a3468 1- notify
d3474 1 a3474 1 changes, see the section called “Notify”. The messages are d3479 1 a3479 1 also-notify option. d3487 1 a3487 1 servers explicitly listed using also-notify. d3491 2 a3492 2 The notify option may also be specified in the zone d3494 1 a3494 1 in which case it overrides the options notify statement. d3500 1 a3500 1- notify-to-soa
d3511 1 a3511 1- recursion
d3522 1 a3522 1 Note that setting recursion no does not prevent d3528 1 d3530 1 a3530 1- request-nsid
d3537 2 a3538 2 the resolver category at level info. d3541 1 a3541 1- request-sit
d3557 1 a3557 1 the nosit-udp-size option. d3559 1 a3559 10- nosit-udp-size
Sets the maximum size of UDP responses that will be sent to queries without a valid source identity token. A value below 128 will be silently raised to 128. The default value is 4096, but the max-udp-size option may further limit the response size.
- sit-secret
d3569 1 a3569 1- rfc2308-type1
d3585 1 a3585 1- use-id-pool
d3591 1 a3591 1- use-ixfr
d3596 3 a3598 2 the information on the provide-ixfr option in the section called “server Statement Definition and d3601 1 a3601 1 the section called “Incremental Zone Transfers (IXFR)”. d3603 1 a3603 1- provide-ixfr
d3606 3 a3608 2 provide-ixfr in the section called “server Statement Definition and d3611 1 a3611 1- request-ixfr
d3614 3 a3616 2 request-ixfr in the section called “server Statement Definition and d3619 1 a3619 1- treat-cr-as-space
d3623 1 a3623 1 the server treat carriage return ("\r") characters the same way d3627 2 a3628 2 on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines d3633 1 a3633 1 additional-from-auth, additional-from-cache d3668 1 a3668 1 Setting these options to no d3676 1 a3676 1 them to no without also d3678 1 a3678 1 recursion no will cause the d3683 1 a3683 1 Specifying additional-from-cache no actually d3703 1 a3703 1 referrals when additional-from-cache no d3711 1 a3711 1- match-mapped-addresses
d3724 1 a3724 1 named now solves this problem d3728 1 a3728 1- filter-aaaa-on-v4
d3739 3 a3741 3 The filter-aaaa-on-v4 option may also be specified in view statements to override the global filter-aaaa-on-v4 d3746 1 a3746 1 the DNS client is at an IPv4 address, in filter-aaaa, d3779 1 a3779 1- filter-aaaa-on-v6
d3781 1 a3781 1 Identical to filter-aaaa-on-v4, d3786 1 a3786 1- ixfr-from-differences
d3810 3 a3812 3ixfr-from-differences also accepts master and slave at the view and options d3814 3 a3816 3 ixfr-from-differences to be enabled for all master or slave zones respectively. d3820 1 a3820 1
- multi-master
d3824 1 a3824 1 addresses refer to different machines. Ifyes, named will d3826 1 a3826 1 when the serial number on the master is less than what named d3830 1 a3830 41- auto-dnssec
Zones configured for dynamic DNS may use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:
auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign
zonename.auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)). The command rndc sign
zonenamecauses named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeyszonenamecauses named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)The default setting is auto-dnssec off.
- dnssec-enable
d3833 1 a3833 1 records are to be returned by named. d3835 1 a3835 1 named will not return DNSSEC-related d3839 1 a3839 1- dnssec-validation
d3842 2 a3843 2 Enable DNSSEC validation in named. Note dnssec-enable also needs to be d3851 2 a3852 2 a trusted-keys or managed-keys statement. The default d3861 1 a3861 1 dnssec-validation is off. d3865 1 a3865 1- dnssec-accept-expired
d3870 1 a3870 1 leaves named vulnerable to d3873 1 a3873 1- querylog
d3875 1 a3875 1 Specify whether query logging should be started when named d3877 1 a3877 1 If querylog is not specified, d3879 1 a3879 1 is determined by the presence of the logging category queries. d3881 1 a3881 1- check-names
d3890 5 a3894 5 master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore. d3900 1 a3900 1check-names d3909 1 a3909 1
- check-dup-records
d3913 3 a3915 3 default is to warn. Other possible values are fail and ignore. d3917 1 a3917 1- check-mx
d3920 3 a3922 3 The default is to warn. Other possible values are fail and ignore. d3924 1 a3924 1- check-wildcard
d3931 1 a3931 1 affects master zones. The default (yes) is to check d3934 1 a3934 1- check-integrity
d3943 1 a3943 1 named-checkzone). d3946 2 a3947 2 checks use named-checkzone). The default is yes. d3957 1 a3957 1 check-spf. d3960 1 a3960 1- check-mx-cname
d3962 1 a3962 1 If check-integrity is set then d3964 1 a3964 1 to CNAMES. The default is to warn. d3966 1 a3966 1- check-srv-cname
d3968 1 a3968 1 If check-integrity is set then d3970 1 a3970 1 to CNAMES. The default is to warn. d3972 1 a3972 1- check-sibling
d3975 1 a3975 1 sibling glue exists. The default is yes. d3977 1 a3977 1- check-spf
d3979 1 a3979 1 If check-integrity is set then d3983 1 a3983 1 warn. d3985 1 a3985 1- zero-no-soa-ttl
d3990 1 a3990 1 The default is yes. d3992 1 a3992 1- zero-no-soa-ttl-cache
d3996 1 a3996 1 The default is no. d3998 1 a3998 1- update-check-ksk
d4013 1 a4013 1 similar to the dnssec-signzone -z d4025 1 a4025 1- dnssec-dnskey-kskonly
d4028 1 a4028 1 When this option and update-check-ksk d4035 1 a4035 1 dnssec-signzone -x command line option. d4038 2 a4039 2 The default is no. If update-check-ksk is set to d4043 16 a4058 1- try-tcp-refresh
d4062 1 a4062 1 yes. d4064 1 a4064 1- dnssec-secure-to-insecure
d4069 2 a4070 2 of the DNSKEY records. The default is no. If set to yes, and if the DNSKEY RRset d4083 1 a4083 1 auto-dnssec maintain and the d4086 1 a4086 1 next time named is started. d4091 1 a4091 1
- forward
d4117 1 a4117 1- forwarders
d4129 3 a4131 2 or have a different forward only/first behavior, or not forward at all, see the section called “zone d4135 1 a4135 1d4918 2 a4919 2 example, 1G can be used instead of 1073741824 to specify a limit of d4921 1 a4921 1 gigabyte. unlimited requests d4923 1 a4923 1 maximum available amount. default d4926 1 a4926 1 of size_spec in the section called “Configuration File Elements”. d4936 2 a4937 2
- dual-stack-servers
d4153 1 a4153 1 stacked, then the dual-stack-servers have no effect unless d4155 1 a4155 1 (e.g. named -4). d4159 1 a4159 1d4164 1 a4164 1 of the requesting system. See the section called “Address Match Lists” for d4167 2 a4168 2d4408 1 a4408 1 from may be specified using the listen-on option. listen-on takes d4416 1 a4416 1 Multiple listen-on statements are d4429 1 a4429 1 If no listen-on is specified, the d4433 1 a4433 1 The listen-on-v6 option is used to d4444 1 a4444 1 listen-on-v6 option, d4459 1 a4459 1 IPv4 addresses specified in listen-on-v6 d4463 1 a4463 1 Multiple listen-on-v6 options can d4482 1 a4482 1
- allow-notify
d4173 1 a4173 1 allow-notify may also be d4175 1 a4175 1 zone statement, in which case d4177 1 a4177 1 options allow-notify d4183 1 a4183 1- allow-query
d4187 2 a4188 2 DNS questions. allow-query may also be specified in the zone d4190 1 a4190 1 options allow-query statement. d4197 1 a4197 1 allow-query-cache is now d4202 1 a4202 1- allow-query-on
d4212 1 a4212 1 Note that allow-query-on is only d4214 1 a4214 1 allow-query. A query must be d4218 2 a4219 2 allow-query-on may also be specified in the zone d4221 1 a4221 1 options allow-query-on statement. d4230 1 a4230 1 allow-query-cache is d4235 1 a4235 1- allow-query-cache
d4238 7 a4244 7 from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used. d4246 1 a4246 1- allow-query-cache-on
d4251 2 a4252 2 localnets and localhost. d4254 1 a4254 1- allow-recursion
d4258 3 a4260 3 allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query d4262 2 a4263 2 (localnets; localhost;) is used. d4265 1 a4265 1- allow-recursion-on
d4271 1 a4271 1- allow-update
d4278 1 a4278 1 the section called “Dynamic Update Security” for details. d4280 1 a4280 1- allow-update-forwarding
d4304 1 a4304 1 access control to attacks; see the section called “Dynamic Update Security” d4308 1 a4308 1- allow-v6-synthesis
d4318 1 a4318 1- allow-transfer
d4321 2 a4322 2 receive zone transfers from the server. allow-transfer may also be specified in the zone d4324 1 a4324 1 case it overrides the options allow-transfer statement. d4328 1 a4328 1- blackhole
d4336 1 a4336 1- filter-aaaa
d4339 1 a4339 1 filter-aaaa-on-v4 d4342 1 a4342 1- no-case-compress
d4347 1 a4347 1 used when named needs to work with d4354 1 a4354 1 none: case-insensitive compression d4378 1 a4378 1 There are circumstances in which named d4393 1 a4393 1- resolver-query-timeout
d4403 1 a4403 1d4487 1 a4487 1 query other name servers. query-source specifies d4489 3 a4491 3 IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) d4495 1 a4495 1 If port is * or is omitted, d4499 2 a4500 2 the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) d4502 2 a4503 2 the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively. d4506 2 a4507 2 The defaults of the query-source and query-source-v6 options d4514 3 a4516 3 If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating d4520 1 a4520 1 named will use the corresponding system d4533 2 a4534 2 changed while named is running; the new range will automatically be applied when named d4537 2 a4538 2 configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the d4544 1 a4544 1 where named runs may prohibit the use d4546 1 a4546 1 named running without a root privilege d4555 2 a4556 2 The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options d4564 1 a4564 1 the use-queryport-pool d4570 2 a4571 2 query-source or query-source-v6 options; d4574 2 a4575 2d4874 4 a4877 4 use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports d4880 1 a4880 1 See the section called “Query Address” about how the d4890 1 a4890 1 from named will be in one d4895 3 a4897 3 avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a d4905 3 a4907 3 use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that d4912 1 a4912 1
- use-queryport-pool
d4579 1 a4579 1- queryport-pool-ports
d4583 1 a4583 1- queryport-pool-updateinterval
d4591 1 a4591 1 The address specified in the query-source option d4607 2 a4608 2 See also transfer-source and notify-source. d4612 1 a4612 1d4621 2 a4622 2d4824 1 a4824 1
- also-notify
d4633 1 a4633 1 also-notify address to send d4640 1 a4640 1 masters lists can be used. d4643 2 a4644 2 If an also-notify list is given in a zone statement, d4646 2 a4647 2 the options also-notify statement. When a zone notify d4649 2 a4650 2 is set to no, the IP addresses in the global also-notify list will d4656 1 a4656 1- max-transfer-time-in
d4663 1 a4663 1- max-transfer-idle-in
d4670 1 a4670 1- max-transfer-time-out
d4677 1 a4677 1- max-transfer-idle-out
d4684 1 a4684 1- serial-query-rate
d4693 1 a4693 1 serial-query-rate option, an d4702 1 a4702 1 serial-query-rate also controls d4707 1 a4707 1- serial-queries
d4709 1 a4709 1 In BIND 8, the serial-queries d4714 1 a4714 1 serial queries and ignores the serial-queries option. d4716 1 a4716 1 as defined using the serial-query-rate option. d4718 1 a4718 1- transfer-format
d4721 3 a4723 3 one-answer and many-answers. The transfer-format option is used d4725 1 a4725 1 one-answer uses one DNS message per d4727 1 a4727 1 many-answers packs as many resource d4729 1 a4729 1 many-answers is more efficient, but is d4733 1 a4733 1 The many-answers format is also supported by d4735 3 a4737 3 The default is many-answers. transfer-format may be overridden on a per-server basis by using the server d4740 1 a4740 1- transfers-in
d4744 1 a4744 1 Increasing transfers-in may d4749 1 a4749 1- transfers-out
d4756 1 a4756 1- transfers-per-ns
d4762 1 a4762 1 Increasing transfers-per-ns d4766 3 a4768 3 the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement. d4770 1 a4770 1- transfer-source
d4772 1 a4772 1transfer-source d4782 1 a4782 1 allow-transfer option for the d4785 1 a4785 1 transfer-source for all zones, d4788 3 a4790 3 transfer-source statement within the view or zone block in the configuration d4801 1 a4801 1
- transfer-source-v6
d4803 1 a4803 1 The same as transfer-source, d4806 1 a4806 1- alt-transfer-source
d4810 2 a4811 2 transfer-source fails and use-alt-transfer-source is a4815 1d4818 1 a4818 1 use-alt-transfer-source d4822 1 a4822 2
- alt-transfer-source-v6
d4827 2 a4828 2 transfer-source-v6 fails and use-alt-transfer-source is d4831 1 a4831 1- use-alt-transfer-source
d4834 1 a4834 1 specified this defaults to no d4836 1 a4836 1 yes (for BIND 8 d4839 1 a4839 1- notify-source
d4841 1 a4841 1notify-source d4845 3 a4847 3 server's masters zone clause or in an allow-notify clause. This statement sets the notify-source d4850 3 a4852 3 notify-source statement within the zone or view block in the configuration d4863 1 a4863 1
- notify-source-v6
d4865 1 a4865 1 Like notify-source, d4870 1 a4870 1d7528 1 a7528 1 The view statement is a powerful d7537 1 a7537 1 Each view statement defines a view d7543 1 a7543 1 match-clients clause and its d7547 1 a7547 1 match-destinations clause. If not d7549 1 a7549 1 match-clients and match-destinations d7552 2 a7553 2 match-clients and match-destinations can also take keys which provide an d7556 1 a7556 1 as match-recursive-only, which d7559 1 a7559 1 The order of the view statements is d7562 1 a7562 1 view that it matches. d7565 1 a7565 1 Zones defined within a view d7567 1 a7567 1 only be accessible to clients that match the view. d7574 2 a7575 2 Many of the options given in the options statement can also be used within a view d7579 1 a7579 1 value is given, the value in the options statement d7582 1 a7582 1 in the view statement; these d7584 1 a7584 1 take precedence over those in the options statement. d7592 1 a7592 1 If there are no view statements in d7596 1 a7596 1 in class IN. Any zone statements d7600 1 a7600 1 this default view, and the options d7602 2 a7603 2 apply to the default view. If any explicit view statements are present, all zone d7605 1 a7605 1 occur inside view statements. d7609 1 a7609 1 using view statements: d7644 1 a7644 1
- coresize
d4942 1 a4942 1- datasize
d4955 2 a4956 2 max-cache-size and recursive-clients d4959 1 a4959 1- files
d4964 1 a4964 1- stacksize
d4971 1 a4971 1d4979 2 a4980 2
- max-ixfr-log-size
d4984 1 a4984 1 max-journal-size performs a d4987 1 a4987 1- max-journal-size
d4990 1 a4990 1 (see the section called “The journal file”). When the journal file d5000 1 a5000 1- host-statistics-max
d5006 1 a5006 1- recursive-clients
d5016 1 a5016 1 recursive-clients option may d5037 1 a5037 1- tcp-clients
d5044 1 a5044 1 clients-per-query, max-clients-per-query d5051 1 a5051 1 before dropping additional clients. named will attempt to d5058 1 a5058 1 If the number of queries exceed this value, named will d5066 1 a5066 1 If clients-per-query is set to zero, d5071 1 a5071 1 If max-clients-per-query is set to zero, d5073 1 a5073 1 recursive-clients. d5077 1 a5077 1 fetches-per-zone d5111 1 a5111 1 If fetches-per-zone is set to zero, d5117 1 a5117 1 running rndc recursing. The list d5130 1 a5130 1 built with configure --enable-fetchlimit.) d5134 1 a5134 1 fetches-per-server d5157 1 a5157 1 If fetches-per-server is set to zero, d5162 1 a5162 1 The fetches-per-server quota is d5169 1 a5169 1 threshold, then fetches-per-server d5172 2 a5173 2 fetches-per-server is increased. The fetch-quota-params options d5179 1 a5179 1 built with configure --enable-fetchlimit.) d5182 1 a5182 1- fetch-quota-params
d5214 1 a5214 1 built with configure --enable-fetchlimit.) d5217 1 a5217 1- reserved-sockets
d5222 1 a5222 1 interfaces named listens on, tcp-clients as well as d5233 1 a5233 1- max-cache-size
d5251 1 a5251 1- tcp-listen-queue
d5265 1 a5265 1d5376 2 a5377 2 (but see the rrset-order statement in the section called “RRset Ordering”). d5388 1 a5388 1 The sortlist statement (see below) d5390 1 a5390 1 an address_match_list and d5392 1 a5392 1 more specifically than the topology d5394 3 a5396 3 does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with d5399 1 a5399 1 an IP prefix, an ACL name or a nested address_match_list) d5411 2 a5412 2 treated the same as the address_match_list in a topology statement. Each top d5477 1 a5477 1
- cleaning-interval
d5273 1 a5273 1 from the cache every cleaning-interval minutes. d5280 1 a5280 1- heartbeat-interval
d5283 1 a5283 1 for all zones marked as dialup whenever this d5290 1 a5290 1- interface-interval
d5293 1 a5293 1 every interface-interval d5301 1 a5301 1 listen-on configuration), and d5305 1 a5305 1- statistics-interval
d5309 1 a5309 1 every statistics-interval d5324 1 a5324 1d5484 1 a5484 1 The rrset-order statement permits d5487 2 a5488 2 See also the sortlist statement, the section called “The sortlist Statement”. d5491 1 a5491 1 An order_spec is defined as d5501 3 a5503 3 If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk). d5506 1 a5506 1 The legal values for ordering are: d5510 2 a5511 2d5516 1 a5516 1 fixed
d5527 1 a5527 1random
d5537 1 a5537 1cyclic
d5568 1 a5568 1 If multiple rrset-order statements d5578 1 a5578 1 rrset-order statement does not support d5585 1 a5585 1d5588 2 a5589 2
- lame-ttl
d5606 1 a5606 1- max-ncache-ttl
d5609 1 a5609 1 the server stores negative answers. max-ncache-ttl is d5613 2 a5614 2 max-ncache-ttl is10800seconds (3 hours). max-ncache-ttl cannot exceed d5618 1 a5618 1- max-cache-ttl
d5628 1 a5628 1- min-roots
d5643 1 a5643 1- sig-validity-interval
d5648 1 a5648 1 result of dynamic updates (the section called “Dynamic Update”) will expire. There d5665 1 a5665 1 The sig-validity-interval d5671 1 a5671 1- sig-signing-nodes
d5678 1 a5678 1- sig-signing-signatures
d5685 1 a5685 1- sig-signing-type
d5698 1 a5698 1 named to track the current state of d5702 2 a5703 2 rndc signing -listzone. Once named has finished signing d5707 1 a5707 1 rndc signing -clearkeyid/algorithmzone. d5710 1 a5710 1 rndc signing -clear allzone. d5714 1 a5714 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d5738 4 a5741 4 min-refresh-time 300 seconds, max-refresh-time 2419200 seconds (4 weeks), min-retry-time 500 seconds, and max-retry-time 1209600 seconds d5745 1 a5745 1- edns-udp-size
d5757 1 a5757 1 edns-udp-size to a non-default value d5763 1 a5763 1 When named first queries a remote d5768 1 a5768 1 If the initial response times out, named d5772 1 a5772 1 successes using plain DNS, named d5774 1 a5774 1 with that server. (Periodically, named d5781 1 a5781 1 named will advertise progressively d5784 1 a5784 1 edns-udp-size is reached. d5787 1 a5787 1 The default buffer sizes used by named d5789 1 a5789 1 edns-udp-size. (The values 1232 and d5795 1 a5795 1- max-udp-size
d5799 1 a5799 1 named will send in bytes. d5807 1 a5807 1 edns-udp-size. d5811 1 a5811 1 max-udp-size to a non-default d5816 1 a5816 1 buffer (edns-udp-size). d5823 1 a5823 1- masterfile-format
d5827 1 a5827 1 the section called “Additional File Formats”). d5833 2 a5834 2 named-compilezone tool, or dumped by named. d5838 1 a5838 1textis loaded, named d5841 1 a5841 1 check-names checks do not apply d5845 1 a5845 1 specified in the named configuration d5852 1 a5852 1 masterfile-format for all zones, d5854 3 a5856 3 by including a masterfile-format statement within the zone or view block in the configuration d5861 1 a5861 1 max-recursion-depth d5874 1 a5874 1 max-recursion-queries d5885 1 a5885 1- notify-delay
d5893 1 a5893 1 zones is controlled by serial-query-rate. d5896 1 a5896 1- max-rsa-exponent-size
d5903 1 a5903 1- prefetch
d5907 1 a5907 1 is to expire shortly, named can d5930 1 a5930 1 if it isn't, named will silently d5937 1 a5937 1d5944 1 a5944 1 CHAOS class. These zones are part d5946 1 a5946 1 built-in view (see the section called “view Statement Grammar”) of d5948 3 a5950 3 CHAOS which is separate from the default view of class IN. Most global configuration options (allow-query, d5952 3 a5954 3 overridden: notify, recursion and allow-new-zones are d5956 1 a5956 1 rate-limit is set to allow d5961 1 a5961 1 below, or hide the built-in CHAOS d5963 1 a5963 1 defining an explicit view of class CHAOS d5966 2 a5967 2
- version
d5971 1 a5971 1 with type TXT, class CHAOS. d5973 1 a5973 1 Specifying version none d5976 1 a5976 1- hostname
d5980 1 a5980 1 with type TXT, class CHAOS. d5986 1 a5986 1 answering your queries. Specifying hostname none; d5989 1 a5989 1- server-id
d5994 1 a5994 1 TXT, class CHAOS. d5997 1 a5997 1 answering your queries. Specifying server-id none; d5999 1 a5999 1 Specifying server-id hostname; will cause named to d6001 1 a6001 1 The default server-id is none. d6005 1 a6005 1d6028 98 a6125 98d6409 1 a6409 1 response-policy option for the view or among the d6414 1 a6414 3 allow-query { localhost; };. Note that zones using masterfile-format map cannot be used as policy zones. d6417 1 a6417 1 A response-policy option can support d6422 1 a6422 1 in a single response-policy option; more d6428 2 a6429 2
- 10.IN-ADDR.ARPA
- 16.172.IN-ADDR.ARPA
- 17.172.IN-ADDR.ARPA
- 18.172.IN-ADDR.ARPA
- 19.172.IN-ADDR.ARPA
- 20.172.IN-ADDR.ARPA
- 21.172.IN-ADDR.ARPA
- 22.172.IN-ADDR.ARPA
- 23.172.IN-ADDR.ARPA
- 24.172.IN-ADDR.ARPA
- 25.172.IN-ADDR.ARPA
- 26.172.IN-ADDR.ARPA
- 27.172.IN-ADDR.ARPA
- 28.172.IN-ADDR.ARPA
- 29.172.IN-ADDR.ARPA
- 30.172.IN-ADDR.ARPA
- 31.172.IN-ADDR.ARPA
- 168.192.IN-ADDR.ARPA
- 64.100.IN-ADDR.ARPA
- 65.100.IN-ADDR.ARPA
- 66.100.IN-ADDR.ARPA
- 67.100.IN-ADDR.ARPA
- 68.100.IN-ADDR.ARPA
- 69.100.IN-ADDR.ARPA
- 70.100.IN-ADDR.ARPA
- 71.100.IN-ADDR.ARPA
- 72.100.IN-ADDR.ARPA
- 73.100.IN-ADDR.ARPA
- 74.100.IN-ADDR.ARPA
- 75.100.IN-ADDR.ARPA
- 76.100.IN-ADDR.ARPA
- 77.100.IN-ADDR.ARPA
- 78.100.IN-ADDR.ARPA
- 79.100.IN-ADDR.ARPA
- 80.100.IN-ADDR.ARPA
- 81.100.IN-ADDR.ARPA
- 82.100.IN-ADDR.ARPA
- 83.100.IN-ADDR.ARPA
- 84.100.IN-ADDR.ARPA
- 85.100.IN-ADDR.ARPA
- 86.100.IN-ADDR.ARPA
- 87.100.IN-ADDR.ARPA
- 88.100.IN-ADDR.ARPA
- 89.100.IN-ADDR.ARPA
- 90.100.IN-ADDR.ARPA
- 91.100.IN-ADDR.ARPA
- 92.100.IN-ADDR.ARPA
- 93.100.IN-ADDR.ARPA
- 94.100.IN-ADDR.ARPA
- 95.100.IN-ADDR.ARPA
- 96.100.IN-ADDR.ARPA
- 97.100.IN-ADDR.ARPA
- 98.100.IN-ADDR.ARPA
- 99.100.IN-ADDR.ARPA
- 100.100.IN-ADDR.ARPA
- 101.100.IN-ADDR.ARPA
- 102.100.IN-ADDR.ARPA
- 103.100.IN-ADDR.ARPA
- 104.100.IN-ADDR.ARPA
- 105.100.IN-ADDR.ARPA
- 106.100.IN-ADDR.ARPA
- 107.100.IN-ADDR.ARPA
- 108.100.IN-ADDR.ARPA
- 109.100.IN-ADDR.ARPA
- 110.100.IN-ADDR.ARPA
- 111.100.IN-ADDR.ARPA
- 112.100.IN-ADDR.ARPA
- 113.100.IN-ADDR.ARPA
- 114.100.IN-ADDR.ARPA
- 115.100.IN-ADDR.ARPA
- 116.100.IN-ADDR.ARPA
- 117.100.IN-ADDR.ARPA
- 118.100.IN-ADDR.ARPA
- 119.100.IN-ADDR.ARPA
- 120.100.IN-ADDR.ARPA
- 121.100.IN-ADDR.ARPA
- 122.100.IN-ADDR.ARPA
- 123.100.IN-ADDR.ARPA
- 124.100.IN-ADDR.ARPA
- 125.100.IN-ADDR.ARPA
- 126.100.IN-ADDR.ARPA
- 127.100.IN-ADDR.ARPA
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 100.51.198.IN-ADDR.ARPA
- 113.0.203.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 8.B.D.0.1.0.0.2.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
a6151 1d6156 3 a6158 4
- empty-server
d6164 1 a6164 1- empty-contact
d6170 1 a6170 1- empty-zones-enable
d6175 1 a6175 1- disable-empty-zone
d6182 1 a6182 1d6186 1 a6186 1 The additional section cache, also called acache, d6191 1 a6191 1 Note that acache is an internal caching d6206 3 a6208 3 additional-from-cache to no is recommended, since the current implementation of acache d6213 1 a6213 1 One obvious disadvantage of acache is d6218 3 a6220 3 acache mechanism can be disabled by setting acache-enable to no. d6223 1 a6223 1 for acache by using max-acache-size. d6228 2 a6229 2 Without acache, cyclic order is effective for the additional d6234 1 a6234 1 setting of rrset-order. d6243 1 a6243 1 acache. d6245 2 a6246 2d6283 1 a6283 1 deny-answer-addresses option. d6288 1 a6288 1 deny-answer-aliases option, where d6292 1 a6292 1 with except-from, records whose query name d6296 1 a6296 1 corresponding zone, the deny-answer-aliases d6299 1 a6299 1 deny-answer-aliases, d6307 1 a6307 1 deny-answer-addresses option, only d6328 1 a6328 1 d6362 1 a6362 1 matches the except-from element, d6396 1 a6396 1
- RPZ-CLIENT-IP
d6436 1 a6436 1 rpz-client-ip relativized to the d6463 1 a6463 1- QNAME
d6471 1 a6471 1- RPZ-IP
d6476 1 a6476 1 subdomains of rpz-ip. d6478 1 a6478 1- RPZ-NSDNAME
d6484 1 a6484 1 rpz-nsdname relativized d6490 1 a6490 1- RPZ-NSIP
d6493 1 a6493 1 subdomains of rpz-nsip. d6495 2 a6496 2 least min-ns-dots dots. The default value of min-ns-dots is 1 to d6507 1 a6507 1 DISABLED actions) must be chosen. d6511 3 a6513 3
- Choose the triggered record in the zone that appears first in the response-policy option. d6515 1 a6515 1
- Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP d6518 1 a6518 1
- Among NSDNAME triggers, prefer the d6521 1 a6521 1
- Among IP or NSIP triggers, prefer the trigger d6524 1 a6524 1
- Among triggers with the same prefix length, d6543 2 a6544 2 For example, while the TCP-only policy is commonly used with client-IP triggers, d6548 2 a6549 2
d6775 2 a6776 2 rate-limit clause in an options or view statement. d6803 1 a6803 1 the window option to any value from d6807 1 a6807 1 or more negative than window d6818 2 a6819 2 specified with ipv4-prefix-length (default 24) and ipv6-prefix-length (default 56). d6824 1 a6824 1 with responses-per-second d6829 2 a6830 2 nodata-per-second (default responses-per-second). d6834 2 a6835 2 They are limited by nxdomains-per-second (default base responses-per-second). d6842 2 a6843 2 referrals-per-second (default responses-per-second). d6857 1 a6857 1 responses-per-second value, d6859 1 a6859 1 errors-per-second. d6869 1 a6869 1 Setting slip to 2 (its default) causes every d6875 1 a6875 1 slip must be between 0 and 10. d6883 1 a6883 1 leaked at the slip rate. d6894 1 a6894 1 slip to 1, causing all rate-limited d6900 6 a6905 6 the qps-scale value, then the responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio of the current rate to the qps-scale value. d6908 1 a6908 1 qps-scale 250; responses-per-second 20; and d6919 2 a6920 2 rate-limit statements in view statements instead of the global option d6922 2 a6923 2 A rate-limit statement in a view replaces, rather than supplementing, a rate-limit d6926 1 a6926 1 with the exempt-clients clause. d6930 1 a6930 1 all-per-second phrase. d6932 3 a6934 3 responses-per-second, errors-per-second, and nxdomains-per-second on a DNS server d6939 2 a6940 2 Responses affected by an all-per-second limit are always dropped; the slip value has no d6942 1 a6942 1 An all-per-second limit should be d6950 1 a6950 1 records as it considers the STMP Mail From d6954 1 a6954 1 All-per-second is similar to the d6966 1 a6966 1 rate limit responses is set with max-table-size. d6972 1 a6972 1 min-table-size (default 500) d6974 1 a6974 1 Enable rate-limit category logging to monitor d6979 1 a6979 1 Use log-only yes to test rate limiting parameters d6984 1 a6984 1 RateDropped and QryDropped d6987 1 a6987 1 RateSlipped and RespTruncated. d6991 1 a6991 1
- PASSTHRU
d6552 1 a6552 1 by a CNAME whose target is rpz-passthru. d6557 1 a6557 1- DROP
d6560 1 a6560 1 by a CNAME whose target is rpz-drop. d6564 1 a6564 1- TCP-Only
d6567 1 a6567 1 by a CNAME whose target is rpz-tcp-only. d6572 1 a6572 1- NXDOMAIN
d6577 1 a6577 1- NODATA
d6584 1 a6584 1- Local Data
d6606 2 a6607 2 can be overridden with a policy clause in the response-policy option. d6612 2 a6613 2
- GIVEN
d6617 1 a6617 1- DISABLED
d6630 1 a6630 1 PASSTHRU, DROP, TCP-Only, NXDOMAIN, NODATA d6635 1 a6635 1- CNAME domain
d6648 1 a6648 1 with a recursive-only no clause. d6660 1 a6660 1 break-dnssec yes clause. In that case, RPZ d6677 1 a6677 1 The qname-wait-recurse no option d6685 1 a6685 1 DNSSEC requests (DO=1) unless break-dnssec yes d6696 1 a6696 1 The max-policy-ttl clause changes that d6766 1 a6766 1 RPZRewrites statistics. d6769 1 a6769 1serverip_addr[/prefixlen]{ d7002 1 d7021 1 a7021 1d7023 1 a7023 1 server Statement Definition and d7026 1 a7026 1 The server statement defines d7035 1 a7035 1 The server statement can occur at d7037 1 a7037 1 configuration file or inside a view d7039 2 a7040 2 If a view statement contains one or more server statements, only d7043 1 a7043 1 If a view contains no server d7045 1 a7045 1 any top-level server statements are d7053 1 a7053 1 value of bogus is no. d7056 1 a7056 1 The provide-ixfr clause determines d7061 1 a7061 1 If set to yes, incremental transfer d7063 1 a7063 1 whenever possible. If set to no, d7067 1 a7067 1 of the provide-ixfr option in the d7072 1 a7072 1 The request-ixfr clause determines d7076 1 a7076 1 value of the request-ixfr option in d7087 3 a7089 3 of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is d7096 1 a7096 1 The edns clause determines whether d7098 1 a7098 1 with the remote server. The default is yes. d7101 2 a7102 2 The edns-udp-size option sets the EDNS UDP size that is advertised by named d7111 1 a7111 1 server; named will not deviate from d7113 3 a7115 3 edns-udp-size in options or view statements, where it specifies a maximum value. The server statement d7117 1 a7117 1 options/view behavior in future releases.) d7120 2 a7121 2 The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid d7125 8 a7132 1 replies from named. d7135 3 a7137 3 The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is d7141 3 a7143 3 to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format d7145 1 a7145 1 by the options statement will be d7148 1 a7148 1transfers d7151 1 a7151 1 transfers clause is specified, the d7153 1 a7153 1 transfers-per-ns option. d7156 3 a7158 3 The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) d7170 2 a7171 2 The transfer-source and transfer-source-v6 clauses specify d7175 1 a7175 1 For an IPv4 remote server, only transfer-source can d7178 1 a7178 1 transfer-source-v6 can be d7181 3 a7183 3 transfer-source and transfer-source-v6 in the section called “Zone Transfers”. d7186 2 a7187 2 The notify-source and notify-source-v6 clauses specify the d7190 1 a7190 1 IPv4 remote server, only notify-source d7192 1 a7192 1 only notify-source-v6 can be specified. d7195 2 a7196 2 The query-source and query-source-v6 clauses specify the d7199 1 a7199 1 remote server, only query-source can d7201 1 a7201 1 only query-source-v6 can be specified. d7204 1 a7204 1 The request-nsid clause determines d7207 1 a7207 1 request-nsid set at the view or d7211 1 a7211 1 The request-sit clause determines d7214 1 a7214 1 request-sit set at the view or d7220 1 a7220 1
statistics-channels { d7230 1 a7230 1d7232 1 a7232 1 statistics-channels Statement Definition and d7235 1 a7235 1 The statistics-channels statement d7246 1 a7246 1 statistics-channels statement is d7251 4 a7254 4 An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of*d7259 1 a7259 1 use an ip_addr of::. d7264 1 a7264 1 ip_port. d7268 1 a7268 1 restricted by the optional allow clause. d7270 3 a7272 3 address_match_list. If no allow clause is present, named accepts connection d7279 2 a7280 2 If no statistics-channels statement is present, named will not open any communication channels. d7287 2 a7288 2 http://127.0.0.1:8888/ or http://127.0.0.1:8888/xml. A CSS file is d7297 1 a7297 1 http://127.0.0.1:8888/xml/v2 for version 2 d7299 1 a7299 1 http://127.0.0.1:8888/xml/v3 for version 3. d7306 1 a7306 1 http://127.0.0.1:8888/xml/v3/status d7308 1 a7308 1 http://127.0.0.1:8888/xml/v3/server d7310 1 a7310 1 http://127.0.0.1:8888/xml/v3/zones d7312 1 a7312 1 http://127.0.0.1:8888/xml/v3/net d7314 1 a7314 1 http://127.0.0.1:8888/xml/v3/mem d7316 1 a7316 1 http://127.0.0.1:8888/xml/v3/tasks d7321 1 a7321 1 http://127.0.0.1:8888/json, d7323 1 a7323 1 http://127.0.0.1:8888/json/v1/status d7325 1 a7325 1 http://127.0.0.1:8888/json/v1/server d7327 1 a7327 1 http://127.0.0.1:8888/json/v1/zones d7329 1 a7329 1 http://127.0.0.1:8888/json/v1/net d7331 1 a7331 1 http://127.0.0.1:8888/json/v1/mem d7333 1 a7333 1 http://127.0.0.1:8888/json/v1/tasks d7337 1 a7337 1trusted-keys { d7346 1 a7346 1d7348 1 a7348 1 trusted-keys Statement Definition d7351 2 a7352 2 The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the d7363 1 a7363 1 trusted-keys are deemed to exist regardless d7365 1 a7365 1 trusted-keys only those keys are d7370 1 a7370 1 The trusted-keys statement can contain d7379 1 a7379 1 trusted-keys may be set at the top level d7386 1 a7386 1managed-keys { d7395 1 a7395 1d7397 1 a7397 1 managed-keys Statement Definition d7400 2 a7401 2 The managed-keys statement, like trusted-keys, defines DNSSEC d7403 1 a7403 1 managed-keys can be kept up to date d7411 1 a7411 1 trusted-keys statement would be d7415 1 a7415 1 trusted-keys statement with the new key. d7419 1 a7419 1 managed-keys statement instead, then the d7421 2 a7422 2 named would store the stand-by key, and when the original key was revoked, named d7429 1 a7429 1 A managed-keys statement contains a list of d7434 1 a7434 1 This means the managed-keys statement must d7440 2 a7441 2 Consequently, a managed-keys statement appears similar to a trusted-keys, differing d7444 1 a7444 1 keys listed in a trusted-keys continue to be d7447 1 a7447 1 in a managed-keys statement is only trusted d7453 1 a7453 1 The first time named runs with a managed key d7456 1 a7456 1 using the key specified in the managed-keys d7461 2 a7462 2 From that point on, whenever named runs, it sees the managed-keys statement, checks to d7465 1 a7465 1 key specified in the managed-keys is not d7470 1 a7470 1 The next time named runs after a name d7472 1 a7472 1 managed-keys statement, the corresponding d7478 3 a7480 3 named only maintains a single managed keys database; consequently, unlike trusted-keys, managed-keys may only be set at the top d7492 1 a7492 1 seconds. So, whenever named is using d7496 1 a7496 1 named.) d7499 2 a7500 2 If the dnssec-validation option is set toauto, named d7502 1 a7502 1 root zone. Similarly, if the dnssec-lookaside d7504 1 a7504 1 named will automatically initialize d7507 2 a7508 2 maintenance process is built into named, and can be overridden from bindkeys-file. d7511 1 a7511 1viewview_named7524 1 a7524 1d7646 1 a7646 1 zone d7648 1 a7648 1zonezone_name[class] { d7658 2 a7659 3 [ also-notify [portip_port] [dscpip_dscp] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] d7719 1 d7804 1 a7804 1 [ zone-statisticsfull|terse|none; ] d7818 1 a7818 1 [ zone-statisticsfull|terse|none; ] d7846 1 a7846 1The type keyword is required for the zone configuration unless it is an in-view configuration. Its acceptable values include:
d7854 2 a7855 2delegation-only,forward,hint,master,redirect,slave,static-stub, andstub.d7882 1 a7882 1 zone. The masters list d7997 2 a7998 2 server-addresses and server-names zone options. d8004 1 a8004 1 databases by rndc dumpdb -all. d8035 4 a8038 4 forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders d8042 1 a8042 1 name. If no forwarders d8044 1 a8044 1 an empty list for forwarders is given, then no d8047 1 a8047 1 any forwarders in the options statement. Thus d8050 1 a8050 1 global forward option d8092 1 a8092 1 per view. allow-query can be d8129 1 a8129 1 rndc reload d8132 1 a8132 1 rndc reload without specifying d8160 1 a8160 1 See caveats in root-delegation-only. d8167 1 a8167 1 d8189 1 a8189 1 d9121 1 a9121 1 in-view zone option provides an efficient d9144 1 a9144 1 An in-view option cannot refer to a view d9148 4 a9151 4 A zone statement which uses the in-view option may not use any other options with the exception of forward and forwarders. (These options control d9163 1 a9163 1 An in-view zone cannot be used as a d9167 2 a9168 2 An in-view zone is not intended to reference a forward zone. d9173 1 a9173 1 d9197 1 a9197 1 that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”. d9204 2 a9205 2
- allow-notify
d8196 1 a8196 1 allow-notify in the section called “Access Control”. d8198 1 a8198 1- allow-query
d8201 1 a8201 1 allow-query in the section called “Access Control”. d8203 1 a8203 1- allow-query-on
d8206 1 a8206 1 allow-query-on in the section called “Access Control”. d8208 1 a8208 1- allow-transfer
d8210 2 a8211 2 See the description of allow-transfer in the section called “Access Control”. d8213 1 a8213 1- allow-update
d8215 2 a8216 2 See the description of allow-update in the section called “Access Control”. d8218 1 a8218 1- update-policy
d8221 1 a8221 1 the section called “Dynamic Update Policies”. d8223 1 a8223 1- allow-update-forwarding
d8225 2 a8226 2 See the description of allow-update-forwarding in the section called “Access Control”. d8228 1 a8228 1- also-notify
d8230 1 a8230 1 Only meaningful if notify d8239 1 a8239 1 with also-notify. A port d8241 1 a8241 1 with each also-notify d8247 1 a8247 1 also-notify is not d8251 1 a8251 1- check-names
d8257 3 a8259 3 network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones. d8261 1 a8261 1- check-mx
d8264 1 a8264 1 check-mx in the section called “Boolean Options”. d8266 1 a8266 1- check-spf
d8269 1 a8269 1 check-spf in the section called “Boolean Options”. d8271 1 a8271 1- check-wildcard
d8274 1 a8274 1 check-wildcard in the section called “Boolean Options”. d8276 1 a8276 1- check-integrity
d8279 1 a8279 1 check-integrity in the section called “Boolean Options”. d8281 1 a8281 1- check-sibling
d8284 1 a8284 1 check-sibling in the section called “Boolean Options”. d8286 1 a8286 1- zero-no-soa-ttl
d8289 1 a8289 1 zero-no-soa-ttl in the section called “Boolean Options”. d8291 1 a8291 1- update-check-ksk
d8294 1 a8294 1 update-check-ksk in the section called “Boolean Options”. d8296 1 a8296 1- dnssec-loadkeys-interval
d8299 2 a8300 1 dnssec-loadkeys-interval in the section called “options Statement Definition and d8303 1 a8303 1- dnssec-update-mode
d8306 1 a8306 2 dnssec-update-mode in the section called “options Statement Definition and Usage”. d8308 1 a8308 1- dnssec-dnskey-kskonly
d8311 1 a8311 1 dnssec-dnskey-kskonly in the section called “Boolean Options”. d8313 1 a8313 6- try-tcp-refresh
See the description of try-tcp-refresh in the section called “Boolean Options”.
- database
d8317 1 a8317 1 zone data. The string following the database keyword d8339 1 a8339 1- dialup
d8342 1 a8342 1 dialup in the section called “Boolean Options”. d8344 1 a8344 1- delegation-only
d8353 1 a8353 1 See caveats in root-delegation-only. d8356 1 a8356 1- forward
d8359 1 a8359 1 list. The only value causes d8361 1 a8361 1 after trying the forwarders and getting no answer, while first would d8364 1 a8364 1- forwarders
d8367 1 a8367 1 If it is not specified in a zone of type forward, d8371 1 a8371 1- ixfr-base
d8383 1 a8383 1- ixfr-tmp-file
d8388 1 a8388 1- journal
d8392 1 a8392 1 This is applicable to master and slave zones. d8394 1 a8394 1- max-journal-size
d8397 1 a8397 1 max-journal-size in the section called “Server Resource Limits”. d8399 1 a8399 1- max-transfer-time-in
d8402 1 a8402 1 max-transfer-time-in in the section called “Zone Transfers”. d8404 1 a8404 1- max-transfer-idle-in
d8407 1 a8407 1 max-transfer-idle-in in the section called “Zone Transfers”. d8409 1 a8409 1- max-transfer-time-out
d8412 1 a8412 1 max-transfer-time-out in the section called “Zone Transfers”. d8414 1 a8414 1- max-transfer-idle-out
d8417 1 a8417 1 max-transfer-idle-out in the section called “Zone Transfers”. d8419 1 a8419 1- notify
d8422 1 a8422 1 notify in the section called “Boolean Options”. d8424 1 a8424 1- notify-delay
d8427 1 a8427 1 notify-delay in the section called “Tuning”. d8429 1 a8429 1- notify-to-soa
d8432 2 a8433 2 notify-to-soa in the section called “Boolean Options”. d8435 1 a8435 1- pubkey
d8444 1 a8444 1- zone-statistics
d8446 5 a8450 4 See the description of zone-statistics in the section called “options Statement Definition and Usage”. d8452 1 a8452 1- server-addresses
d8466 1 a8466 1 in a server-addresses option, d8481 1 a8481 1- server-names
d8489 1 a8489 1 named needs to send queries to d8497 1 a8497 1 server-names option, but d8507 1 a8507 1 in a server-names option, d8524 1 a8524 1- sig-validity-interval
d8527 1 a8527 1 sig-validity-interval in the section called “Tuning”. d8529 1 a8529 1- sig-signing-nodes
d8532 1 a8532 1 sig-signing-nodes in the section called “Tuning”. d8534 1 a8534 1- sig-signing-signatures
d8537 1 a8537 1 sig-signing-signatures in the section called “Tuning”. d8539 1 a8539 1- sig-signing-type
d8542 1 a8542 1 sig-signing-type in the section called “Tuning”. d8544 1 a8544 1- transfer-source
d8547 1 a8547 1 transfer-source in the section called “Zone Transfers”. d8549 1 a8549 1- transfer-source-v6
d8552 1 a8552 1 transfer-source-v6 in the section called “Zone Transfers”. d8554 1 a8554 1- alt-transfer-source
d8557 1 a8557 1 alt-transfer-source in the section called “Zone Transfers”. d8559 1 a8559 1- alt-transfer-source-v6
d8562 1 a8562 1 alt-transfer-source-v6 in the section called “Zone Transfers”. d8564 1 a8564 1- use-alt-transfer-source
d8567 1 a8567 1 use-alt-transfer-source in the section called “Zone Transfers”. d8569 1 a8569 1- notify-source
d8572 1 a8572 1 notify-source in the section called “Zone Transfers”. d8574 1 a8574 1- notify-source-v6
d8577 1 a8577 1 notify-source-v6 in the section called “Zone Transfers”. d8580 1 a8580 1 min-refresh-time, max-refresh-time, min-retry-time, max-retry-time d8583 1 a8583 1 See the description in the section called “Tuning”. d8585 1 a8585 1- ixfr-from-differences
d8588 2 a8589 2 ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences d8594 1 a8594 1- key-directory
d8597 2 a8598 1 key-directory in the section called “options Statement Definition and d8601 63 a8663 15- auto-dnssec
See the description of auto-dnssec in the section called “options Statement Definition and Usage”.
- serial-update-method
See the description of serial-update-method in the section called “options Statement Definition and Usage”.
- inline-signing
d8672 1 a8672 1- multi-master
d8674 2 a8675 2 See the description of multi-master in the section called “Boolean Options”. d8677 1 a8677 1- masterfile-format
d8679 2 a8680 2 See the description of masterfile-format in the section called “Tuning”. d8682 1 a8682 1- max-zone-ttl
d8684 3 a8686 2 See the description of max-zone-ttl in the section called “options Statement Definition and d8689 1 a8689 1- dnssec-secure-to-insecure
d8692 1 a8692 1 dnssec-secure-to-insecure in the section called “Boolean Options”. d8696 1 a8696 1d8702 2 a8703 2 allow-update and update-policy option, respectively. d8706 1 a8706 1 The allow-update clause works the d8712 1 a8712 1 The update-policy clause d8722 1 a8722 1 Rules are specified in the update-policy d8724 1 a8724 1 When the update-policy statement d8726 2 a8727 2 allow-update statement to be present. The update-policy statement d8732 1 a8732 1 There is a pre-defined update-policy d8734 1 a8734 1 update-policy local;. d8736 1 a8736 1 named to generate a TSIG session d8742 3 a8744 3 session-keyfile, session-keyname and session-keyalg options, respectively). d8756 1 a8756 1 The command nsupdate -l sends update d8763 1 a8763 1 ( grant | deny )identitynametype[name] [types] d8818 2 a8819 2d8863 1 a8863 1 update-policy statement d8866 1 a8866 1 update-policy statement in d8886 1 a8886 1 is a valid expansion of the wildcard. d9059 1 a9059 1 This rule allows named d9111 1 a9111 1 d9283 2 a9284 2 a9368 12 AVC Application Visibility and Control record.
a9434 13 CSYNC
Child-to-Parent Synchronization in DNS as described in RFC 7477.
a9812 12 NINFO
Contains zone status information.
a9982 12 RKEY
Resource key.
a10038 24 SINK
The kitchen sink record.
SMIMEA
The S/MIME Security Certificate Association.
a10090 24 TA
Trust Anchor. Experimental.
TALINK
Trust Anchor Link. Experimental.
d10196 2 a10197 2
d10286 1 a10286 1 d10328 3 a10330 3 d10446 3 a10448 3 d10489 1 a10489 1 d10529 5 a10533 5 d10672 1 a10672 1 d10764 2 a10765 2 d10797 1 a10797 1 The $ORIGIN lines in the examples d10805 1 a10805 1 d10817 2 a10818 2 Master File Directives include $ORIGIN, $INCLUDE, and $TTL. d10820 1 a10820 1 d10831 1 a10831 1 d10835 1 a10835 1 Syntax: $ORIGIN d10839 1 a10839 1 $ORIGIN d10842 2 a10843 2 is an implicit $ORIGIN <
d10864 1 a10864 1 Syntax: $INCLUDE d10872 3 a10874 3 if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is d10879 1 a10879 1 revert to the values they had prior to the $INCLUDE once d10887 1 a10887 1 an $INCLUDE, but it is silent d10896 1 a10896 1 d10900 1 a10900 1 Syntax: $TTL d10910 1 a10910 1zone_name>. d10845 2 a10846 2 The current $ORIGIN is appended to the domain specified in the $ORIGIN d10860 1 a10860 1$TTL d10915 1 a10915 1
d10919 1 a10919 1 Syntax: $GENERATE d10928 1 a10928 1$GENERATE d10931 1 a10931 1 iterator. $GENERATE can be used to d10973 2 a10974 2
d10979 1 a10979 1 range
d10993 1 a10993 1lhs
d10998 1 a10998 1 to be created. Any single $ d11000 1 a11000 1 symbols within the lhs string d11004 4 a11007 4 $ using a backslash \, e.g. \$. The $ may optionally be followed d11012 4 a11015 4 { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} d11021 3 a11023 3 (d), octal (o), hexadecimal (x or X d11025 1 a11025 1 (n or N\ d11027 3 a11029 3 ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended d11041 1 a11041 1 $$ is still recognized as d11048 1 a11048 1ttl
d11056 2 a11057 2class and ttl can be d11064 1 a11064 1
class
d11072 2 a11073 2class and ttl can be d11080 1 a11080 1
type
d11090 1 a11090 1rhs
d11094 1 a11094 1 rhs, optionally, quoted string. d11101 1 a11101 1 The $GENERATE directive is a BIND extension d11108 1 a11108 1d11126 1 a11126 1 directly into memory via the mmap() d11134 1 a11134 1 file by the named-compilezone command. d11137 2 a11138 2 masterfile-format option) when named dumps the zone contents after d11144 1 a11144 1 named-compilezone command. All d11147 1 a11147 1 named-compilezone command again. d11150 1 a11150 1 Note that map format is extremely d11168 1 a11168 1d11959 2 a11960 2d11186 2 a11187 2d11287 5 a11291 6 zone-statistics is set to full(oryesfor backward compatibility. See the description of zone-statistics in the section called “options Statement Definition and Usage” for further details. a11293 4 These statistics counters are shown with their zone and view names. The view name is omitted when the server is not configured with explicit views.d11297 1 a11297 1 by the statistics-file configuration option. d11299 1 a11299 1 when the statistics-channels statement d11301 1 a11301 1 (see the section called “statistics-channels Statement Grammar”.) d11303 3 a11305 3
d11310 1 a11310 1 +++ Statistics Dump +++ (973798949) d11322 1 a11322 1 ++ Name Server Statistics ++ d11336 1 a11336 1 --- Statistics Dump --- (973798949) d11339 1 a11339 1d11363 3 a11365 3d11387 1 a11387 1 Requestv4
d11390 1 a11390 1RQ
d11401 1 a11401 1Requestv6
d11404 1 a11404 1RQ
d11415 1 a11415 1ReqEdns0
d11418 1 a11418 1d11428 1 a11428 1
ReqBadEDNSVer
d11431 1 a11431 1d11441 1 a11441 1
ReqTSIG
d11444 1 a11444 1d11454 1 a11454 1
ReqSIG0
d11457 1 a11457 1d11467 1 a11467 1
ReqBadSIG
d11470 1 a11470 1d11480 1 a11480 1
ReqTCP
d11483 1 a11483 1RTCP
d11493 1 a11493 1AuthQryRej
d11496 1 a11496 1RUQ
d11506 1 a11506 1RecQryRej
d11509 1 a11509 1RURQ
d11519 1 a11519 1XfrRej
d11522 1 a11522 1RUXFR
d11532 1 a11532 1UpdateRej
d11535 1 a11535 1RUUpd
d11545 1 a11545 1Response
d11548 1 a11548 1SAns
d11558 1 a11558 1RespTruncated
d11561 1 a11561 1d11571 1 a11571 1
RespEDNS0
d11574 1 a11574 1d11584 1 a11584 1
RespTSIG
d11587 1 a11587 1d11597 1 a11597 1
RespSIG0
d11600 1 a11600 1d11610 1 a11610 1
QrySuccess
d11613 1 a11613 1d11621 1 a11621 1 success counter d11629 1 a11629 1
QryAuthAns
d11632 1 a11632 1d11642 1 a11642 1
QryNoauthAns
d11645 1 a11645 1SNaAns
d11655 1 a11655 1QryReferral
d11658 1 a11658 1d11664 1 a11664 1 referral counter d11672 1 a11672 1
QryNxrrset
d11675 1 a11675 1d11681 1 a11681 1 nxrrset counter d11689 1 a11689 1
QrySERVFAIL
d11692 1 a11692 1SFail
d11702 1 a11702 1QryFORMERR
d11705 1 a11705 1SFErr
d11715 1 a11715 1QryNXDOMAIN
d11718 1 a11718 1SNXD
d11724 1 a11724 1 nxdomain counter d11732 1 a11732 1QryRecursion
d11735 1 a11735 1RFwdQ
d11742 1 a11742 1 recursion counter d11750 1 a11750 1QryDuplicate
d11753 1 a11753 1RDupQ
d11762 1 a11762 1 duplicate counter d11770 1 a11770 1QryDropped
d11773 1 a11773 1d11783 1 a11783 1 clients-per-query d11785 1 a11785 1 max-clients-per-query d11788 1 a11788 1 clients-per-query.) d11790 1 a11790 1 dropped counter d11798 1 a11798 1
QryFailure
d11801 1 a11801 1d11807 1 a11807 1 failure counter d11813 2 a11814 2 AuthQryRej and RecQryRej d11823 1 a11823 1
XfrReqDone
d11826 1 a11826 1d11836 1 a11836 1
UpdateReqFwd
d11839 1 a11839 1d11849 1 a11849 1
UpdateRespFwd
d11852 1 a11852 1d11862 1 a11862 1
UpdateFwdFail
d11865 1 a11865 1d11875 1 a11875 1
UpdateDone
d11878 1 a11878 1d11888 1 a11888 1
UpdateFail
d11891 1 a11891 1d11901 1 a11901 1
UpdateBadPrereq
d11904 1 a11904 1d11914 1 a11914 1
RateDropped
d11917 1 a11917 1d11927 1 a11927 1
RateSlipped
d11930 1 a11930 1d11940 1 a11940 1
RPZRewrites
d11943 1 a11943 1d11954 1 a11954 1
d11977 1 a11977 1 NotifyOutv4
d11987 1 a11987 1NotifyOutv6
d11997 1 a11997 1NotifyInv4
d12007 1 a12007 1NotifyInv6
d12017 1 a12017 1NotifyRej
d12027 1 a12027 1SOAOutv4
d12037 1 a12037 1SOAOutv6
d12047 1 a12047 1AXFRReqv4
d12057 1 a12057 1AXFRReqv6
d12067 1 a12067 1IXFRReqv4
d12077 1 a12077 1IXFRReqv6
d12087 1 a12087 1XfrSuccess
d12097 1 a12097 1XfrFail
d12108 1 a12108 1 d12113 3 a12115 3d12137 1 a12137 1 Queryv4
d12140 1 a12140 1SFwdQ
d12150 1 a12150 1Queryv6
d12153 1 a12153 1SFwdQ
d12163 1 a12163 1Responsev4
d12166 1 a12166 1RR
d12176 1 a12176 1Responsev6
d12179 1 a12179 1RR
d12189 1 a12189 1NXDOMAIN
d12192 1 a12192 1RNXD
d12202 1 a12202 1SERVFAIL
d12205 1 a12205 1RFail
d12215 1 a12215 1FORMERR
d12218 1 a12218 1RFErr
d12228 1 a12228 1OtherError
d12231 1 a12231 1RErr
d12241 1 a12241 1EDNS0Fail
d12244 1 a12244 1d12254 1 a12254 1
Mismatch
d12257 1 a12257 1RDupR
d12266 1 a12266 1 the port option.) d12274 1 a12274 1Truncated
d12277 1 a12277 1d12287 1 a12287 1
Lame
d12290 1 a12290 1RLame
d12300 1 a12300 1Retry
d12303 1 a12303 1SDupQ
d12313 1 a12313 1QueryAbort
d12316 1 a12316 1d12326 1 a12326 1
QuerySockFail
d12329 1 a12329 1d12342 1 a12342 1
QueryTimeout
d12345 1 a12345 1d12355 1 a12355 1
GlueFetchv4
d12358 1 a12358 1SSysQ
d12368 1 a12368 1GlueFetchv6
d12371 1 a12371 1SSysQ
d12381 1 a12381 1GlueFetchv4Fail
d12384 1 a12384 1d12394 1 a12394 1
GlueFetchv6Fail
d12397 1 a12397 1d12407 1 a12407 1
ValAttempt
d12410 1 a12410 1d12420 1 a12420 1
ValOk
d12423 1 a12423 1d12433 1 a12433 1
ValNegOk
d12436 1 a12436 1d12446 1 a12446 1
ValFail
d12449 1 a12449 1d12459 1 a12459 1
QryRTTnn
d12462 1 a12462 1d12468 1 a12468 1 Each nn specifies the corresponding d12471 2 a12472 2 nn_1, nn_2, d12474 2 a12475 2 nn_m, the value of nn_i is the d12477 2 a12478 2 nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. d12480 1 a12480 1 nn_0 to be 0. d12482 1 a12482 1 nn_m+, which means the d12484 1 a12484 1 nn_m milliseconds. d12491 1 a12491 1 d12497 6 a12502 6 UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the d12504 1 a12504 1 In the following table <TYPE> d12511 2 a12512 2
d12529 1 a12529 1 <TYPE>Open
d12535 1 a12535 1 FDwatch type. d12541 1 a12541 1<TYPE>OpenFail
d12547 1 a12547 1 FDwatch type. d12553 1 a12553 1<TYPE>Close
d12563 1 a12563 1<TYPE>BindFail
d12573 1 a12573 1<TYPE>ConnFail
d12583 1 a12583 1<TYPE>Conn
d12593 1 a12593 1<TYPE>AcceptFail
d12599 2 a12600 2 UDP and FDwatch types. d12606 1 a12606 1<TYPE>Accept
d12612 2 a12613 2 UDP and FDwatch types. d12619 1 a12619 1<TYPE>SendErr
d12625 2 a12626 2 to SErr counter of BIND 8. d12632 1 a12632 1<TYPE>RecvErr
d12646 1 a12646 1 d12651 2 a12652 2 in BIND 8 are also supported in BIND 9 as shown in the above tables. d12656 2 a12657 2
- RFwdR,SFwdR
d12660 1 a12660 1 because BIND 9 does not adopt d12662 1 a12662 1 as BIND 8 did. d12664 1 a12664 1- RAXFR
d12668 1 a12668 1- RIQ
d12672 1 a12672 1- ROpts
d12675 1 a12675 1 because BIND 9 does not care d12700 1 a12700 1BIND 9.10.4-P1
@ 1.1.1.25 log @Import bind 9.10.4-P3 @ text @d12848 1 a12848 1BIND 9.10.4-P3
@ 1.1.1.26 log @bind-9.10.4-P4 4489. [security] It was possible to trigger assertions when processing a response. (CVE-2016-8864) [RT #43465] @ text @d12848 1 a12848 1BIND 9.10.4-P4
@ 1.1.1.27 log @Import bind 9.10.4-P5 @ text @d12848 1 a12848 1BIND 9.10.4-P5
@ 1.1.1.28 log @Import bind 9.10.4-P6 @ text @d12848 1 a12848 1BIND 9.10.4-P6
@ 1.1.1.29 log @ --- 9.10.4-P8 released --- 4582. [security] 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) [RT #44924] 4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850] --- 9.10.4-P7 released --- 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] 4564. [maint] Update the built in managed keys to include the upcoming root KSK. [RT #44579] @ text @d12848 1 a12848 1BIND 9.10.4-P8
@ 1.1.1.30 log @Import bind 9.10.5-P1 @ text @a0 1 d2 1 a2 1 - Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") d17 1 a17 1 d109 1 a109 2d119 1 a119 2
d125 1 a125 1
d128 1 a128 2d132 1 a132 2
d500 2 a501 3
d504 1 a504 2d507 4 a510 5address_match_list=address_match_list_element; ...address_match_list_element= [ ! ] (ip_address|ip_prefix| keykey_id|acl_name| {address_match_list} ) d512 2 a513 3d516 1 a516 2d523 3 a525 4
- an IP address (IPv4 or IPv6)
a526 4 an IP prefix (in `/' notation)- d529 2 a530 4
- the name of an address match list defined with d532 2 a533 5
- a nested address match list enclosed in braces
d535 1 a535 2d541 1 a541 2
d548 1 a548 2
d555 1 a555 2
d560 1 a560 2
d579 1 a579 2
d595 3 a597 4
d600 1 a600 2d607 1 a607 2
d610 1 a610 2d622 2 a623 2
d626 1 a626 2d630 1 a630 1
d636 1 a636 1
d640 1 a640 1
d651 1 a651 2
d658 1 a658 1
d668 1 a668 1
d675 1 a675 2
d685 1 a685 2
d687 1 a687 1d693 5 a697 6
d700 1 a700 2d708 1 a708 2
d711 1 a711 3
d870 2 a871 4
d877 1 a877 2
d880 3 a882 4aclacl-name{address_match_list}; d884 2 a885 3d889 1 a889 2d894 1 a894 2
d897 1 a897 3
d957 2 a958 4
d964 1 a964 1
d971 1 a971 1
d987 1 a987 1
d1002 1 a1002 1
d1005 1 a1005 1
geoip country US; d1015 2 a1016 4d1019 9 a1027 9controls { [ inet (ip_addr| * ) [ portip_port] allow {address_match_list} [ keys {key_list} ] [ unixpathpermnumberownernumbergroupnumber[ keys {key_list} ] [ read-onlyyes_or_no] ; ] [ ...; ] }; d1029 2 a1030 4d1034 1 a1034 2d1041 1 a1041 2
d1054 1 a1054 2
d1058 1 a1058 2
d1068 1 a1068 2
d1077 1 a1077 2
d1086 1 a1086 2
d1100 1 a1100 2
d1113 1 a1113 2
d1134 1 a1134 2
d1139 2 a1140 3
d1143 3 a1145 4includefilename;d1148 1 a1148 2d1158 2 a1159 3
d1162 4 a1165 5keykey_id{ algorithmalgorithm_id; secretsecret_string; }; d1167 2 a1168 4d1171 1 a1171 2d1178 1 a1178 2
d1189 1 a1189 2
d1198 1 a1198 2
d1212 2 a1213 3
d1216 19 a1234 20logging { [ channelchannel_name{ ( ( filepath_name[ versions (number|unlimited) ] [ sizesize_spec] ) | syslogsyslog_facility| stderr | null ) ; [ severity (critical|error|warning|notice|info|debug[level] |dynamic) ; ] [ print-categoryyes_or_no; ] [ print-severityyes_or_no; ] [ print-timeyes_or_no; ] }; ] [ categorycategory_name{channel_name; ... }; ] ... }; d1236 2 a1237 4d1240 1 a1240 2d1248 1 a1248 1
a1253 1 d1259 1 a1259 2
d1270 1 a1270 2
d1273 1 a1273 2d1277 1 a1277 2
d1288 1 a1288 2
d1293 1 a1293 2
d1301 1 a1301 2
d1324 1 a1324 2
d1340 1 a1340 2
a1343 1 d1350 1 a1350 2
d1372 1 a1372 1
d1375 1 a1375 1
d1384 1 a1384 1
d1396 1 a1396 2
d1405 1 a1405 2
a1418 1 d1424 1 a1424 2
d1431 1 a1431 1
d1449 1 a1449 2
d1452 1 a1452 2
a1457 1 d1485 1 a1485 2
d1493 1 a1493 2
d1503 1 a1503 2
d1509 2 a1510 3
d1513 1 a1513 2a1521 1 d1524 1 a1524 2
a1528 1 d1538 1 a1538 2
a1540 1 d1544 1 a1544 2
d1549 1 a1549 2
d1904 1 a1904 1
d1906 1 a1906 2d1909 1 a1909 2d1917 1 a1917 2
d1921 1 a1921 1
d1924 1 a1924 1
d1932 1 a1932 1
d1938 1 a1938 1
d1949 1 a1949 1
d1956 1 a1956 1
d1966 1 a1966 1
d1976 1 a1976 3
d2115 2 a2116 3
d2123 1 a2123 1
d2132 3 a2134 4
d2137 1 a2137 2d2141 7 a2147 10
lwres { [ listen-on { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... }; ] [ viewview_name; ] [ search {domain_name; ... }; ] [ ndotsnumber; ] }; d2149 2 a2150 3d2153 1 a2153 2d2161 1 a2161 2
d2172 1 a2172 2
d2183 1 a2183 2
d2191 1 a2191 2
d2200 2 a2201 2
a2203 1 d2205 2 a2206 5 mastersname[ portip_port] [ dscpip_dscp] { (masters_list; ) | (ip_addr[ portip_port] [ keykey] ; ) ... }; d2208 2 a2209 4d2213 1 a2213 2masters d2218 2 a2219 3
d2222 1 a2222 2d2226 255 a2480 255
options { [ attach-cachecache_name; ] [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ geoip-directorypath_name; ] [ key-directorypath_name; ] [ managed-keys-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-keytabpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomain_name; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ bindkeys-filepath_name; ] [ secroots-filepath_name; ] [ session-keyfilepath_name; ] [ session-keynamekey_name; ] [ session-keyalgalgorithm_id; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statistics (full|terse|none) ; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notify (yes_or_no|explicit|master-only) ; ] [ recursionyes_or_no; ] [ request-sityes_or_no; ] [ nosit-udp-sizenumber; ] [ sit-secretsecret_string; ] [ request-nsidyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave) ; ] [ auto-dnssec (allow|maintain|off) ; ] [ dnssec-enableyes_or_no; ] [ dnssec-validation (yes_or_no|auto) ; ] [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first) ; ] [ forwarders { (ip_addr[ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ dual-stack-servers [ portip_port] [ dscpip_dscp] { ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) ... } ; ] [ check-names (master|slave|response) (warn|fail|ignore) ; ] [ check-dup-records (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore) ; ] [ check-srv-cname (warn|fail|ignore) ; ] [ check-siblingyes_or_no; ] [ check-spf (warn|ignore) ; ] [ allow-new-zonesyes_or_no; ] [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-query-cache {address_match_list} ; ] [ allow-query-cache-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-recursion {address_match_list} ; ] [ allow-recursion-on {address_match_list} ; ] [ allow-update {address_match_list} ] [ allow-update-forwarding {address_match_list} ; ] [ automatic-interface-scanyes_or_no; ] [ update-check-kskyes_or_no; ] [ dnssec-update-mode (maintain|no-resign) ; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list} ; ] [ blackhole {address_match_list} ; ] [ no-case-compress {address_match_list} ; ] [ use-v4-udp-ports {port_list} ; ] [ avoid-v4-udp-ports {port_list} ; ] [ use-v6-udp-ports {port_list} ; ] [ avoid-v6-udp-ports {port_list} ; ] [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] [ query-source ( [ address ] (ip4_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ query-source-v6 ( [ address ] (ip6_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ] ; [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] [ max-recordsnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ tcp-clientsnumber; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ fetches-per-servernumber[ (drop|fail) ] ; ] [ fetches-per-zonenumber[ (drop|fail) ] ; ] [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format (one-answer|many-answers) ; ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-to-soayes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list} ; ] [ sortlist {address_match_list} ; ] [ rrset-order {order_spec; ... } ; ] [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ max-zone-ttl (unlimited|number) ; ] [ serial-update-method (increment|unixtime) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ dscpip_dscp; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] [ filter-aaaa {address_match_list} ; ] [ dns64ipv6-prefix{ [ clients {address_match_list} ; ] [ mapped {address_match_list} ; ] [ exclude {address_match_list} ; ] [ suffixip6-address; ] [ recursive-onlyyes_or_no; ] [ break-dnssecyes_or_no; ] } ; ] [ dns64-servername] [ dns64-contactname] [ preferred-glue (A|AAAA|none); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ max-rsa-exponent-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; ... } ; ] [ disable-ds-digestsdomain{digest_type; ... } ; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ max-recursion-depthnumber; ] [ max-recursion-queriesnumber; ] [ masterfile-format (text|raw|map) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] [ resolver-query-timeoutnumber; ] [ deny-answer-addresses {address_match_list} [ except-from {namelist} ] ; ] [ deny-answer-aliases {namelist} [ except-from {namelist} ] ; ] [ prefetchnumber[number] ; ] [ rate-limit { [ responses-per-secondnumber; ] [ referrals-per-secondnumber; ] [ nodata-per-secondnumber; ] [ nxdomains-per-secondnumber; ] [ errors-per-secondnumber; ] [ all-per-secondnumber; ] [ windownumber; ] [ log-onlyyes_or_no; ] [ qps-scalenumber; ] [ ipv4-prefix-lengthnumber; ] [ ipv6-prefix-lengthnumber; ] [ slipnumber; ] [ exempt-clients {address_match_list} ; ] [ max-table-sizenumber; ] [ min-table-sizenumber; ] } ; ] [ response-policy { zonezone_name[ policy ( given | disabled | passthru | drop | tcp-only | nxdomain | nodata | cnamedomain) ] [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] ; ... } [ recursive-onlyyes_or_no] [ max-policy-ttlnumber] [ break-dnssecyes_or_no] [ min-ns-dotsnumber] [ qname-wait-recurseyes_or_no] ; ] } ; ] d2482 2 a2483 4d2487 1 a2487 2d2496 1 a2496 2
d2499 1 a2499 1
d2508 1 a2508 2
d2514 1 a2514 2
d2524 1 a2524 2
d2531 1 a2531 2
a2539 1 d2554 1 a2554 2
d2569 1 a2569 2
d2581 1 a2581 1 d2583 1 a2583 2
- d2598 1 a2598 2
d2596 1 a2596 2
- d2609 1 a2609 2
d2607 1 a2607 2
- d2621 1 a2621 1
d2618 1 a2618 2
d2626 1 a2626 1
d2635 1 a2635 1 d2637 1 a2637 2
- d2646 1 a2646 2
d2644 1 a2644 2
- d2653 1 a2653 2
d2651 1 a2651 2
- d2668 1 a2668 2
d2666 1 a2666 2
- d2686 1 a2686 2
d2684 1 a2684 2
- d2697 1 a2697 2
d2694 2 a2695 3 most cases, the
key_nameshould be the server's host name.- d2701 1 a2701 2
d2699 1 a2699 2
- d2708 1 a2708 2
d2706 1 a2706 2
- d2714 1 a2714 2
d2712 1 a2712 2
- d2728 1 a2728 2
d2726 1 a2726 2
- d2735 1 a2735 2
d2733 1 a2733 2
- d2744 1 a2744 2
d2742 1 a2742 2
- d2753 1 a2753 2
d2751 1 a2751 2
- d2761 1 a2761 2
d2759 1 a2759 2
- d2773 1 a2773 2
d2771 1 a2771 2
- d2778 1 a2778 2
d2776 1 a2776 2
- d2785 1 a2785 2
d2783 1 a2783 2
- d2795 1 a2795 2
d2793 1 a2793 2
- d2802 1 a2802 2
d2800 1 a2800 2
- d2821 1 a2821 2
d2819 1 a2819 2
- d2833 1 a2833 1
d2828 1 a2828 2
d2838 1 a2838 1
d2845 1 a2845 1
d2861 1 a2861 1
d2866 1 a2866 1
a2869 1 d2875 1 a2875 2 d2878 1 a2878 1
d2886 1 a2886 1
d2891 1 a2891 1 d2894 1 a2894 1
d2902 1 a2902 1
d2907 1 a2907 1 d2910 1 a2910 1
d2922 1 a2922 1
d2928 1 a2928 1
d2933 1 a2933 1
d2944 1 a2944 1
d2951 1 a2951 1
d2957 1 a2957 1 d2959 1 a2959 2
- d2972 1 a2972 1
d2969 1 a2969 2
d2980 1 a2980 1
d2984 1 a2984 1
d2994 1 a2994 1
d3000 1 a3000 1
d3007 1 a3007 1
d3016 1 a3016 1 defaults to ::ffff:0.0.0.0/96. d3018 1 a3018 1
d3026 1 a3026 1
d3032 1 a3032 1
d3051 1 a3051 1 d3053 1 a3053 2
- d3069 1 a3069 1
d3066 1 a3066 2
d3082 1 a3082 1
d3088 1 a3088 1
d3097 1 a3097 1 d3100 1 a3100 1
d3109 1 a3109 1
d3117 1 a3117 1
d3122 1 a3122 1
d3127 1 a3127 1 d3130 1 a3130 1
d3135 1 a3135 1
d3141 1 a3141 1
d3149 1 a3149 1 d3152 1 a3152 1
d3164 1 a3164 1
d3172 1 a3172 1
d3183 1 a3183 1 d3185 1 a3185 2
d3188 1 a3188 2d3191 1 a3191 1
d3197 1 a3197 1
d3202 1 a3202 1 d3204 1 a3204 2
- d3211 1 a3211 2
d3209 1 a3209 2
- d3222 1 a3222 2
d3220 1 a3220 2
- d3229 1 a3229 2
d3227 1 a3227 2
- d3238 1 a3238 1
d3235 1 a3235 2
d3253 1 a3253 1
d3260 1 a3260 1
d3272 1 a3272 1
d3282 1 a3282 1
d3297 1 a3297 3
d3448 2 a3449 4
d3453 1 a3453 2 d3455 1 a3455 2
- d3462 1 a3462 2
d3460 1 a3460 2
- d3473 1 a3473 2
d3471 1 a3471 2
- d3480 1 a3480 2
d3478 1 a3478 2
- d3490 1 a3490 2
d3488 1 a3488 2
- d3497 1 a3497 2
d3495 1 a3495 2
- d3507 1 a3507 2
d3505 1 a3505 2
- d3516 1 a3516 2
d3514 1 a3514 2
- d3525 1 a3525 1
d3522 1 a3522 2
d3536 1 a3536 1
d3545 1 a3545 1
d3554 1 a3554 1 d3556 1 a3556 2
- d3567 1 a3567 2
d3565 1 a3565 2
- d3585 1 a3585 2
d3583 1 a3583 2
- d3596 1 a3596 2
d3594 1 a3594 2
- d3614 1 a3614 2
d3612 1 a3612 2
- d3623 1 a3623 2
d3621 1 a3621 2
- d3634 1 a3634 1
d3631 1 a3631 2
d3640 1 a3640 1
d3642 1 a3642 1d3646 2 a3647 30
- trust-anchor-telemetry
- d3649 1 a3649 2
Causes named to send specially-formed queries once per day to domains for which trust anchors have been configured via trusted-keys, managed-keys, dnssec-validation auto, or dnssec-lookaside auto.
The query name used for these queries has the form "_ta-xxxx(-xxxx)(...)".<domain>, where each "xxxx" is a group of four hexadecimal digits representing the key ID of a trusted DNSSEC key. The key IDs for each domain are sorted smallest to largest prior to encoding. The query type is NULL.
By monitoring these queries, zone operators will be able to see which resolvers have been updated to trust a new key; this may help them decide when it is safe to remove an old one.
The default is
yes.- d3655 1 a3655 2
d3653 1 a3653 2
- d3666 1 a3666 2
d3664 1 a3664 2
- d3673 1 a3673 2
d3671 1 a3671 2
- d3680 1 a3680 2
d3678 1 a3678 2
- d3696 1 a3696 2
d3691 1 a3691 2
d3703 1 a3703 2
d3723 1 a3723 2
d3733 1 a3733 2
d3742 1 a3742 2
d3752 1 a3752 2
d3770 1 a3770 2 d3773 1 a3773 1
d3778 1 a3778 1
d3787 1 a3787 1 d3790 1 a3790 1
d3804 1 a3804 1
d3812 1 a3812 1
d3818 1 a3818 1
d3826 1 a3826 1
d3833 1 a3833 1
d3838 1 a3838 1 d3840 1 a3840 2
- d3848 1 a3848 1
d3845 1 a3845 2
d3858 1 a3858 1
d3870 1 a3870 1
ixfr-from-differences d3879 1 a3879 1 d3881 1 a3881 2
- d3892 1 a3892 1
d3889 1 a3889 2
d3897 1 a3897 1
d3903 1 a3903 1
d3926 1 a3926 1
d3929 1 a3929 1 d3931 1 a3931 2
- d3941 1 a3941 1
d3938 1 a3938 2
d3955 1 a3955 1
d3957 1 a3957 1d3966 1 a3966 2d3963 2 a3964 2
- d3974 1 a3974 2
d3972 1 a3972 2
- d3983 1 a3983 1
d3980 1 a3980 2
d3996 1 a3996 1
d4000 1 a4000 1
check-names d4008 1 a4008 1 d4010 1 a4010 2
- d4018 1 a4018 2
d4016 1 a4016 2
- d4025 1 a4025 2
d4023 1 a4023 2
- d4036 1 a4036 1
d4033 1 a4033 2
d4049 1 a4049 1
d4059 1 a4059 1 d4061 1 a4061 2
- d4067 1 a4067 2
d4065 1 a4065 2
- d4073 1 a4073 2
d4071 1 a4071 2
- d4078 1 a4078 2
d4076 1 a4076 2
- d4086 1 a4086 2
d4084 1 a4084 2
- d4093 1 a4093 2
d4091 1 a4091 2
- d4100 1 a4100 1
d4097 1 a4097 2
d4105 1 a4105 1
d4116 1 a4116 1
d4124 1 a4124 1 d4127 1 a4127 1
d4137 1 a4137 1
d4142 1 a4142 1 d4144 1 a4144 2
- d4151 1 a4151 1
d4148 1 a4148 2
d4159 1 a4159 1
d4166 1 a4166 1
d4173 1 a4173 1 d4175 2 a4176 4
d4179 1 a4179 2d4189 1 a4189 2
d4191 1 a4191 2
- d4203 1 a4203 2
d4201 1 a4201 2
- d4209 1 a4209 2
d4207 1 a4207 2
d4218 2 a4219 3
d4222 1 a4222 2d4229 1 a4229 2
d4231 1 a4231 2
- d4242 2 a4243 3
d4240 1 a4240 2
d4246 1 a4246 3d4251 1 a4251 2
d4253 1 a4253 2
- d4269 1 a4269 1
d4266 1 a4266 2
d4278 1 a4278 1
d4280 1 a4280 1d4288 1 a4288 1d4284 2 a4285 2
d4295 1 a4295 1
d4301 1 a4301 1
d4307 1 a4307 1
d4311 1 a4311 1
d4313 1 a4313 1d4320 1 a4320 2d4317 2 a4318 2
- d4331 1 a4331 2
d4329 1 a4329 2
- d4339 1 a4339 2
d4337 1 a4337 2
- d4350 1 a4350 2
d4348 1 a4348 2
- d4356 1 a4356 2
d4354 1 a4354 2
- d4366 1 a4366 1
d4363 1 a4363 2
d4383 1 a4383 1
d4391 1 a4391 1 d4393 1 a4393 2
- d4403 1 a4403 2
d4401 1 a4401 2
- d4413 1 a4413 2
d4411 1 a4411 2
- d4421 1 a4421 2
d4419 1 a4419 2
- d4428 1 a4428 1
d4425 1 a4425 2
d4436 1 a4436 1
d4444 1 a4444 1
d4456 1 a4456 1
d4461 1 a4461 1
d4476 1 a4476 1 d4478 1 a4478 2
- d4486 2 a4487 4
d4484 1 a4484 2
d4490 1 a4490 2d4499 1 a4499 1
a4503 1 d4507 1 a4507 2
d4512 1 a4512 2
d4516 1 a4516 2
d4522 1 a4522 2
d4537 1 a4537 2
d4546 1 a4546 2
a4550 1 d4554 1 a4554 2
d4560 1 a4560 2
a4562 1 d4565 2 a4566 4
d4569 1 a4569 2d4578 1 a4578 2
d4589 1 a4589 2
a4593 1 d4597 1 a4597 2
a4606 1 d4610 1 a4610 2
d4626 1 a4626 2
d4638 1 a4638 2
a4642 1 d4646 1 a4646 2
d4658 1 a4658 2
d4660 1 a4660 2
- d4664 1 a4664 2
d4662 1 a4662 2
- d4668 1 a4668 2
d4666 1 a4666 2
- d4672 1 a4672 1
d4670 1 a4670 2
d4674 1 a4674 1d4680 2 a4681 2
d4683 1 a4683 1d4687 2 a4688 2
d4690 1 a4690 1d4694 3 a4696 4
d4699 1 a4699 2d4705 1 a4705 2
d4708 1 a4708 1
d4726 1 a4726 1
d4739 1 a4739 1 d4741 1 a4741 2
- d4748 1 a4748 2
d4746 1 a4746 2
- d4755 1 a4755 2
d4753 1 a4753 2
- d4762 1 a4762 2
d4760 1 a4760 2
- d4770 1 a4770 1
d4767 1 a4767 2
d4783 1 a4783 1
d4790 1 a4790 1 d4792 1 a4792 2
- d4803 1 a4803 3
d4801 1 a4801 2
- d4825 1 a4825 2
d4823 1 a4823 3
- d4834 1 a4834 2
d4832 1 a4832 2
- d4841 1 a4841 2
d4839 1 a4839 2
- d4856 1 a4856 1
d4853 1 a4853 2
transfer-source d4877 1 a4877 1
d4879 1 a4879 1d4886 1 a4886 2d4883 2 a4884 2
- d4892 1 a4892 1
d4889 1 a4889 2
d4898 1 a4898 1
d4909 1 a4909 1 d4911 1 a4911 2- d4918 1 a4918 2
d4916 1 a4916 2
- d4927 1 a4927 1
d4924 1 a4924 2
notify-source d4941 1 a4941 1
d4943 1 a4943 1d4950 1 a4950 2d4947 2 a4948 2
- d4955 2 a4956 4
d4953 1 a4953 2
d4959 1 a4959 2a4969 1 d4974 1 a4974 2
d4980 1 a4980 2
d4997 2 a4998 3
d5001 1 a5001 2d5014 1 a5014 2
d5022 1 a5022 2
d5024 1 a5024 2
- d5029 1 a5029 2
d5027 1 a5027 2
- d5046 1 a5046 2
d5044 1 a5044 2
- d5051 1 a5051 2
d5049 1 a5049 2
- d5056 2 a5057 4
d5054 1 a5054 2
d5060 1 a5060 2d5065 1 a5065 2
d5067 1 a5067 2
- d5074 1 a5074 2
d5072 1 a5072 2
d5085 1 a5085 9
- max-records
- d5087 1 a5087 2
The maximum number of records permitted in a zone. The default is zero which means unlimited.
- d5094 1 a5094 1
d5091 1 a5091 2
d5105 1 a5105 1
d5112 1 a5112 1
d5122 1 a5122 1 d5124 1 a5124 2
- d5133 1 a5133 1
d5128 1 a5128 2
These set the d5141 1 a5141 1
d5151 1 a5151 1
d5156 1 a5156 1
d5161 1 a5161 1 d5166 1 a5166 1
d5176 1 a5176 1
d5188 1 a5188 1
d5196 1 a5196 1
d5201 1 a5201 1
d5214 1 a5214 1
d5218 1 a5218 1 d5223 1 a5223 1
d5233 1 a5233 1
d5242 1 a5242 1
d5247 1 a5247 1
d5263 1 a5263 1
d5267 1 a5267 1 d5270 1 a5270 1
d5275 1 a5275 1
d5283 1 a5283 1
d5298 1 a5298 1
d5302 1 a5302 1 d5305 1 a5305 1
d5315 1 a5315 1
d5318 1 a5318 1 d5320 1 a5320 2
- d5338 1 a5338 2
d5336 1 a5336 2
- d5350 2 a5351 4
d5348 1 a5348 2
d5354 1 a5354 2d5409 2 a5410 4d5356 1 a5356 2
- d5367 1 a5367 2
d5365 1 a5365 2
- d5377 1 a5377 2
d5375 1 a5375 2
- d5393 1 a5393 1
d5390 1 a5390 2
d5402 1 a5402 1
d5406 2 a5407 2
d5413 1 a5413 2a5429 1 d5435 1 a5435 2
d5441 1 a5441 1
a5443 1 d5446 1 a5446 2
d5448 1 a5448 1d5452 3 a5454 4
d5457 1 a5457 2d5473 1 a5473 2
d5489 1 a5489 1
d5504 1 a5504 1
a5521 1 d5545 1 a5545 2
a5556 1 d5562 2 a5563 3
d5566 1 a5566 2d5576 1 a5576 2
d5580 1 a5580 1
d5586 1 a5586 1
d5591 1 a5591 1
d5594 1 a5594 2
d5638 2 a5639 3
a5641 1 d5647 1 a5647 2
d5653 1 a5653 1
d5657 1 a5657 1
d5660 1 a5660 2
d5662 1 a5662 1d5669 3 a5671 4
d5674 1 a5674 2d5677 1 a5677 1
d5685 1 a5685 2
d5691 1 a5691 2 d5693 1 a5693 2
- d5705 1 a5705 2
d5703 1 a5703 2
- d5716 1 a5716 1
d5713 1 a5713 2
d5722 1 a5722 1
d5724 1 a5724 1d5731 1 a5731 1d5727 2 a5728 2
d5745 1 a5745 1
d5750 1 a5750 1
d5756 1 a5756 1 d5758 1 a5758 2
- d5765 1 a5765 2
d5763 1 a5763 2
- d5773 1 a5773 1
d5770 1 a5770 2
d5778 1 a5778 1
d5782 1 a5782 1
d5798 1 a5798 1 d5803 1 a5803 1
d5813 1 a5813 1
d5822 1 a5822 1
d5830 1 a5830 1 d5833 1 a5833 1
d5841 1 a5841 1
d5848 1 a5848 1
d5853 1 a5853 1
d5864 1 a5864 1
d5872 1 a5872 1
d5880 1 a5880 1 d5883 1 a5883 1
d5890 1 a5890 1
d5895 1 a5895 1
d5904 1 a5904 1
d5908 1 a5908 1 d5911 1 a5911 1
Specifies d5922 1 a5922 1
d5936 1 a5936 1
d5945 1 a5945 1 d5949 1 a5949 2
- d5962 1 a5962 2
d5958 1 a5958 2
- d5973 1 a5973 1
d5970 1 a5970 2
d5977 1 a5977 1
d5981 1 a5981 1 d5983 1 a5983 2
- d5991 1 a5991 1
d5988 1 a5988 2
d5998 1 a5998 1
d6010 1 a6010 1
d6020 1 a6020 1 d6022 2 a6023 4
d6026 1 a6026 2d6045 1 a6045 1
d6052 1 a6052 2
d6054 1 a6054 2
- d6063 1 a6063 2
d6061 1 a6061 2
- d6076 1 a6076 2
d6074 1 a6074 2
- d6090 2 a6091 4
d6088 1 a6088 2
d6094 1 a6094 2d6106 1 a6106 1
d6111 1 a6111 1
d6215 1 a6215 1
d6227 1 a6227 1
d6236 1 a6236 1
d6245 1 a6245 1d6247 1 a6247 2
- d6253 1 a6253 2
d6251 1 a6251 2
- d6259 1 a6259 2
d6257 1 a6257 2
- d6264 1 a6264 2
d6262 1 a6262 2
- d6269 2 a6270 3
d6267 1 a6267 2
d6273 1 a6273 3d6283 1 a6283 2
d6291 1 a6291 2
d6300 1 a6300 2
d6313 1 a6313 2
d6329 1 a6329 2
d6333 1 a6333 2
d6335 1 a6335 2
- d6340 1 a6340 2
d6338 1 a6338 2
- d6348 1 a6348 2
d6346 1 a6346 2
- d6360 2 a6361 4
d6358 1 a6358 2
d6364 1 a6364 2d6390 1 a6390 2
d6393 1 a6393 2
d6401 1 a6401 2
d6406 1 a6406 2
d6421 1 a6421 2
a6425 1 d6429 1 a6429 2
a6433 1 d6435 1 a6435 2
d6441 1 a6441 2
a6446 1 d6448 1 a6448 2
d6453 1 a6453 2
d6474 1 a6474 2
d6483 2 a6484 3
d6487 1 a6487 2d6495 1 a6495 2
d6506 1 a6506 2
d6515 1 a6515 2
d6521 1 a6521 1
d6536 1 a6536 2
d6552 1 a6552 1 d6554 1 a6554 2
- d6562 1 a6562 2
d6560 1 a6560 2
- d6569 1 a6569 2
d6567 1 a6567 2
- d6581 1 a6581 2
d6579 1 a6579 2
- d6592 1 a6592 2
d6588 1 a6588 2
d6621 1 a6621 2
d6628 1 a6628 2
d6640 1 a6640 2
- d6648 1 a6648 2
d6646 1 a6646 2
- d6655 1 a6655 2
d6653 1 a6653 2
- d6663 1 a6663 2
d6661 1 a6661 2
- d6668 1 a6668 2
d6666 1 a6666 2
- d6676 1 a6676 1
d6673 1 a6673 2
d6681 1 a6681 2
d6689 1 a6689 1 d6693 1 a6693 2
d6704 1 a6704 2
- d6708 1 a6708 2
The placeholder policy says "do not override but d6706 1 a6706 2
- d6722 1 a6722 2
d6718 1 a6718 2
- d6726 1 a6726 2
d6724 1 a6724 2
- d6733 1 a6733 2
d6729 1 a6729 2
d6744 1 a6744 2
d6755 1 a6755 2
d6782 1 a6782 2
d6789 1 a6789 2
d6793 1 a6793 1
d6797 1 a6797 1
d6839 1 a6839 1
d6854 1 a6854 2
d6858 2 a6859 3
d6862 1 a6862 2d6875 1 a6875 2
d6883 1 a6883 2
d6902 1 a6902 2
d6911 1 a6911 2
d6935 1 a6935 2
d6940 1 a6940 2
d6951 1 a6951 2
d6975 1 a6975 2
d6988 1 a6988 2
d7006 1 a7006 2
d7018 1 a7018 2
d7054 1 a7054 2
d7068 1 a7068 2
d7072 1 a7072 2
d7079 3 a7081 4
d7084 24 a7107 30server (ip_addr|ip_prefix) { [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ request-nsidyes_or_no; ] [ request-sityes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ tcp-onlyyes_or_no; ] [ transfersnumber; ] [ transfer-format ( one-answer | many-answers ) ; ] [ keys {key_id} ; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ query-source ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ query-source-v6 ( [ address ] (ip_addr|*) ) [ port (ip_port|*) ] [ dscpip_dscp] ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-updateintervalnumber; ] } ; d7109 2 a7110 4d7114 1 a7114 2d7123 1 a7123 2
d7138 1 a7138 2
d7144 1 a7144 1
d7160 1 a7160 2
d7170 1 a7170 2
d7184 1 a7184 2
d7189 1 a7189 2
d7208 1 a7208 2
d7216 1 a7216 9
The tcp-only option sets the transport protocol to TCP. The default is to use the UDP transport and to fallback on TCP only when a truncated response is received.
d7230 1 a7230 2
transfers d7237 1 a7237 2
d7248 1 a7248 2
d7251 1 a7251 2
d7267 1 a7267 2
d7276 1 a7276 2
d7285 1 a7285 2
d7292 1 a7292 2
d7301 2 a7302 3
d7305 5 a7309 6statistics-channels { [ inet (ip_addr|*) [ portip_port] [ allow {address_match_list} ] ; ] ... }; d7311 2 a7312 3d7316 1 a7316 2d7322 1 a7322 2
d7332 1 a7332 2
d7343 1 a7343 2
d7348 1 a7348 2
d7360 1 a7360 2
d7364 1 a7364 2
d7376 1 a7376 2
d7386 1 a7386 2
d7401 1 a7401 2
d7418 2 a7419 3
d7422 4 a7425 5trusted-keys { (domain_nameflagsprotocolalgorithmkey_data; ) ... } ; d7427 2 a7428 3d7432 1 a7432 2d7443 1 a7443 1
d7451 1 a7451 1
d7460 1 a7460 1
d7467 2 a7468 3
d7471 4 a7474 5managed-keys { (domain_nameinitial_keyflagsprotocolalgorithmkey_data; ) ... } ; d7476 2 a7477 3d7481 1 a7481 2d7489 1 a7489 1
d7499 1 a7499 1
d7510 1 a7510 1
d7521 1 a7521 1
d7534 1 a7534 1
d7542 1 a7542 1
d7547 3 a7549 3 key specified in the managed-keys statement is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. d7551 1 a7551 1
d7559 15 a7573 18
In the current implementation, the managed keys database is stored as a master-format zone file.
On servers which do not use views, this file is named
managed-keys.bind. When views are in use, there will be a separate managed keys database for each view; the filename will be a hash of the view name followed by the suffix.mkeys.When the key database is changed, the zone is updated. As with any other dynamic zone, changes will be written into a journal file, e.g.,
managed-keys.bind.jnl. Changes are committed to the master file as soon as possible afterward; this will usually occur within 30 d7575 4 a7578 4 automatic key maintenance, the zone file and journal file can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by named.) d7580 1 a7580 1d7588 3 a7590 5 (Note: The ISC DLV service is expected to cease operation by the end of 2017.) In both cases, the key that is used to initialize the key maintenance process is built into named, and can be overridden from bindkeys-file. d7592 2 a7593 3
d7596 8 a7603 8viewview_name[class] { match-clients {address_match_list} ; match-destinations {address_match_list} ; match-recursive-onlyyes_or_no; [view_option; ... ] [zone_statement; ... ] } ; d7605 2 a7606 3d7609 1 a7609 2d7618 1 a7618 2
d7646 1 a7646 2
d7655 1 a7655 2
d7668 1 a7668 2
d7673 1 a7673 2
d7689 1 a7689 2
a7692 1 d7725 2 a7726 3
d7730 191 d7922 3 a7924 205zonezone_name[class] { type master ; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update {address_match_list} ; ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ update-policylocal| {update_policy_rule; ... } ; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-spf (warn|ignore); ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] [ serial-update-method (increment|unixtime) ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type slave ; [ allow-notify {address_match_list} ; ] [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ allow-transfer {address_match_list} ; ] [ allow-update-forwarding {address_match_list} ; ] [ dnssec-update-mode (maintain|no-resign); ] [ update-check-kskyes_or_no; ] [ dnssec-dnskey-kskonlyyes_or_no; ] [ dnssec-loadkeys-intervalnumber; ] [ dnssec-secure-to-insecureyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ request-ixfryes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notify (yes_or_no|explicit|master-only) ; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ notify-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ zone-statistics (full|terse|none) ; ] [ sig-validity-intervalnumber[number] ; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ auto-dnssec (allow|maintain|off) ; ] [ inline-signingyes_or_no; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] } ; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; ] // Not Implemented. } ; zonezone_name[class] { type stub; [ allow-query {address_match_list} ; ] [ allow-query-on {address_match_list} ; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw|map) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... ] } ; ] [ masters [ portip_port] [ dscpip_dscp] { (masters_list|ip_addr[ portip_port] ) [ keykey_name] ; ... } ; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source (ip4_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [ portip_port] [ dscpip_dscp] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statistics (full|terse|none) ; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] } ; zonezone_name[class] { type static-stub; [ allow-query {address_match_list} ; ] [ server-addresses { [ip_addr; ... } ; ] [ server-names { [namelist] } ; ] [ zone-statistics (full|terse|none) ; ] } ; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[ portip_port] [ dscpip_dscp] ; ... } ; ] [ delegation-onlyyes_or_no; ] } ; zone"."[class] { type redirect; filestring; [ masterfile-format (text|raw|map) ; ] [ allow-query {address_match_list} ; ] [ max-zone-ttlnumber; ] } ; zonezone_name[class] { type delegation-only; } ; zonezone_name[class] { [ in-viewstring; ] } ; d7927 2 a7928 3d7931 1 a7931 2d7934 1 a7934 2d7944 1 a7944 3
d8257 3 a8259 5
d8262 1 a8262 2d8267 1 a8267 1
d8276 1 a8276 1
d8280 2 a8281 3
d8284 1 a8284 2d8286 1 a8286 2
- d8291 1 a8291 2
d8289 1 a8289 2
- d8296 1 a8296 2
d8294 1 a8294 2
- d8301 1 a8301 2
d8299 1 a8299 2
- d8306 1 a8306 2
d8304 1 a8304 2
- d8311 1 a8311 2
d8309 1 a8309 2
- d8316 1 a8316 2
d8314 1 a8314 2
- d8321 1 a8321 2
d8319 1 a8319 2
- d8344 1 a8344 2
d8342 1 a8342 2
- d8354 1 a8354 2
d8352 1 a8352 2
- d8359 1 a8359 2
d8357 1 a8357 2
- d8364 1 a8364 2
d8362 1 a8362 2
- d8369 1 a8369 2
d8367 1 a8367 2
- d8374 1 a8374 2
d8372 1 a8372 2
- d8379 1 a8379 2
d8377 1 a8377 2
- d8384 1 a8384 2
d8382 1 a8382 2
- d8389 1 a8389 2
d8387 1 a8387 2
- d8395 1 a8395 2
d8393 1 a8393 2
- d8401 1 a8401 2
d8399 1 a8399 2
- d8406 1 a8406 2
d8404 1 a8404 2
- d8412 1 a8412 1
d8409 1 a8409 2
d8423 1 a8423 1
d8429 1 a8429 1
d8435 1 a8435 1 d8437 1 a8437 2
- d8443 1 a8443 1
d8440 1 a8440 2
d8449 1 a8449 1
d8452 1 a8452 1 d8454 1 a8454 2
- d8462 1 a8462 2
d8460 1 a8460 2
- d8469 1 a8469 2
d8467 1 a8467 2
- d8481 1 a8481 2
d8479 1 a8479 2
- d8486 1 a8486 2
d8484 1 a8484 2
- d8492 1 a8492 2
d8490 1 a8490 2
d8495 1 a8495 9
- max-records
- d8497 1 a8497 2
See the description of max-records in the section called “Server Resource Limits”.
- d8502 1 a8502 2
d8500 1 a8500 2
- d8507 1 a8507 2
d8505 1 a8505 2
- d8512 1 a8512 2
d8510 1 a8510 2
- d8517 1 a8517 2
d8515 1 a8515 2
- d8522 1 a8522 2
d8520 1 a8520 2
- d8527 1 a8527 2
d8525 1 a8525 2
- d8533 1 a8533 2
d8531 1 a8531 2
- d8542 1 a8542 2
d8540 1 a8540 2
- d8550 1 a8550 1
d8547 1 a8547 2
d8559 1 a8559 1
d8568 1 a8568 1
d8576 1 a8576 1 d8579 1 a8579 1
d8597 1 a8597 1
d8609 1 a8609 1
d8619 1 a8619 1 d8621 1 a8621 2
- d8626 1 a8626 2
d8624 1 a8624 2
- d8631 1 a8631 2
d8629 1 a8629 2
- d8636 1 a8636 2
d8634 1 a8634 2
- d8641 1 a8641 2
d8639 1 a8639 2
- d8646 1 a8646 2
d8644 1 a8644 2
- d8651 1 a8651 2
d8649 1 a8649 2
- d8656 1 a8656 2
d8654 1 a8654 2
- d8661 1 a8661 2
d8659 1 a8659 2
- d8666 1 a8666 2
d8664 1 a8664 2
- d8671 1 a8671 2
d8669 1 a8669 2
- d8678 1 a8678 2
d8674 1 a8674 2
- d8682 1 a8682 2
d8680 1 a8680 2
- d8691 1 a8691 2
d8689 1 a8689 2
- d8697 1 a8697 2
d8695 1 a8695 2
- d8704 1 a8704 2
d8702 1 a8702 2
- d8711 1 a8711 2
d8709 1 a8709 2
- d8720 1 a8720 2
d8718 1 a8718 2
- d8725 1 a8725 2
d8723 1 a8723 2
- d8730 1 a8730 2
d8728 1 a8728 2
- d8736 1 a8736 2
d8734 1 a8734 2
- d8741 2 a8742 3
d8739 1 a8739 2
d8745 1 a8745 2BIND 9 supports two alternative d8751 1 a8751 1
d8757 1 a8757 1
d8767 1 a8767 1
d8777 1 a8777 1
d8792 1 a8792 1
d8799 1 a8799 2
update-policy { grant local-ddns zonesub any; }; d8801 1 a8801 2d8805 1 a8805 2
a8807 1 d8811 1 a8811 2
d8820 1 a8820 1
d8826 1 a8826 1
d8843 1 a8843 1
d8850 1 a8850 1
d8862 1 a8862 2
d9142 2 a9143 4
d9147 1 a9147 2
d9156 2 a9157 3
d9160 1 a9160 2d9171 1 a9171 1
d9189 1 a9189 1d9193 1 a9193 1
d9201 1 a9201 1
d9208 1 a9208 1
d9212 1 a9212 1
d9216 4 a9219 5
d9222 1 a9222 2d9225 1 a9225 2d9232 1 a9232 1
d9235 1 a9235 2d9245 1 a9245 2
d9248 1 a9248 2
d9323 2 a9324 3
d9327 1 a9327 2
d10332 2 a10333 3
d10337 1 a10337 2
d10390 2 a10391 4
d10402 1 a10402 1
d10422 1 a10422 1
d10428 2 a10429 2
d10432 1 a10432 2d10445 1 a10445 1
d10451 1 a10451 1
d10462 1 a10462 1
d10466 1 a10466 1
d10469 1 a10469 2
d10573 2 a10574 3
d10580 1 a10580 1
d10584 1 a10584 1
d10587 1 a10587 2
d10625 2 a10626 3
d10630 3 a10632 4
d10635 1 a10635 2d10644 1 a10644 2
d10661 1 a10661 1
d10670 1 a10670 2
d10814 2 a10815 2d10807 1 a10807 2
d10818 1 a10818 2d10826 1 a10826 2
d10881 2 a10882 3
d10886 2 a10887 2
d10890 1 a10890 2d10905 1 a10905 2
d10936 2 a10937 3
d10939 1 a10939 1d10946 3 a10948 3
d10951 1 a10951 2d10959 1 a10959 1
d10963 1 a10963 1
d10966 1 a10966 2d10973 2 a10974 2
d10977 1 a10977 2d10982 1 a10982 1
$ORIGIN a10991 1 d10996 1 a10996 2
a10998 1 d11002 2 a11003 3
d11006 1 a11006 2d11013 1 a11013 1
d11020 1 a11020 1
d11025 1 a11025 1
d11027 1 a11027 1d11037 3 a11039 3
d11042 1 a11042 2d11048 1 a11048 1
d11053 1 a11053 1
$TTL d11056 3 a11058 3
d11061 1 a11061 2d11071 1 a11071 1
$GENERATE a11078 1 d11082 1 a11082 2
a11084 1 d11092 1 a11092 2
a11096 1 d11101 1 a11101 2
a11103 1 d11114 1 a11114 3
d11242 2 a11243 3
d11247 1 a11247 1
d11250 2 a11251 3
d11254 1 a11254 2d11259 1 a11259 1
d11265 1 a11265 1
d11273 1 a11273 1
d11284 1 a11284 1
d11292 1 a11292 1
d11309 3 a11311 4
d11314 1 a11314 2d12848 1 a12848 1d11323 1 a11323 2
d11327 1 a11327 3
d11426 2 a11427 4
d11437 1 a11437 2
d11441 1 a11441 2
d11451 1 a11451 2
d11454 1 a11454 2d11457 1 a11457 1
d11460 1 a11460 1
d11469 1 a11469 2
d11472 1 a11472 2
d11479 1 a11479 2
d11483 1 a11483 1
d11486 2 a11487 3
d11490 1 a11490 2d11506 1 a11506 2
d11509 1 a11509 3d12100 3 a12102 5
d12105 1 a12105 3d12254 3 a12256 5
d12259 1 a12259 3d12637 3 a12639 6
d12642 1 a12642 2d12657 1 a12657 3
d12792 3 a12794 5
d12797 1 a12797 2d12804 1 a12804 2
d12806 1 a12806 2
- d12813 1 a12813 2
d12811 1 a12811 2
- d12817 1 a12817 2
d12815 1 a12815 2
- d12821 1 a12821 2
d12819 1 a12819 2
- d12827 4 a12830 5
d12825 1 a12825 2
BIND 9.10.5-P1
@ 1.1.1.31 log @ --- 9.10.5-P2 released --- 4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383] 4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET. @ text @d13793 1 a13793 1BIND 9.10.5-P2
@ 1.1.1.32 log @Changes since 9.10.5-P2: --- 9.10.7 released --- --- 9.10.7rc2 released --- 4904. [bug] Temporarily revert change #4859. [GL #124] --- 9.10.7rc1 released --- 4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670] 4888. [test] Initialize sockets correctly in sample-update so that the nsupdate system test will run on Windows. [RT #47097] 4886. [doc] Document dig -u in manpage. [RT #47150] 4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126] 4882. [bug] Address potential memory leak in dns_update_signaturesinc. [RT #47084] 4881. [bug] Only include dst_openssl.h when OpenSSL is required. [RT #47068] 4879. [bug] dns_rdata_caa:value_len field was too small. [RT #47086] --- 9.10.7b1 released --- 4876. [bug] Address deadlock with accessing a keytable. [RT #47000] 4874. [bug] Wrong time display when reporting new keywarntime. [RT #47042] 4872. [bug] Don't permit loading meta RR types such as TKEY from master files. [RT #47009] 4871. [bug] Fix configure glitch in detecting stdatomic.h support on systems with multiple compilers. [RT #46959] 4870. [test] Update included ATF library to atf-0.21 preserving the ATF tool. [RT #46967] 4869. [bug] Address some cases where NULL with zero length could be passed to memmove which is undefined behaviour and can lead to bad optimisation. [RT #46888] 4867. [cleanup] Normalize rndc on/off commands (validation and querylog) so they accept the same synonyms for on/off (yes/no, true/false, enable/disable). Thanks to Tony Finch. [RT #47022] 4866. [port] DST library initialization verifies MD5 (when MD5 was not disabled) and SHA-1 hash and HMAC support. [RT #46764] 4863. [bug] Fix various other bugs reported by Valgrind's memcheck tool. [RT #46978] 4862. [bug] The rdata flags for RRSIG were not being properly set when constructing a rdataslab. [RT #46978] 4861. [bug] The isc_crc64 unit test was not endian independent. [RT #46973] 4860. [bug] isc_int8_t should be signed char. [RT #46973] 4859. [bug] A loop was possible when attempting to validate unsigned CNAME responses from secure zones; this caused a delay in returning SERVFAIL and also increased the chances of encountering CVE-2017-3145. [RT #46839] 4858. [security] Addresses could be referenced after being freed in resolver.c, causing an assertion failure. (CVE-2017-3145) [RT #46839] 4857. [bug] Maintain attach/detach semantics for event->db, event->node, event->rdataset and event->sigrdataset in query.c. [RT #46891] 4856. [bug] 'rndc zonestatus' reported the wrong underlying type for a inline slave zone. [RT #46875] 4852. [bug] Add REQUIRE's and INSIST's to isc_time_formattimestamp, isc_time_formathttptimestamp, isc_time_formatISO8601. [RT #46892] 4851. [port] Support using kyua as well as atf-run to run the unit tests. [RT #46853] 4846. [test] Adjust timing values in runtime system test. Address named.pid removal races in runtime system test. [RT #46800] 4844. [test] Address memory leaks in libatf-c. [RT #46798] 4843. [bug] dnssec-signzone free hashlist on exit. [RT #46791] 4842. [bug] Conditionally compile opensslecdsa_link.c to avoid warnings about unused function. [RT #46790] 4841. [bug] Address -fsanitize=undefined warnings. [RT #46786] 4840. [test] Add tests to cover fallback to using ZSK on inactive KSK. [RT #46787] 4839. [bug] zone.c:zone_sign was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned with one or more DNSKEY algorithms. [RT #46774] 4838. [bug] zone.c:add_sigs was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned with one or more DNSKEY algorithms. [RT #46754] 4837. [bug] dns_update_signatures{inc} (add_sigs) was not properly determining if there were active KSK and ZSK keys for a algorithm when update-check-ksk is true (default) leaving records unsigned when there were multiple DNSKEY algorithms for the zone. [RT #46743] 4836. [bug] Zones created using "rndc addzone" could temporarily fail to inherit an "allow-transfer" ACL that had been configured in the options statement. [RT #46603] 4833. [bug] isc_event_free should check that the event is not linked when called. [RT #46725] 4832. [bug] Events were not being removed from zone->rss_events. [RT #46725] 4831. [bug] Convert the RRSIG expirytime to 64 bits for comparisions in diff.c:resign. [RT #46710] 4830. [bug] Failure to configure ATF when requested did not cause an error in top-level configure script. [RT #46655] 4829. [bug] isc_heap_delete did not zero the index value when the heap was created with a callback to do that. [RT #46709] 4827. [misc] Add a precommit check script util/checklibs.sh [RT #46215] 4826. [cleanup] Prevent potential build failures in bin/confgen/ and bin/named/ when using parallel make. [RT #46648] 4823. [test] Refactor reclimit system test to improve its reliability and speed. [RT #46632] 4822. [bug] Use resign_sooner in dns_db_setsigningtime. [RT #46473] 4821. [bug] When resigning ensure that the SOA's expire time is always later that the resigning time of other records. [RT #46473] 4820. [bug] dns_db_subtractrdataset should transfer the resigning information to the new header. [RT #46473] 4819. [bug] Fully backout the transaction when adding a RRset to the resigning / removal heaps fails. [RT #46473] 4818. [test] The logfileconfig system test could intermittently report false negatives on some platforms. [RT #46615] 4817. [cleanup] Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE. [RT #45433] 4816. [bug] Don't use a common array for storing EDNS options in DiG as it could fill up. [RT #45611] 4815. [bug] rbt_test.c:insert_and_delete needed to call dns_rbt_addnode instead of dns_rbt_addname. [RT #46553] 4814. [cleanup] Use AS_HELP_STRING for consistent help text. [RT #46521] 4812. [bug] Minor improvements to stability and consistency of code handling managed keys. [RT #46468] 4810. [test] The chain system test failed if the IPv6 interfaces were not configured. [RT #46508] 4809. [port] Check at configure time whether -latomic is needed for stdatomic.h. [RT #46324] 4805. [bug] TCP4Active and TCP6Active weren't being updated correctly. [RT #46454] 4804. [port] win32: access() does not work on directories as required by POSIX. Supply a alternative in isc_file_isdirwritable. [RT #46394] 4803. [bug] Backport fix for RT #46055 from RT #46267. [RT #46430] 4792. [bug] Fix map file header correctness check. [RT #38418] 4791. [doc] Fixed outdated documentation about export libraries. [RT #46341] 4790. [bug] nsupdate could trigger a require when sending a update to the second address of the server. [RT #45731] 4788. [cleanup] When using "update-policy local", log a warning when an update matching the session key is received from a remote host. [RT #46213] 4787. [cleanup] Turn nsec3param_salt_totext() into a public function, dns_nsec3param_salttotext(), and add unit tests for it. [RT #46289] 4783. [test] dnssec: 'check that NOTIFY is sent at the end of NSEC3 chain generation failed' required more time on some machines for the IXFR to complete. [RT #46388] 4781. [maint] B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889] 4780. [bug] When answering ANY queries, don't include the NS RRset in the authority section if it was already in the answer section. [RT #44543] 4777. [cleanup] Removed a redundant call to configure_view_acl(). [RT #46369] 4774. [bug]was incorrectly included in several header files. [RT #46311] 4773. [doc] Fixed generating Doxygen documentation for functions annotated using certain macros. Miscellaneous Doxygen-related cleanups. [RT #46276] 4771. [bug] When sending RFC 5011 refresh queries, disregard cached DNSKEY rrsets. [RT #46251] 4770. [bug] Cache additional data from priming queries as glue. Previously they were ignored as unsigned non-answer data from a secure zone, and never actually got added to the cache, causing hints to be used frequently for root-server addresses, which triggered re-priming. [RT #45241] 4769. [bug] Enforce the requirement that the managed keys directory (specified by "managed-keys-directory", and defaulting to the working directory if not specified) must be writable. [RT #46077] 4766. [cleanup] Addresss Coverity warnings. [RT #46150] 4762. [func] "update-policy local" is now restricted to updates from local addresses. (Previously, other addresses were allowed so long as updates were signed by the local session key.) [RT #45492] 4761. [protocol] Add support for DOA. [RT #45612] 4759. [func] Add logging channel "trust-anchor-telementry" to record trust-anchor-telementry in incoming requests. Both _ta-XXXX. /NULL and EDNS KEY-TAG options are logged. [RT #46124] 4758. [doc] Remove documentation of unimplemented "topology". [RT #46161] 4756. [bug] Interrupting dig could lead to an INSIST failure after certain errors were encountered while querying a host whose name resolved to more than one address. Change 4537 increased the odds of triggering this issue by causing dig to hang indefinitely when certain error paths were evaluated. dig now also retries TCP queries (once) if the server gracefully closes the connection before sending a response. [RT #42832, #45159] 4754. [bug] dns_zone_setview needs a two stage commit to properly handle errors. [RT #45841] 4753. [contrib] Software obtainable from known upstream locations (i.e., zkt, nslint, query-loc) has been removed. Links to these and other packages can be found at https://www.isc.org/community/tools [RT #46182] 4752. [test] Add unit test for isc_net_pton. [RT #46171] 4749. [func] The ISC DLV service has been shut down, and all DLV records have been removed from dlv.isc.org. - Removed references to ISC DLV in documentation - Removed DLV key from bind.keys - No longer use ISC DLV by default in delv [RT #46155] 4748. [cleanup] Sprintf to snprintf coversions. [RT #46132] 4746. [cleanup] Add configured prefixes to configure summary output. [RT #46153] 4745. [test] Add color-coded pass/fail messages to system tests when running on terminals that support them. [RT #45977] 4744. [bug] Suppress trust-anchor-telementry queries if validation is disabled. [RT #46131] 4741. [bug] Make isc_refcount_current() atomically read the counter value. [RT #46074] 4739. [cleanup] Address clang static analysis warnings. [RT #45952] 4738. [port] win32: strftime mishandles %Z. [RT #46039] 4737. [cleanup] Address Coverity warnings. [RT #46012] 4736. [cleanup] (a) Added comments to NSEC3-related functions in lib/dns/zone.c. (b) Refactored NSEC3 salt formatting code. (c) Minor tweaks to lock and result handling. [RT #46053] 4735. [bug] Add @@ISC_OPENSSL_LIBS@@ to isc-config. [RT #46078] 4734. [contrib] Added sample configuration for DNS-over-TLS in contrib/dnspriv. 4730. [bug] Fix out of bounds access in DHCID totext() method. [RT #46001] 4729. [bug] Don't use memset() to wipe memory, as it may be removed by compiler optimizations when the memset() occurs on automatic stack allocation just before function return. [RT #45947] 4728. [func] Use C11's stdatomic.h instead of isc_atomic where available. [RT #40668] 4727. [bug] Retransferring an inline-signed slave using NSEC3 around the time its NSEC3 salt was changed could result in an infinite signing loop. [RT #45080] 4725. [bug] Nsupdate: "recvsoa" was incorrectly reported for failures in sending the update message. The correct location to be reported is "update_completed". [RT #46014] 4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of strlcpy() and strlcat() for safety. [RT #45981] 4719. [bug] Address PVS static analyzer warnings. [RT #45946] 4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1, FORMERR if TC=0, and log the error correctly. [RT #45836] 4715. [bug] TreeMemMax was mis-identified as a second HeapMemMax in the Json cache statistics. [RT #45980] 4714. [port] openbsd/libressl: add support for building with --enable-openssl-hash. [RT #45982] 4713. [cleanup] Minor revisions to RPZ code to reduce differences with the development branch. [RT #46037] 4712. [bug] "dig +domain" and "dig +search" didn't retain the search domain when retrying with TCP. [RT #45547] 4711. [test] Some RR types were missing from genzones.sh. [RT #45782] 4709. [cleanup] Use dns_name_fullhash() to hash names for RRL. [RT #45435] 4703. [bug] BINDInstall.exe was missing some buffer length checks. [RT #45898] 4698. [port] Add --with-python-install-dir configure option to allow specifying a nonstandard installation directory for Python modules. [RT #45407] 4696. [port] Enable filter-aaaa support by default on Windows builds. [RT #45883] 4692. [bug] Fix build failures with libressl introduced in 4676. [RT #45879] 4690. [bug] Command line options -4/-6 were handled inconsistently between tools. [RT #45632] 4689. [cleanup] Turn on minimal responses for CDNSKEY and CDS in addition to DNSKEY and DS. Thanks to Tony Finch. [RT #45690] 4688. [protocol] Check and display EDNS KEY TAG options (RFC 8145) in messages. [RT #44804] 4686. [bug] dnssec-settime -p could print a bogus warning about key deletion scheduled before its inactivation when a key had an inactivation date set but no deletion date set. [RT #45807] 4685. [bug] dnssec-settime incorrectly calculated publication and activation dates for a successor key. [RT #45806] 4684. [bug] delv could send bogus DNS queries when an explicit server address was specified on the command line along with -4/-6. [RT #45804] 4683. [bug] Prevent nsupdate from immediately exiting on invalid user input in interactive mode. [RT #28194] 4682. [bug] Don't report errors on records below a DNAME. [RT #44880] 4680. [bug] Fix failing over to another master server address when nsupdate is used with GSS-API. [RT #45380] 4679. [cleanup] Suggest using -o when dnssec-verify finds a SOA record not at top of zone and -o is not used. [RT #45519] 4677. [cleanup] Split up the main function in dig to better support the iOS app version. [RT #45508] 4676. [cleanup] Allow BIND to be built using OpenSSL 1.0.X with deprecated functions removed. [RT #45706] 4675. [cleanup] Don't use C++ keyword class. [RT #45726] 4673. [port] Silence GCC 7 warnings. [RT #45592] 4672. [bug] Fix a regression introduced by change 3938 (when --enable-fetchlimit is NOT in use), where named as resolver would, upon fetch timeout, repeat fetching from the same nameserver address. This also broke "forward first;" configurations (as forwarders are also treated as nameservers when fetching). [RT #45321] 4671. [bug] Fix a race condition that could cause the resolver to crash with assertion failure when chasing DS in specific conditions with a very short RTT to the upstream nameserver. [RT #45168] 4670. [cleanup] Ensure that a request MAC is never sent back in an XFR response unless the signature was verified. [RT #45494] 4668. [bug] Use localtime_r and gmtime_r for thread safety. [RT #45664] 4667. [cleanup] Refactor RDATA unit tests. [RT #45610] 4665. [protocol] Added support for ED25519 and ED448 DNSSEC signing algorithms (RFC 8080). (Note: these algorithms depend on code currently in the development branch of OpenSSL which has not yet been released.) [RT #44696] 4663. [cleanup] Clarify error message printed by dnssec-dsfromkey. [RT #21731] 4662. [performance] Improve cache memory cleanup of zero TTL records by putting them at the tail of LRU header lists. [RT #45274] 4661. [bug] A race condition could occur if a zone was reloaded while resigning, triggering a crash in rbtdb.c:closeversion(). [RT #45276] 4660. [bug] Remove spurious "peer" from Windows socket log messages. [RT #45617] 4658. [bug] Clean up build directory created by "setup.py install" immediately. [RT #45628] 4657. [bug] rrchecker system test result could be improperly determined. [RT #45602] 4655. [bug] Lack of seccomp could be falsely reported. [RT #45599] 4654. [cleanup] Don't use C++ keywords delete, new and namespace. [RT #45538] 4652. [bug] Nsupdate could attempt to use a zeroed address on server timeout. [RT #45417] 4651. [test] Silence coverity warnings in tsig_test.c. [RT #45528] --- 9.10.6 released --- --- 9.10.6rc2 released --- 4653. [bug] Reorder includes to move @@DST_OPENSSL_INC@@ and @@ISC_OPENSSL_INC@@ after shipped include directories. [RT #45581] --- 9.10.6rc1 released --- 4647. [bug] Change 4643 broke verification of TSIG signed TCP message sequences where not all the messages contain TSIG records. These may be used in AXFR and IXFR responses. [RT #45509] 4645. [bug] Fix PKCS#11 RSA parsing when MD5 is disabled. [RT #45300] --- 9.10.6b1 released --- 4643. [security] An error in TSIG handling could permit unauthorized zone transfers or zone updates. (CVE-2017-3142) (CVE-2017-3143) [RT #45383] 4642. [cleanup] Add more logging of RFC 5011 events affecting the status of managed keys: newly observed keys, deletion of revoked keys, etc. [RT #45354] 4641. [cleanup] Parallel builds (make -j) could fail with --with-atf / --enable-developer. [RT #45373] 4640. [bug] If query_findversion failed in query_getdb due to memory failure the error status was incorrectly discarded. [RT #45331] 4636. [bug] Normalize rpz policy zone names when checking for existence. [RT #45358] 4635. [bug] Fix RPZ NSDNAME logging that was logging failures as NSIP. [RT #45052] 4634. [contrib] check5011.pl needs to handle optional space before semi-colon in +multi-line output. [RT #45352] 4633. [maint] Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET. 4632. [security] The BIND installer on Windows used an unquoted service path, which can enable privilege escalation. (CVE-2017-3141) [RT #45229] 4631. [security] Some RPZ configurations could go into an infinite query loop when encountering responses with TTL=0. (CVE-2017-3140) [RT #45181] 4629. [bug] dns_client_startupdate could not be called with a running client. [RT #45277] 4628. [bug] Fixed a potential reference leak in query_getdb(). [RT #45247] 4627. [func] Deprecate 'dig +sit', it is replaced by 'dig +cookie'. [RT #45245] 4626. [test] Added more tests for handling of different record ordering in CNAME and DNAME responses. [QA #430] 4624. [bug] Check isc_mem_strdup results in dns_view_setnewzones. [RT #45210] 4622. [bug] Remove unnecessary escaping of semicolon in CAA and URI records. [RT #45216] 4621. [port] Force alignment of oid arrays to silence loader warnings. [RT #45131] 4620. [port] Handle EPFNOSUPPORT being returned when probing to see if a socket type is supported. [RT #45214] 4617. [test] Update rndc system test to be more delay tolerant. [RT #45177] 4615. [bug] AD could be set on truncated answer with no records present in the answer and authority sections. [RT #45140] 4614. [test] Fixed an error in the sockaddr unit test. [RT #45146] 4612. [bug] Silence 'may be use uninitalised' warning and simplify the code in lwres/getaddinfo:process_answer. [RT #45158] 4609. [cleanup] Rearrange makefiles to enable parallel execution (i.e. "make -j"). [RT #45078] 4608. [func] DiG now warns about .local queries which are reserved for Multicast DNS. [RT #44783] 4606. [port] Stop using experimental "Experimental keys on scalar" feature of perl as it has been removed. [RT #45012] 4604. [bug] Don't use ERR_load_crypto_strings() when building with OpenSSL 1.1.0. [RT #45117] 4603. [doc] Automatically generate named.conf(5) man page from doc/misc/options. Thanks to Tony Finch. [RT #43525] 4602. [func] Threads are now set to human-readable names to assist debugging, when supported by the OS. [RT #43234] 4601. [bug] Reject incorrect RSA key lengths during key generation and and sign/verify context creation. [RT #45043] 4600. [bug] Adjust RPZ trigger counts only when the entry being deleted exists. [RT #43386] 4599. [bug] Fix inconsistencies in inline signing time comparison that were introduced with the introduction of rdatasetheader->resign_lsb. [RT #42112] 4597. [bug] The validator now ignores SHA-1 DS digest type when a DS record with SHA-384 digest type is present and is a supported digest type. [RT #45017] 4596. [bug] Validate glue before adding it to the additional section. This also fixes incorrect TTL capping when the RRSIG expired earlier than the TTL. [RT #45062] 4593. [doc] Update README using markdown, remove outdated FAQ file in favor of the knowledge base. 4592. [bug] A race condition on shutdown could trigger an assertion failure in dispatch.c. [RT #43822] 4591. [port] Addressed some python 3 compatibility issues. Thanks to Ville Skytta. [RT #44955] [RT #44956] 4590. [bug] Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being properly detected. [RT #44871] 4589. [cleanup] "configure -q" is now silent. [RT #44829] 4588. [bug] nsupdate could send queries for TKEY to the wrong server when using GSSAPI. Thanks to Tomas Hozza. [RT #39893] 4587. [bug] named-checkzone failed to handle occulted data below DNAMEs correctly. [RT #44877] 4585. [port] win32: Set CompileAS value. [RT #42474] 4584. [bug] A number of memory usage statistics were not properly reported when they exceeded 4G. [RT #44750] 4574. [bug] Dig leaked memory with multiple +subnet options. [RT #44683] 4555. [func] dig +ednsopt: EDNS options can now be specified by name in addition to numeric value. [RT #44461] @ text @d3 1 a3 1 - Copyright (C) 2004-2018 Internet Systems Consortium, Inc. ("ISC") d379 2 a380 19 Its acceptable value might be further limited by the context in which it is used.
fixedpointA non-negative real number that can be specified to the nearest one hundredth. Up to five digits can be specified before a decimal point, and up to two digits after, so the maximum value is 99999.99. Acceptable values might be further limited by the context in which it is used. d1284 1 a1284 1 to be used by the algorithm, and is treated as a Base64 a1960 10
trust-anchor-telemetry
Logs trust-anchor-telemetry requests received by named.
a2412 1 [ inline-signing yes_or_no; ] a2616 1 [ trust-anchor-telemetryyes_or_no; ] d2734 6 a2739 4 Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g.named.run) is this directory. d2742 3 a2744 5 which the server was started. The directory specified should be an absolute path. It is strongly recommended that the directory be writable by the effective user ID of the named process. d2778 1 a2778 3 directory. The directory must be writable by the effective user ID of the named process. d2924 3 a2926 2 See the discussion of dnssec-validation for details. If not specified, the default is d3120 6 d3130 22 a3151 6 NOTE: The ISC-provided DLV service atdlv.isc.org, has been shut down. The dnssec-lookaside auto; configuration option, which set named up to use ISC DLV with minimal configuration, has accordingly been removed. d3165 1 a3165 1 dnssec-validation auto must be active. d3715 1 a3715 1 In BIND 8, this enabled keeping of d3897 3 a3899 2 managed-keys, or dnssec-validation auto. d4240 7 a4246 9 is disabled.If set to
auto, DNSSEC validation is enabled, and a default trust anchor for the DNS root zone is used. If set toyes, DNSSEC validation is enabled, but a trust anchor must be manually configured using a trusted-keys or managed-keys statement. The default a4248 18The default root trust anchor is stored in the file
bind.keys. named will load that key at startup if dnssec-validation is set toauto. A copy of the file is installed along with BIND 9, and is current as of the release date. If the root key expires, a new copy ofbind.keyscan be downloaded from https://www.isc.org/bind-keys.To prevent problems if
a4251 8 named only loads the root key frombind.keysis not found, the current trust anchor is also compiled in to named. Relying on this is not recommended, however, as it requires named to be recompiled with a new key when the root key expires.)bind.keys. The file cannot be used to store keys for other zones. The root key inbind.keysis ignored if dnssec-validation auto is not in use.d4779 1 a4779 2 and filter-aaaa-on-v6 apply. The default is
any. a5880 9topology d5887 50 d5941 13 a5953 11 records (RRs) forming a resource record set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in the section called “RRset Ordering”). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client's address. This only requires configuring the name servers, not all the clients. d5957 13 a5969 8 The sortlist statement (see below) takes an address_match_list and interprets it in a special way. Each top level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of d5973 30 a6002 21 Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is interpreted as a topology preference list. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response. In BIND 8, this option indicated network topology so that preferential treatment could be given to the topologicaly closest name servers when sending queries. It is not implemented in BIND 9.
In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on d6032 4 a6035 4 local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected d6037 4 a6040 2 directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted. d6311 7 a6317 5 zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, up to a hard-coded maximum expiry of 24 weeks. However, these values are set by the master, giving slave server administrators little control over their contents. d6321 6 a6326 4 maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values. d8128 1 a8128 1 domain name, flags, protocol, algorithm, and the Base64 d8192 2 a8193 2 initialization method currently supported is
initial-key. d8265 9 a8273 7 root zone. The key that is used to initialize the key maintenance process is stored inbind.keys; the location of this file can be overridden with the bindkeys-file option. As a fallback in the event nobind.keyscan be found, the initializing key is also compiled directly into named. a9209 14file d9612 1 a9612 2 (except when set to Set the zone's filename. In master, hint, and redirect zones which do not have masters defined, zone data is loaded from this file. In slave, stub, and redirect zones which do have masters defined, zone data is retrieved from another server and saved in this file. This option is not applicable to other zone types.
local) only examines the signer of a message; the source d9616 2 a9617 2 A pre-defined update-policy rule can be switched on with the command d9620 6 a9625 7 named to generate a TSIG session key and place it in a file. That key will then be allowed to update the zone, if the update request is sent from localhost. By default, the session key is stored in the file/var/run/named/session.key; the key name is "local-ddns" and the key algorithm is HMAC-SHA256. These values are configurable with the d9631 5 a9635 6 A client on the local system, if it is run with appropriate permissions, may read the session key from the key file and use the key to sign update requests. The zone's update policy will be set to allow that key to change any record within the zone. Assuming the key name is "local-ddns", this policy is: d9642 2 a9643 13 ...with an additional restriction that only clients connecting from the local system will be permitted to send updates.Note that only one session key is generated; all zones configured to use update-policy local will accept the same key.
The command nsupdate -l implements this feature, sending requests to localhost and signing them using the key retrieved from the session key file. d9793 1 a9793 2
identityfield or "." d9845 1 a9845 1 field. The name field should be set to "." d9879 1 a9879 1 field. The name field should be set to "." d9896 1 a9896 2identityfield. The name field should be set to "." d9911 1 a9911 2 namespaces match the name to be updated. The name field should be set to "." a10420 13 DOAImplements the Digital Object Architecture over DNS. Experimental.
d12145 1 a12145 1 BIND 8 did not support the optional TTL and CLASS fields. d13793 1 a13793 1
BIND 9.10.7
@ 1.1.1.1.2.1 log @file Bv9ARM.ch06.html was added on branch jym-xensuspend on 2009-05-13 18:50:48 +0000 @ text @d1 9264 @ 1.1.1.1.2.2 log @Sync with HEAD. Second commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html @ text @a0 9264Chapter 6. BIND 9 Configuration Reference @Table of Contents
- Configuration File Elements
- Configuration File Grammar
- acl Statement Grammar
- acl Statement Definition and Usage
- controls Statement Grammar
- controls Statement Definition and Usage
- include Statement Grammar
- include Statement Definition and Usage
- key Statement Grammar
- key Statement Definition and Usage
- logging Statement Grammar
- logging Statement Definition and Usage
- lwres Statement Grammar
- lwres Statement Definition and Usage
- masters Statement Grammar
- masters Statement Definition and Usage
- options Statement Grammar
- options Statement Definition and Usage
- statistics-channels Statement Grammar
- statistics-channels Statement Definition and Usage
- server Statement Grammar
- server Statement Definition and Usage
- trusted-keys Statement Grammar
- trusted-keys Statement Definition and Usage
- view Statement Grammar
- view Statement Definition and Usage
- zone Statement Grammar
- zone Statement Definition and Usage
- Zone File
- BIND9 Statistics
BIND 9 configuration is broadly similar to BIND 8; however, there are a few new areas of configuration, such as views. BIND 8 configuration files should work with few alterations in BIND 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features found in BIND 9.
BIND 4 configuration files can be converted to the new format using the shell script
contrib/named-bootconf/named-bootconf.sh.Following is a list of elements used throughout the BIND configuration file documentation:
acl_nameThe name of an
address_match_listas defined by the acl statement.
address_match_listA list of one or more
ip_addr,ip_prefix,key_id, oracl_nameelements, see the section called “Address Match Lists”.
masters_listA named list of one or more
ip_addrwith optionalkey_idand/orip_port. Amasters_listmay include othermasters_lists.
domain_nameA quoted string which will be used as a DNS name, for example "
my.test.domain".
dotted_decimalOne to four integers valued 0 through 255 separated by dots (`.'), such as 123, 45.67 or 89.123.45.67.
ip4_addrAn IPv4 address with exactly four elements in
dotted_decimalnotation.
ip6_addrAn IPv6 address, such as 2001:db8::1234. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, in order to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated.
ip_addrAn
ip4_addrorip6_addr.
ip_portAn IP port
number. Thenumberis limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (`*') character can be used as a placeholder to select a random high-numbered port.
ip_prefixAn IP network specified as an
ip_addr, followed by a slash (`/') and then the number of bits in the netmask. Trailing zeros in aip_addrmay omitted. For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240.When specifying a prefix involving a IPv6 scoped address the scope may be omitted. In that case the prefix will match packets from any scope.
key_idA
domain_namerepresenting the name of a shared key, to be used for transaction security.
key_listA list of one or more
key_ids, separated by semicolons and ending with a semicolon.
numberA non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value might further be limited by the context in which it is used.
path_nameA quoted string which will be used as a pathname, such as
zones/master/my.test.domain.
port_listA list of an
ip_portor a port range. A port range is specified in the form ofrangefollowed by twoip_ports,port_lowandport_high, which represents port numbers fromport_lowthroughport_high, inclusive.port_lowmust not be larger thanport_high. For example,range 1024 65535represents ports from 1024 through 65535. In either case an asterisk (`*') character is not allowed as a validip_port.
size_specA number, the word
unlimited, or the worddefault.An
unlimitedsize_specrequests unlimited use, or the maximum available amount. Adefault size_specuses the limit that was in force when the server was started.A
numbercan optionally be followed by a scaling factor:Korkfor kilobytes,Mormfor megabytes, andGorgfor gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). Using
unlimitedis the best way to safely set a really large number.
yes_or_noEither
yesorno. The wordstrueandfalseare also accepted, as are the numbers1and0.
dialup_optionOne of
yes,no,notify,notify-passive,refreshorpassive. When used in a zone,notify-passive,refresh, andpassiveare restricted to slave and stub zones.address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | key key_id | acl_name | { address_match_list } )Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements which constitute an address match list can be any of the following:
- an IP address (IPv4 or IPv6)
- an IP prefix (in `/' notation)
- a key ID, as defined by the key statement
- the name of an address match list defined with the acl statement
- a nested address match list enclosed in braces
Elements can be negated with a leading exclamation mark (`!'), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement.
The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.
When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower.
The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or in a sortlist, and whether the element was negated.
When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-on, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option will cause the server to refuse queries on any of the machine's addresses which do not match the list.
Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference will be given to the one that came first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; ! 1.2.3.13; the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using ! 1.2.3.13; 1.2.3/24 fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through.
The BIND 9 comment syntax allows for comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style.
/* This is a BIND comment as in C */
// This is a BIND comment as in C++
# This is a BIND comment as in common UNIX shells and perl
Comments may appear anywhere that whitespace may appear in a BIND configuration file.
C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.
C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:
/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */
C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair.
For example:
// This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment.
Shell-style (or perl-style, if you prefer) comments start with the character
#(number sign) and continue to the end of the physical line, as in C++ comments.For example:
# This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment.
Warning
You cannot use the semicolon (`;') character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement.
A BIND 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many statements contain a block of sub-statements, which are also terminated with a semicolon.
The following statements are supported:
acl
defines a named IP address matching list, for access control and other uses.
controls
declares control channels to be used by the rndc utility.
include
includes a file.
key
specifies key information for use in authentication and authorization using TSIG.
logging
specifies what the server logs, and where the log messages are sent.
lwres
configures named to also act as a light-weight resolver daemon (lwresd).
masters
defines a named masters list for inclusion in stub and slave zone masters clauses.
options
controls global server configuration options and sets defaults for other statements.
statistics-channels
declares communication channels to get access to named statistics.
server
sets certain configuration options on a per-server basis.
trusted-keys
defines trusted DNSSEC keys.
view
defines a view.
zone
defines a zone.
The logging and options statements may only occur once per configuration.
The acl statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).
Note that an address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.
The following ACLs are built-in:
any
Matches all hosts.
none
Matches no hosts.
localhost
Matches the IPv4 and IPv6 addresses of all network interfaces on the system.
localnets
Matches any host on an IPv4 or IPv6 network for which the system has an interface. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. In such a case, localnets only matches the local IPv6 addresses, just like localhost.
controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} keys {key_list}; ] [ inet ...; ] [ unixpathpermnumberownernumbergroupnumberkeys {key_list}; ] [ unix ...; ] };The controls statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server.
An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of
*(asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of::. If you will only use rndc on the local host, using the loopback address (127.0.0.1or::1) is recommended for maximum security.If no port is specified, port 953 is used. The asterisk "
*" cannot be used for ip_port.The ability to issue commands over the control channel is restricted by the allow and keys clauses. Connections to the control channel are permitted based on the address_match_list. This is for simple IP address based filtering only; any key_id elements of the address_match_list are ignored.
A unix control channel is a UNIX domain socket listening at the specified path in the file system. Access to the socket is specified by the perm, owner and group clauses. Note on some platforms (SunOS and Solaris) the permissions (perm) are applied to the parent directory as the permissions on the socket itself are ignored.
The primary authorization mechanism of the command channel is the key_list, which contains a list of key_ids. Each key_id in the key_list is authorized to execute commands over the control channel. See Remote Name Daemon Control application in the section called “Administrative Tools”) for information about configuring keys in rndc.
If no controls statement is present, named will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. In this case, and also when the controls statement is present but does not have a keys clause, named will attempt to load the command channel key from the file
rndc.keyin/etc(or whateversysconfdirwas specified as when BIND was built). To create arndc.keyfile, runrndc-confgen -a.The
rndc.keyfeature was created to ease the transition of systems from BIND 8, which did not have digital signatures on its command channel messages and thus did not have a keys clause. It makes it possible to use an existing BIND 8 configuration file in BIND 9 unchanged, and still have rndc work the same way ndc worked in BIND 8, simply by executing the commandrndc-confgen -aafter BIND 9 is installed.Since the
rndc.keyfeature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make arndc.confwith your own key if you wish to change those things. Therndc.keyfile also has its permissions set such that only the owner of the file (the user that named is running as) can access it. If you desire greater flexibility in allowing other users to access rndc commands, then you need to create arndc.conffile and make it group readable by a group that contains the users who should have access.To disable the command channel, use an empty controls statement: controls { };.
The include statement inserts the specified file at the point where the include statement is encountered. The include statement facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server.
The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) or the command channel (see the section called “controls Statement Definition and Usage”).
The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement (see the section called “controls Statement Definition and Usage”) must be defined at the top level.
The
key_id, also known as the key name, is a domain name uniquely identifying the key. It can be used in a server statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key matching this name, algorithm, and secret.The
algorithm_idis a string that specifies a security/authentication algorithm. Named supportshmac-md5,hmac-sha1,hmac-sha224,hmac-sha256,hmac-sha384andhmac-sha512TSIG authentication. Truncated hashes are supported by appending the minimum number of required bits preceded by a dash, e.g.hmac-sha1-80. Thesecret_stringis the secret to be used by the algorithm, and is treated as a base-64 encoded string.logging { [ channelchannel_name{ ( filepath_name[ versions (number| unlimited ) ] [ sizesize spec] | syslogsyslog_facility| stderr | null ); [ severity (critical|error|warning|notice|info|debug[level] |dynamic); ] [ print-categoryyesorno; ] [ print-severityyesorno; ] [ print-timeyesorno; ] }; ] [ categorycategory_name{channel_name; [channel_name; ... ] }; ] ... };The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be:
logging { category default { default_syslog; default_debug; }; category unmatched { null; }; };In BIND 9, the logging configuration is only established when the entire configuration file has been parsed. In BIND 8, it was established as soon as the logging statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "
-g" option was specified.All log output goes to one or more channels; you can make as many of them as you want.
Every channel definition must include a destination clause that says whether messages selected for the channel go to a file, to a particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any).
The null destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless.
The file destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.
If you use the versions log file option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file
lamers.log, then just before it is openedlamers.log.1is renamed tolamers.log.2,lamers.log.0is renamed tolamers.log.1, andlamers.logis renamed tolamers.log.0. You can say versions unlimited to not limit the number of versions. If a size option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any existing log file is simply appended.The size option for files is used to limit log growth. If the file ever exceeds the size, then named will stop writing to the file unless it has a versions option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no versions option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the maximum size. The default behavior is not to limit the size of the file.
Example usage of the size and versions options:
channel an_example_channel { file "example.log" versions 3 size 20m; print-time yes; print-category yes; };The syslog destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored.
The severity clause works like syslog's "priorities", except that they can also be used if you are writing straight to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.
If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.
The stderr destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a foreground process, for example when debugging a configuration.
The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the named server with the
-dflag followed by a positive integer, or by running rndc trace. The global debug level can be set to zero, and debugging mode turned off, by running rndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example:channel specific_debug_level { file "foo"; severity debug 3; };will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global debug level to determine what messages to print.
If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print- options are on:
28-Feb-2000 15:05:32.863 general: notice: runningThere are four predefined channels that are used for named's default logging as follows. How they are used is described in the section called “The category Phrase”.
channel default_syslog { syslog daemon; // send to syslog's daemon // facility severity info; // only send priority info // and higher }; channel default_debug { file "named.run"; // write to named.run in // the working directory // Note: stderr is used instead // of "named.run" // if the server is started // with the '-f' option. severity dynamic; // log at the server's // current debug level }; channel default_stderr { stderr; // writes to stderr severity info; // only send priority info // and higher }; channel null { null; // toss anything sent to // this channel };The default_debug channel has the special property that it only produces output when the server's debug level is nonzero. It normally writes to a file called
named.runin the server's working directory.For security reasons, when the "
-u" command line option is used, thenamed.runfile is created only after named has changed to the new UID, and any debug output generated while named is starting up and still running as root is discarded. If you need to capture this output, you must run the server with the "-g" option and redirect standard error to a file.Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.
There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following "default default" is used:
category default { default_syslog; default_debug; };As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:
channel my_security_channel { file "my_security_file"; severity info; }; category security { my_security_channel; default_syslog; default_debug; };To discard all messages in a category, specify the null channel:
category xfer-out { null; }; category notify { null; };Following are the available categories and brief descriptions of the types of log information they contain. More categories may be added in future BIND releases.
default
The default category defines the logging options for those categories where no specific configuration has been defined.
general
The catch-all. Many things still aren't classified into categories, and they all end up here.
database
Messages relating to the databases used internally by the name server to store zone and cache data.
security
Approval and denial of requests.
config
Configuration file parsing and processing.
resolver
DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.
xfer-in
Zone transfers the server is receiving.
xfer-out
Zone transfers the server is sending.
notify
The NOTIFY protocol.
client
Processing of client requests.
unmatched
Messages that named was unable to determine the class of or for which there was no matching view. A one line summary is also logged to the client category. This category is best sent to a file or stderr, by default it is sent to the null channel.
network
Network operations.
update
Dynamic updates.
update-security
Approval and denial of update requests.
queries
Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the query name, class and type. It also reports whether the Recursion Desired flag was set (+ if set, - if not set), if the query was signed (S), EDNS was in use (E), if DO (DNSSEC Ok) was set (D), or if CD (Checking Disabled) was set (C).
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SEquery-errors
Information about queries that resulted in some failure.
dispatch
Dispatching of incoming packets to the server modules where they are to be processed.
dnssec
DNSSEC and TSIG protocol processing.
lame-servers
Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution.
delegation-only
Delegation only. Logs queries that have been forced to NXDOMAIN as the result of a delegation-only zone or a delegation-only in a hint or stub zone declaration.
edns-disabled
Log queries that have been forced to use plain DNS due to timeouts. This is often due to the remote servers not being RFC 1034 compliant (not always returning FORMERR or similar to EDNS queries and other extensions to the DNS when they are not understood). In other words, this is targeted at servers that fail to respond to DNS queries that they don't understand.
Note: the log message can also be due to packet loss. Before reporting servers for non-RFC 1034 compliance they should be re-tested to determine the nature of the non-compliance. This testing should prevent or reduce the number of false-positive reports.
Note: eventually named will have to stop treating such timeouts as due to RFC 1034 non compliance and start treating it as plain packet loss. Falsely classifying packet loss as due to RFC 1034 non compliance impacts on DNSSEC validation which requires EDNS for the DNSSEC records to be returned.
The query-errors category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged with debug levels.
At the debug levels of 1 or higher, each response with the rcode of SERVFAIL is logged as follows:
client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880This means an error resulting in SERVFAIL was detected at line 3880 of source file
query.c. Log messages of this level will particularly help identify the cause of SERVFAIL for an authoritative server.At the debug levels of 2 or higher, detailed context information of recursive resolutions that resulted in SERVFAIL is logged. The log message will look like as follows:
fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]The first part before the colon shows that a recursive resolution for AAAA records of www.example.com completed in 30.000183 seconds and the final result that led to the SERVFAIL was determined at line 2970 of source file
resolver.c.The following part shows the detected final result and the latest result of DNSSEC validation. The latter is always success when no validation attempt is made. In this example, this query resulted in SERVFAIL probably because all name servers are down or unreachable, leading to a timeout in 30 seconds. DNSSEC validation was probably not attempted.
The last part enclosed in square brackets shows statistics information collected for this particular resolution attempt. The
domainfield shows the deepest zone that the resolver reached; it is the zone where the error was finally detected. The meaning of the other fields is summarized in the following table.
referralThe number of referrals the resolver received throughout the resolution process. In the above example this is 2, which are most likely com and example.com.
restartThe number of cycles that the resolver tried remote servers at the
domainzone. In each cycle the resolver sends one query (possibly resending it, depending on the response) to each known name server of thedomainzone.
qrysentThe number of queries the resolver sent at the
domainzone.
timeoutThe number of timeouts since the resolver received the last response.
lameThe number of lame servers the resolver detected at the
domainzone. A server is detected to be lame either by an invalid response or as a result of lookup in BIND9's address database (ADB), where lame servers are cached.
neterrThe number of erroneous results that the resolver encountered in sending queries at the
domainzone. One common case is the remote server is unreachable and the resolver receives an ICMP unreachable error message.
badrespThe number of unexpected responses (other than
lame) to queries sent by the resolver at thedomainzone.
adberrFailures in finding remote server addresses of the
domainzone in the ADB. One common case of this is that the remote server's name does not have any address records.
findfailFailures of resolving remote server addresses. This is a total number of failures throughout the resolution process.
valfailFailures of DNSSEC validation. Validation failures are counted throughout the resolution process (not limited to the
domainzone), but should only happen indomain.At the debug levels of 3 or higher, the same messages as those at the debug 1 level are logged for other errors than SERVFAIL. Note that negative responses such as NXDOMAIN are not regarded as errors here.
At the debug levels of 4 or higher, the same messages as those at the debug 2 level are logged for other errors than SERVFAIL. Unlike the above case of level 3, messages are logged for negative responses. This is because any unexpected results can be difficult to debug in the recursion case.
This is the grammar of the lwres statement in the
named.conffile:lwres { [ listen-on {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] [ viewview_name; ] [ search {domain_name; [domain_name; ... ] }; ] [ ndotsnumber; ] };The lwres statement configures the name server to also act as a lightweight resolver server. (See the section called “Running a Resolver Daemon”.) There may be multiple lwres statements configuring lightweight resolver servers with different properties.
The listen-on statement specifies a list of addresses (and ports) that this instance of a lightweight resolver daemon should accept requests on. If no port is specified, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, port 921.
The view statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the response will be constructed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is used, and if there is no default view, an error is triggered.
The search statement is equivalent to the search statement in
/etc/resolv.conf. It provides a list of domains which are appended to relative names in queries.The ndots statement is equivalent to the ndots statement in
/etc/resolv.conf. It indicates the minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended.mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] };masters lists allow for a common set of masters to be easily used by multiple stub and slave zones.
This is the grammar of the options statement in the
named.conffile:options { [ versionversion_string; ] [ hostnamehostname_string; ] [ server-idserver_id_string; ] [ directorypath_name; ] [ key-directorypath_name; ] [ named-xferpath_name; ] [ tkey-gssapi-credentialprincipal; ] [ tkey-domaindomainname; ] [ tkey-dhkeykey_namekey_tag; ] [ cache-filepath_name; ] [ dump-filepath_name; ] [ memstatisticsyes_or_no; ] [ memstatistics-filepath_name; ] [ pid-filepath_name; ] [ recursing-filepath_name; ] [ statistics-filepath_name; ] [ zone-statisticsyes_or_no; ] [ auth-nxdomainyes_or_no; ] [ deallocate-on-exityes_or_no; ] [ dialupdialup_option; ] [ fake-iqueryyes_or_no; ] [ fetch-glueyes_or_no; ] [ flush-zones-on-shutdownyes_or_no; ] [ has-old-clientsyes_or_no; ] [ host-statisticsyes_or_no; ] [ host-statistics-maxnumber; ] [ minimal-responsesyes_or_no; ] [ multiple-cnamesyes_or_no; ] [ notifyyes_or_no|explicit|master-only; ] [ recursionyes_or_no; ] [ rfc2308-type1yes_or_no; ] [ use-id-poolyes_or_no; ] [ maintain-ixfr-baseyes_or_no; ] [ ixfr-from-differences (yes_or_no|master|slave); ] [ dnssec-enableyes_or_no; ] [ dnssec-validationyes_or_no; ] [ dnssec-lookasidedomaintrust-anchordomain; ] [ dnssec-must-be-securedomain yes_or_no; ] [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first); ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ dual-stack-servers [portip_port] { (domain_name[portip_port] |ip_addr[portip_port] ) ; ... }; ] [ check-names (master|slave|response) (warn|fail|ignore); ] [ check-mx (warn|fail|ignore); ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ check-mx-cname (warn|fail|ignore); ] [ check-srv-cname (warn|fail|ignore); ] [ check-siblingyes_or_no; ] [ allow-notify {address_match_list}; ] [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-query-cache {address_match_list}; ] [ allow-query-cache-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-recursion {address_match_list}; ] [ allow-recursion-on {address_match_list}; ] [ allow-update {address_match_list}; ] [ allow-update-forwarding {address_match_list}; ] [ update-check-kskyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ allow-v6-synthesis {address_match_list}; ] [ blackhole {address_match_list}; ] [ use-v4-udp-ports {port_list}; ] [ avoid-v4-udp-ports {port_list}; ] [ use-v6-udp-ports {port_list}; ] [ avoid-v6-udp-ports {port_list}; ] [ listen-on [ portip_port] {address_match_list}; ] [ listen-on-v6 [ portip_port] {address_match_list}; ] [ query-source ( (ip4_addr|*) [ port (ip_port|*) ] | [ address (ip4_addr|*) ] [ port (ip_port|*) ] ) ; ] [ query-source-v6 ( (ip6_addr|*) [ port (ip_port|*) ] | [ address (ip6_addr|*) ] [ port (ip_port|*) ] ) ; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-intervalnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ tcp-clientsnumber; ] [ reserved-socketsnumber; ] [ recursive-clientsnumber; ] [ serial-query-ratenumber; ] [ serial-queriesnumber; ] [ tcp-listen-queuenumber; ] [ transfer-format( one-answer | many-answers ); ] [ transfers-innumber; ] [ transfers-outnumber; ] [ transfers-per-nsnumber; ] [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-delayseconds; ] [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ notify-to-soayes_or_no; ] [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] [ max-ixfr-log-sizenumber; ] [ max-journal-sizesize_spec; ] [ coresizesize_spec; ] [ datasizesize_spec; ] [ filessize_spec; ] [ stacksizesize_spec; ] [ cleaning-intervalnumber; ] [ heartbeat-intervalnumber; ] [ interface-intervalnumber; ] [ statistics-intervalnumber; ] [ topology {address_match_list}]; [ sortlist {address_match_list}]; [ rrset-order {order_spec; [order_spec; ... ] ] }; [ lame-ttlnumber; ] [ max-ncache-ttlnumber; ] [ max-cache-ttlnumber; ] [ sig-validity-intervalnumber; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ min-rootsnumber; ] [ use-ixfryes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ treat-cr-as-spaceyes_or_no; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ portip_port; ] [ additional-from-authyes_or_no; ] [ additional-from-cacheyes_or_no; ] [ random-devicepath_name; ] [ max-cache-sizesize_spec; ] [ match-mapped-addressesyes_or_no; ] [ preferred-glue (A|AAAA|NONE); ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; [algorithm; ] }; ] [ acache-enableyes_or_no; ] [ acache-cleaning-intervalnumber; ] [ max-acache-sizesize_spec; ] [ clients-per-querynumber; ] [ max-clients-per-querynumber; ] [ masterfile-format (text|raw) ; ] [ empty-servername; ] [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] [ zero-no-soa-ttlyes_or_no; ] [ zero-no-soa-ttl-cacheyes_or_no; ] };The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If there is no options statement, an options block with each option set to its default will be used.
- directory
The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g.
named.run) is this directory. If a directory is not specified, the working directory defaults to `.', the directory from which the server was started. The directory specified should be an absolute path.- key-directory
When performing dynamic update of secure zones, the directory where the public and private key files should be found, if different than the current working directory. The directory specified must be an absolute path.
- named-xfer
This option is obsolete. It was used in BIND 8 to specify the pathname to the named-xfer program. In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server.
- tkey-gssapi-credential
The security credential with which the server should authenticate keys requested by the GSS-TSIG protocol. Currently only Kerberos 5 authentication is available and the credential is a Kerberos principal which the server can acquire through the default system key file, normally
/etc/krb5.keytab. Normally this principal is of the form "dns/server.domain". To use GSS-TSIG, tkey-domain must also be set.- tkey-domain
The domain appended to the names of all shared keys generated with TKEY. When a client requests a TKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will will be
client specified part+tkey-domain. Otherwise, the name of the shared key will berandom hex digits+tkey-domain. In most cases, the domainname should be the server's domain name, or an otherwise non-existent subdomain like "_tkey.domainname". If you are using GSS-TSIG, this variable must be defined.- tkey-dhkey
The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name.
- cache-file
This is for testing only. Do not use.
- dump-file
The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is
named_dump.db.- memstatistics-file
The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is
named.memstats.- pid-file
The pathname of the file the server writes its process ID in. If not specified, the default is
/var/run/named/named.pid. The pid-file is used by programs that want to send signals to the running name server. Specifying pid-file none disables the use of a PID file — no file will be written and any existing one will be removed. Note that none is a keyword, not a filename, and therefore is not enclosed in double quotes.- recursing-file
The pathname of the file the server dumps the queries that are currently recursing when instructed to do so with rndc recursing. If not specified, the default is
named.recursing.- statistics-file
The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is
named.statsin the server's current directory. The format of the file is described in the section called “The Statistics File”.- port
The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS.
- random-device
The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read entropy. If this is a file, operations requiring entropy will fail when the file has been exhausted. If not specified, the default value is
/dev/random(or equivalent) when present, and none otherwise. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads.- preferred-glue
If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. The default is not to prefer any type (NONE).
- root-delegation-only
Turn on enforcement of delegation-only in TLDs (top level domains) and root zones with an optional exclude list.
Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; };- disable-algorithms
Disable the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. Only the most specific will be applied.
- dnssec-lookaside
When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal dnssec validation has left the key untrusted, the trust-anchor will be append to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does) the DNSKEY RRset is deemed to be trusted.
- dnssec-must-be-secure
Specify hierarchies which must be or may not be secure (signed and validated). If
yes, then named will only accept answers if they are secure. Ifno, then normal dnssec validation applies allowing for insecure answers to be accepted. The specified domain must be under a trusted-key or dnssec-lookaside must be active.
- auth-nxdomain
If
yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default isno; this is a change from BIND 8. If you are using very old DNS software, you may need to set it toyes.- deallocate-on-exit
This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs the checks.
- memstatistics
Write memory statistics to the file specified by memstatistics-file at exit. The default is
nounless '-m record' is specified on the command line in which case it isyes.- dialup
If
yes, then the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all happens in a short interval, once every heartbeat-interval and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default isno.The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup option.
If the zone is a master zone, then the server will send out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY) allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by notify and also-notify.
If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only perform them when the heartbeat-interval expires in addition to sending NOTIFY requests.
Finer control can be achieved by using
notifywhich only sends NOTIFY messages,notify-passivewhich sends NOTIFY messages and suppresses the normal refresh queries,refreshwhich suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires, andpassivewhich just disables normal refresh processing.
dialup mode
normal refresh
heart-beat refresh
heart-beat notify
no (default)
yes
no
no
yes
no
yes
yes
notify
yes
no
yes
refresh
no
yes
no
passive
no
no
no
notify-passive
no
no
yes
Note that normal NOTIFY processing is not affected by dialup.
- fake-iquery
In BIND 8, this option enabled simulating the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation.
- fetch-glue
This option is obsolete. In BIND 8,
fetch-glue yescaused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea and BIND 9 never does it.- flush-zones-on-shutdown
When the nameserver exits due receiving SIGTERM, flush or do not flush any pending zone writes. The default is flush-zones-on-shutdown
no.- has-old-clients
This option was incorrectly implemented in BIND 8, and is ignored by BIND 9. To achieve the intended effect of has-old-clients
yes, specify the two separate options auth-nxdomainyesand rfc2308-type1noinstead.- host-statistics
In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9.
- maintain-ixfr-base
This option is obsolete. It was used in BIND 8 to determine whether a transaction log was kept for Incremental Zone Transfer. BIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone transfers, use provide-ixfr
no.- minimal-responses
If
yes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. The default isno.- multiple-cnames
This option was used in BIND 8 to allow a domain name to have multiple CNAME records in violation of the DNS standards. BIND 9.2 onwards always strictly enforces the CNAME rules both in master files and dynamic updates.
- notify
If
yes(the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see the section called “Notify”. The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the also-notify option.If
master-only, notifies are only sent for master zones. Ifexplicit, notifies are sent only to servers explicitly listed using also-notify. Ifno, no notifies are sent.The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash.
- notify-to-soa
If
yesdo not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset.- recursion
If
yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a referral response. The default isyes. Note that setting recursion no does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. See also fetch-glue above.- rfc2308-type1
Setting this to
yeswill cause the server to send NS records along with the SOA record for negative answers. The default isno.Note
Not yet implemented in BIND 9.
- use-id-pool
This option is obsolete. BIND 9 always allocates query IDs from a pool.
- zone-statistics
If
yes, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics no in the zone statement). These statistics may be accessed using rndc stats, which will dump them to the file listed in the statistics-file. See also the section called “The Statistics File”.- use-ixfr
This option is obsolete. If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option in the section called “server Statement Definition and Usage”. See also the section called “Incremental Zone Transfers (IXFR)”.
- provide-ixfr
See the description of provide-ixfr in the section called “server Statement Definition and Usage”.
- request-ixfr
See the description of request-ixfr in the section called “server Statement Definition and Usage”.
- treat-cr-as-space
This option was used in BIND 8 to make the server treat carriage return ("\r") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines are always accepted, and the option is ignored.
- additional-from-auth, additional-from-cache
These options control the behavior of an authoritative server when answering queries which have additional data, or when following CNAME and DNAME chains.
When both of these options are set to
yes(the default) and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the reply will be filled in using data from other authoritative zones and from the cache. In some situations this is undesirable, such as when there is concern over the correctness of the cache, or in servers where slave zones may be added and modified by untrusted third parties. Also, avoiding the search for this additional data will speed up server operations at the possible expense of additional queries to resolve what would otherwise be provided in the additional section.For example, if a query asks for an MX record for host
foo.example.com, and the record found is "MX 10 mail.example.net", normally the address records (A and AAAA) formail.example.netwill be provided as well, if known, even though they are not in the example.com zone. Setting these options to no disables this behavior and makes the server only search for additional data in the zone it answers from.These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set them to no without also specifying recursion no will cause the server to ignore the options and log a warning message.
Specifying additional-from-cache no actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue.
When a name server is non-recursively queried for a name that is not below the apex of any served zone, it normally answers with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server will not be able to provide upwards referrals when additional-from-cache no has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals are not required for the resolution process.
- match-mapped-addresses
If
yes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. Enabling this option is sometimes useful on IPv6-enabled Linux systems, to work around a kernel quirk that causes IPv4 TCP connections such as zone transfers to be accepted on an IPv6 socket using mapped addresses, causing address match lists designed for IPv4 to fail to match. The use of this option for any other purpose is discouraged.- ixfr-from-differences
When
yesand the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a non-incremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The differences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer.By allowing incremental zone transfers to be used for non-dynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different from the previous one, the set of differences will be of a size comparable to the combined size of the old and new zone version, and the server will need to temporarily allocate memory to hold this complete difference set.
ixfr-from-differences also accepts master and slave at the view and options levels which causes ixfr-from-differences to be enabled for all master or slave zones respectively. It is off by default.
- multi-master
This should be set when you have multiple masters for a zone and the addresses refer to different machines. If
yes, named will not log when the serial number on the master is less than what named currently has. The default isno.- dnssec-enable
Enable DNSSEC support in named. Unless set to
yes, named behaves as if it does not support DNSSEC. The default isyes.- dnssec-validation
Enable DNSSEC validation in named. Note dnssec-enable also needs to be set to
yesto be effective. The default isyes.- dnssec-accept-expired
Accept expired signatures when verifying DNSSEC signatures. The default is
no. Setting this option to "yes" leaves named vulnerable to replay attacks.- querylog
Specify whether query logging should be started when named starts. If querylog is not specified, then the query logging is determined by the presence of the logging category queries.
- check-names
This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore.
The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.
check-names applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. It also applies to the RDATA of PTR records where the owner name indicated that it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
- check-mx
Check whether the MX record appears to refer to a IP address. The default is to warn. Other possible values are fail and ignore.
- check-wildcard
This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option affects master zones. The default (yes) is to check for non-terminal wildcards and issue a warning.
- check-integrity
Perform post load zone integrity checks on master zones. This checks that MX and SRV records refer to address (A or AAAA) records and that glue address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use named-checkzone). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency checks use named-checkzone). The default is yes.
- check-mx-cname
If check-integrity is set then fail, warn or ignore MX records that refer to CNAMES. The default is to warn.
- check-srv-cname
If check-integrity is set then fail, warn or ignore SRV records that refer to CNAMES. The default is to warn.
- check-sibling
When performing integrity checks, also check that sibling glue exists. The default is yes.
- zero-no-soa-ttl
When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. The default is yes.
- zero-no-soa-ttl-cache
When caching a negative response to a SOA query set the TTL to zero. The default is no.
- update-check-ksk
When regenerating the RRSIGs following a UPDATE request to a secure zone, check the KSK flag on the DNSKEY RR to determine if this key should be used to generate the RRSIG. This flag is ignored if there are not DNSKEY RRs both with and without a KSK. The default is yes.
- try-tcp-refresh
Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is yes.
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
- forward
This option is only meaningful if the forwarders list is not empty. A value of
first, the default, causes the server to query the forwarders first — and if that doesn't answer the question, the server will then look for the answer itself. Ifonlyis specified, the server will only query the forwarders.- forwarders
Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).
Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, or not forward at all, see the section called “zone Statement Grammar”.
Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 on the host machine.
- dual-stack-servers
Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual stacked, then the dual-stack-servers have no effect unless access to a transport has been disabled on the command line (e.g. named -4).
Access to the server can be restricted based on the IP address of the requesting system. See the section called “Address Match Lists” for details on how to specify IP address lists.
- allow-notify
Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.
- allow-query
Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
Note
allow-query-cache is now used to specify access to the cache.
- allow-query-on
Specifies which local addresses can accept ordinary DNS questions. This makes it possible, for instance, to allow queries on internal-facing interfaces but disallow them on external-facing ones, without necessarily knowing the internal network's addresses.
allow-query-on may also be specified in the zone statement, in which case it overrides the options allow-query-on statement.
If not specified, the default is to allow queries on all addresses.
Note
allow-query-cache is used to specify access to the cache.
- allow-query-cache
Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used.
- allow-query-cache-on
Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, localnets and localhost.
- allow-recursion
Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.
- allow-recursion-on
Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses.
- allow-update
Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see the section called “Dynamic Update Security” for details.
- allow-update-forwarding
Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the master. The default is
{ none; }, which means that no update forwarding will be performed. To enable update forwarding, specifyallow-update-forwarding { any; };. Specifying values other than{ none; }or{ any; }is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves.Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see the section called “Dynamic Update Security” for more details.
- allow-v6-synthesis
This option was introduced for the smooth transition from AAAA to A6 and from "nibble labels" to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages.
- allow-transfer
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers to all hosts.
- blackhole
Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. The default is
none.The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port, and an
address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.Multiple listen-on statements are allowed. For example,
listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; };will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
If no listen-on is specified, the server will listen on port 53 on all IPv4 interfaces.
The listen-on-v6 option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6.
When
{ any; }is specified as the
address_match_listfor the listen-on-v6 option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542). Instead, it listens on the IPv6 wildcard address. If the system only has incomplete API support for IPv6, however, the behavior is the same as that for IPv4.A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system.
Multiple listen-on-v6 options can be used. For example,
listen-on-v6 { any; }; listen-on-v6 port 1234 { !2001:db8::/32; any; };will enable the name server on port 53 for any IPv6 addresses (with a single wildcard socket), and on port 1234 of IPv6 addresses that is not in the prefix 2001:db8::/32 (with separate sockets for each matched address.)
To make the server not listen on any IPv6 address, use
listen-on-v6 { none; };If no listen-on-v6 option is specified, the server will not listen on any IPv6 address unless -6 is specified when named is invoked. If -6 is specified then named will listen on port 53 on all IPv6 interfaces by default.
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * (asterisk) or is omitted, a wildcard IP address (INADDR_ANY) will be used.
If port is * or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in the use-v4-udp-ports (for IPv4) and use-v6-udp-ports (for IPv6) options, excluding the ranges specified in the avoid-v4-udp-ports and avoid-v6-udp-ports options, respectively.
The defaults of the query-source and query-source-v6 options are:
query-source address * port *; query-source-v6 address * port *;If use-v4-udp-ports or use-v6-udp-ports is unspecified, named will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, named will use the corresponding system default range; otherwise, it will use its own defaults:
use-v4-udp-ports { range 1024 65535; }; use-v6-udp-ports { range 1024 65535; };Note: make sure the ranges be sufficiently large for security. A desirable size depends on various parameters, but we generally recommend it contain at least 16384 ports (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be changed while named is running; the new range will automatically be applied when named is reloaded. It is encouraged to configure use-v4-udp-ports and use-v6-udp-ports explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications.
Note: the operational configuration where named runs may prohibit the use of some ports. For example, UNIX systems will not allow named running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will fail, resulting in resolution failures or delay. It is therefore important to configure the set of ports that can be safely used in the expected operational environment.
The defaults of the avoid-v4-udp-ports and avoid-v6-udp-ports options are:
avoid-v4-udp-ports {}; avoid-v6-udp-ports {};Note: BIND 9.5.0 introduced the use-queryport-pool option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the query-source or query-source-v6 options; it implicitly disables the use of randomized port numbers.
- use-queryport-pool
This option is obsolete.
- queryport-pool-ports
This option is obsolete.
- queryport-pool-updateinterval
This option is obsolete.
Note
The address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port.
Note
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
Note
See also transfer-source and notify-source.
BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.
- also-notify
Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. If an also-notify list is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list).
- max-transfer-time-in
Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
- max-transfer-idle-in
Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
- max-transfer-time-out
Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
- max-transfer-idle-out
Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
- serial-query-rate
Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20.
- serial-queries
In BIND 8, the serial-queries option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined using the serial-query-rate option.
- transfer-format
Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the master server to determine which format it sends. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only supported by relatively new slave servers, such as BIND 9, BIND 8.x and BIND 4.9.5 onwards. The many-answers format is also supported by recent Microsoft Windows nameservers. The default is many-answers. transfer-format may be overridden on a per-server basis by using the server statement.
- transfers-in
The maximum number of inbound zone transfers that can be running concurrently. The default value is
10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.- transfers-out
The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is
10.- transfers-per-ns
The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is
2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement.- transfer-source
transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.
Note
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
- transfer-source-v6
The same as transfer-source, except zone transfers are performed using IPv6.
- alt-transfer-source
An alternate transfer source if the one listed in transfer-source fails and use-alt-transfer-source is set.
Note
If you do not wish the alternate transfer source to be used, you should set use-alt-transfer-source appropriately and you should not depend upon getting a answer back to the first refresh query.- alt-transfer-source-v6
An alternate transfer source if the one listed in transfer-source-v6 fails and use-alt-transfer-source is set.
- use-alt-transfer-source
Use the alternate transfer sources or not. If views are specified this defaults to no otherwise it defaults to yes (for BIND 8 compatibility).
- notify-source
notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view block in the configuration file.
Note
Solaris 2.5.1 and earlier does not support setting the source address for TCP sockets.
- notify-source-v6
Like notify-source, but applies to notify messages sent to IPv6 addresses.
use-v4-udp-ports, avoid-v4-udp-ports, use-v6-udp-ports, and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. See the section called “Query Address” about how the available ports are determined. For example, with the following configuration
use-v6-udp-ports { range 32768 65535; }; avoid-v6-udp-ports { 40000; range 50000 60000; };UDP ports of IPv6 messages sent from named will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535.
avoid-v4-udp-ports and avoid-v6-udp-ports can be used to prevent named from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a firewall, the answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with use-v4-udp-ports and use-v6-udp-ports, and the avoid- options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification.
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See the description of size_spec in the section called “Configuration File Elements”.
The following options set operating system resource limits for the name server process. Some operating systems don't support some or any of the limits. On such systems, a warning will be issued if the unsupported limit is used.
- coresize
The maximum size of a core dump. The default is
default.- datasize
The maximum amount of data memory the server may use. The default is
default. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this limit, the allocation will fail, which may in turn leave the server unable to perform DNS service. Therefore, this option is rarely useful as a way of limiting the amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the max-cache-size and recursive-clients options instead.- files
The maximum number of files the server may have open concurrently. The default is
unlimited.- stacksize
The maximum amount of stack memory the server may use. The default is
default.The following options set limits on the server's resource consumption that are enforced internally by the server rather than the operating system.
- max-ixfr-log-size
This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option max-journal-size performs a similar function in BIND 9.
- max-journal-size
Sets a maximum size for each journal file (see the section called “The journal file”). When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is
unlimited. This may also be set on a per-zone basis.- host-statistics-max
In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9.
- recursive-clients
The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is
1000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the recursive-clients option may have to be decreased on hosts with limited memory.- tcp-clients
The maximum number of simultaneous client TCP connections that the server will accept. The default is
100.- reserved-sockets
The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of interfaces named listens on, tcp-clients as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is
512. The minimum value is128and the maximum value is128less than maxsockets (-S). This option may be removed in the future.This option has little effect on Windows.
- max-cache-size
The maximum amount of memory to use for the server's cache, in bytes. When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely based on an LRU based strategy so that the limit is not exceeded. A value of 0 is special, meaning that records are purged from the cache only when their TTLs expire. Another special keyword
unlimitedmeans the maximum value of 32-bit unsigned integers (0xffffffff), which may not have the same effect as 0 on machines that support more than 32 bits of memory space. Any positive values less than 2MB will be ignored reset to 2MB. In a server with multiple views, the limit applies separately to the cache of each view. The default is 0.- tcp-listen-queue
The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter "dataready" this also controls how many TCP connections that will be queued in kernel space waiting for some data before being passed to accept. Values less than 3 will be silently raised.
- cleaning-interval
This interval is effectively obsolete. Previously, the server would remove expired resource records from the cache every cleaning-interval minutes. BIND 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior.
- heartbeat-interval
The server will perform zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur.
- interface-interval
The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, the server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and will stop listening on interfaces that have gone away.
- statistics-interval
Name server statistics will be logged every statistics-interval minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged.
Note
Not yet implemented in BIND 9.
All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example,
topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; };will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
The default topology is
topology { localhost; localnets; };Note
The topology option is not implemented in BIND 9.
The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order (but see the rrset-order statement in the section called “RRset Ordering”). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client's address. This only requires configuring the name servers, not all the clients.
The sortlist statement (see below) takes an address_match_list and interprets it even more specifically than the topology statement does (the section called “Topology”). Each top level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name or a nested address_match_list) of each top level list is checked against the source address of the query until a match is found.
Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is treated the same as the address_match_list in a topology statement. Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response.
In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on their directly connected networks.
sortlist { { localhost; // IF the local host { localnets; // THEN first fit on the 192.168.1/24; // following nets { 192.168.2/24; 192.168.3/24; }; }; }; { 192.168.1/24; // IF on class C 192.168.1 { 192.168.1/24; // THEN use .1, or .2 or .3 { 192.168.2/24; 192.168.3/24; }; }; }; { 192.168.2/24; // IF on class C 192.168.2 { 192.168.2/24; // THEN use .2, or .1 or .3 { 192.168.1/24; 192.168.3/24; }; }; }; { 192.168.3/24; // IF on class C 192.168.3 { 192.168.3/24; // THEN use .3, or .1 or .2 { 192.168.1/24; 192.168.2/24; }; }; }; { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net }; };The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted.
sortlist { { localhost; localnets; }; { localnets; }; };When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. The rrset-order statement permits configuration of the ordering of the records in a multiple record response. See also the sortlist statement, the section called “The sortlist Statement”.
An order_spec is defined as follows:
[class
class_name] [typetype_name] [name"domain_name"] orderorderingIf no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is "*" (asterisk).
The legal values for ordering are:
fixed
Records are returned in the order they are defined in the zone file.
random
Records are returned in some random order.
cyclic
Records are returned in a cyclic round-robin order.
If BIND is configured with the "--enable-fixed-rrset" option at compile time, then the initial ordering of the RRset will match the one specified in the zone file.
For example:
rrset-order { class IN type A name "host.example.com" order random; order cyclic; };will cause any responses for type A records in class IN that have "
host.example.com" as a suffix, to always be returned in random order. All other records are returned in cyclic order.If multiple rrset-order statements appear, they are not combined — the last one applies.
Note
In this release of BIND 9, the rrset-order statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line.
- lame-ttl
Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is NOT recommended.) The default is
600(10 minutes) and the maximum value is1800(30 minutes).- max-ncache-ttl
To reduce network traffic and increase performance, the server stores negative answers. max-ncache-ttl is used to set a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is
10800seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value.- max-cache-ttl
Sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). A value of zero may cause all queries to return SERVFAIL, because of lost caches of intermediate RRsets (such as NS and glue AAAA/A records) in the resolution process.
- min-roots
The minimum number of root servers that is required for a request for the root servers to be accepted. The default is
2.Note
Not implemented in BIND 9.
- sig-validity-interval
Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates (the section called “Dynamic Update”) will expire. There is a optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will be regenerated at 1/4 of base interval. The second field is specified in days if the base interval is greater than 7 days otherwise it is specified in hours. The default base interval is
30days giving a re-signing interval of 7 1/2 days. The maximum values are 10 years (3660 days).The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.
The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates.
- sig-signing-nodes
Specify the maximum number of nodes to be examined in each quantum when signing a zone with a new DNSKEY. The default is
100.- sig-signing-signatures
Specify a threshold number of signatures that will terminate processing a quantum when signing a zone with a new DNSKEY. The default is
10.- sig-signing-type
Specify a private RDATA type to be used when generating key signing records. The default is
65535.It is expected that this parameter may be removed in a future version once there is a standard type.
- min-refresh-time, max-refresh-time, min-retry-time, max-retry-time
These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents.
These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.
- edns-udp-size
Sets the advertised EDNS UDP buffer size in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes.
- max-udp-size
Sets the maximum EDNS UDP message size named will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting max-udp-size to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive buffer (edns-udp-size).
- masterfile-format
Specifies the file format of zone files (see the section called “Additional File Formats”). The default value is
text, which is the standard textual representation. Files in other formats thantextare typically expected to be generated by the named-compilezone tool. Note that when a zone file in a different format thantextis loaded, named may omit some of the checks which would be performed for a file in thetextformat. In particular, check-names checks do not apply for therawformat. This means a zone file in therawformat must be generated with the same check level as that specified in the named configuration file. This statement sets the masterfile-format for all zones, but can be overridden on a per-zone or per-view basis by including a masterfile-format statement within the zone or view block in the configuration file.- clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept before dropping additional clients. named will attempt to self tune this value and changes will be logged. The default values are 10 and 100.
This value should reflect how many queries come in for a given name in the time it takes to resolve that name. If the number of queries exceed this value, named will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The estimate will then be lowered in 20 minutes if it has remained unchanged.
If clients-per-query is set to zero, then there is no limit on the number of clients per query and no queries will be dropped.
If max-clients-per-query is set to zero, then there is no upper bound other than imposed by recursive-clients.
- notify-delay
The delay, in seconds, between sending sets of notify messages for a zone. The default is zero.
The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain
bindin the CHAOS class. These zones are part of a built-in view (see the section called “view Statement Grammar”) of class CHAOS which is separate from the default view of class IN; therefore, any global server options such as allow-query do not apply the these zones. If you feel the need to disable these zones, use the options below, or hide the built-in CHAOS view by defining an explicit view of class CHAOS that matches all clients.
- version
The version the server should report via a query of the name
version.bindwith type TXT, class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries.- hostname
The hostname the server should report via a query of the name
hostname.bindwith type TXT, class CHAOS. This defaults to the hostname of the machine hosting the name server as found by the gethostname() function. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying hostname none; disables processing of the queries.- server-id
The ID the server should report when receiving a Name Server Identifier (NSID) query, or a query of the name
ID.SERVERwith type TXT, class CHAOS. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying server-id none; disables processing of the queries. Specifying server-id hostname; will cause named to use the hostname as found by the gethostname() function. The default server-id is none.Named has some built-in empty zones (SOA and NS records only). These are for zones that should normally be answered locally and which queries should not be sent to the Internet's root servers. The official servers which cover these namespaces return NXDOMAIN responses to these queries. In particular, these cover the reverse namespace for addresses from RFC 1918 and RFC 3330. They also include the reverse namespace for IPv6 local address (locally assigned), IPv6 link local addresses, the IPv6 loopback address and the IPv6 unknown address.
Named will attempt to determine if a built in zone already exists or is active (covered by a forward-only forwarding declaration) and will not create a empty zone in that case.
The current list of empty zones is:
- 0.IN-ADDR.ARPA
- 127.IN-ADDR.ARPA
- 254.169.IN-ADDR.ARPA
- 2.0.192.IN-ADDR.ARPA
- 255.255.255.255.IN-ADDR.ARPA
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
- D.F.IP6.ARPA
- 8.E.F.IP6.ARPA
- 9.E.F.IP6.ARPA
- A.E.F.IP6.ARPA
- B.E.F.IP6.ARPA
Empty zones are settable at the view level and only apply to views of class IN. Disabled empty zones are only inherited from options if there are no disabled empty zones specified at the view level. To override the options list of disabled zones, you can disable the root zone at the view level, for example:
disable-empty-zone ".";
If you are using the address ranges covered here, you should already have reverse zones covering the addresses you use. In practice this appears to not be the case with many queries being made to the infrastructure servers for names in these spaces. So many in fact that sacrificial servers were needed to be deployed to channel the query load away from the infrastructure servers.
Note
The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built in empty zones. This will enable them to return referrals to deeper in the tree.
- empty-server
Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used.
- empty-contact
Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used.
- empty-zones-enable
Enable or disable all empty zones. By default, they are enabled.
- disable-empty-zone
Disable individual empty zones. By default, none are disabled. This option can be specified multiple times.
The additional section cache, also called acache, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. Note that acache is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function.
Additional section caching does not change the response content (except the RRsets ordering of the additional section, see below), but can improve the response performance significantly. It is particularly effective when BIND 9 acts as an authoritative server for a zone that has many delegations with many glue RRs.
In order to obtain the maximum performance improvement from additional section caching, setting additional-from-cache to no is recommended, since the current implementation of acache does not short-cut of additional section information from the DNS cache data.
One obvious disadvantage of acache is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the acache mechanism can be disabled by setting acache-enable to no. It is also possible to specify the upper limit of memory consumption for acache by using max-acache-size.
Additional section caching also has a minor effect on the RRset ordering in the additional section. Without acache, cyclic order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the setting of rrset-order. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases it only contains a single RR), in which case the ordering does not matter much.
The following is a summary of options related to acache.
- acache-enable
If yes, additional section caching is enabled. The default value is no.
- acache-cleaning-interval
The server will remove stale cache entries, based on an LRU based algorithm, every acache-cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.
- max-acache-size
The maximum amount of memory in bytes to use for the server's acache. When the amount of data in the acache reaches this limit, the server will clean more aggressively so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the acache of each view. The default is
16M.statistics-channels { [ inet ( ip_addr | * ) [ port ip_port ] [allow {address_match_list} ]; ] [ inet ...; ] };The statistics-channels statement declares communication channels to be used by system administrators to get access to statistics information of the name server.
This statement intends to be flexible to support multiple communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; the statistics-channels statement is still accepted even if it is built without the library, but any HTTP access will fail with an error.
An inet control channel is a TCP socket listening at the specified ip_port on the specified ip_addr, which can be an IPv4 or IPv6 address. An ip_addr of
*(asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of::.If no port is specified, port 80 is used for HTTP channels. The asterisk "
*" cannot be used for ip_port.The attempt of opening a statistics channel is restricted by the optional allow clause. Connections to the statistics channel are permitted based on the address_match_list. If no allow clause is present, named accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately.
If no statistics-channels statement is present, named will not open any communication channels.
serverip_addr[/prefixlen]{ [ bogusyes_or_no; ] [ provide-ixfryes_or_no; ] [ request-ixfryes_or_no; ] [ ednsyes_or_no; ] [ edns-udp-sizenumber; ] [ max-udp-sizenumber; ] [ transfersnumber; ] [ transfer-format( one-answer | many-answers ); ]] [ keys{ string ; [ string ; [...]] }; ] [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ query-source [ address (ip_addr|*) ] [ port (ip_port|*) ]; ] [ query-source-v6 [ address (ip_addr|*) ] [ port (ip_port|*) ]; ] [ use-queryport-poolyes_or_no; ] [ queryport-pool-portsnumber; ] [ queryport-pool-intervalnumber; ] };The server statement defines characteristics to be associated with a remote name server. If a prefix length is specified, then a range of servers is covered. Only the most specific server clause applies regardless of the order in
named.conf.The server statement can occur at the top level of the configuration file or inside a view statement. If a view statement contains one or more server statements, only those apply to the view and any top-level ones are ignored. If a view contains no server statements, any top-level server statements are used as defaults.
If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no.
The provide-ixfr clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer will be provided whenever possible. If set to no, all transfers to the remote server will be non-incremental. If not set, the value of the provide-ixfr option in the view or global options block is used as a default.
The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the request-ixfr option in the view or global options block is used as a default.
IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used.
The edns clause determines whether the local server will attempt to use EDNS when communicating with the remote server. The default is yes.
The edns-udp-size option sets the EDNS UDP size that is advertised by named when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you wish to advertises a different value to this server than the value you advertise globally, for example, when there is a firewall at the remote site that is blocking large replies.
The max-udp-size option sets the maximum EDNS UDP message size named will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large replies from named.
The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.
transfers is used to limit the number of concurrent inbound zone transfers from the specified server. If no transfers clause is specified, the limit is set according to the transfers-per-ns option.
The keys clause identifies a key_id defined by the key statement, to be used for transaction security (TSIG, the section called “TSIG”) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the message. A request originating from the remote server is not required to be signed by this key.
Although the grammar of the keys clause allows for multiple keys, only a single key per server is currently supported.
The transfer-source and transfer-source-v6 clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. For an IPv4 remote server, only transfer-source can be specified. Similarly, for an IPv6 remote server, only transfer-source-v6 can be specified. For more details, see the description of transfer-source and transfer-source-v6 in the section called “Zone Transfers”.
The notify-source and notify-source-v6 clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an IPv4 remote server, only notify-source can be specified. Similarly, for an IPv6 remote server, only notify-source-v6 can be specified.
The query-source and query-source-v6 clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 remote server, only query-source can be specified. Similarly, for an IPv6 remote server, only query-source-v6 can be specified.
trusted-keys {stringnumbernumbernumberstring; [stringnumbernumbernumberstring; [...]] };The trusted-keys statement defines DNSSEC security roots. DNSSEC is described in the section called “DNSSEC”. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is unsigned. Once a key has been configured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts DNSSEC validation on all DNS data in subdomains of a security root.
All keys (and corresponding zones) listed in trusted-keys are deemed to exist regardless of what parent zones say. Similarly for all keys listed in trusted-keys only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used.
The trusted-keys statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base-64 representation of the key data. Spaces, tabs, newlines and carriage returns are ignored in the key data, so the configuration may be split up into multiple lines.
viewview_name[class] { match-clients {address_match_list}; match-destinations {address_match_list}; match-recursive-onlyyes_or_no; [view_option; ...] [zone_statement; ...] };The view statement is a powerful feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers.
Each view statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the
address_match_listof the view's match-clients clause and its destination IP address matches theaddress_match_listof the view's match-destinations clause. If not specified, both match-clients and match-destinations default to matching all addresses. In addition to checking IP addresses match-clients and match-destinations can also take keys which provide an mechanism for the client to select the view. A view can also be specified as match-recursive-only, which means that only recursive requests from matching clients will match that view. The order of the view statements is significant — a client request will be resolved in the context of the first view that it matches.Zones defined within a view statement will only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup.
Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view. When no view-specific value is given, the value in the options statement is used as a default. Also, zone options can have default values specified in the view statement; these view-specific defaults take precedence over those in the options statement.
Views are class specific. If no class is given, class IN is assumed. Note that all non-IN views must contain a hint zone, since only the IN class has compiled-in default hints.
If there are no view statements in the config file, a default view that matches any client is automatically created in class IN. Any zone statements specified on the top level of the configuration file are considered to be part of this default view, and the options statement will apply to the default view. If any explicit view statements are present, all zone statements must occur inside view statements.
Here is an example of a typical split DNS setup implemented using view statements:
view "internal" { // This should match our internal networks. match-clients { 10.0.0.0/8; }; // Provide recursive service to internal clients only. recursion yes; // Provide a complete view of the example.com zone // including addresses of internal hosts. zone "example.com" { type master; file "example-internal.db"; }; }; view "external" { // Match all clients not matched by the previous view. match-clients { any; }; // Refuse recursive service to external clients. recursion no; // Provide a restricted view of the example.com zone // containing only publicly accessible hosts. zone "example.com" { type master; file "example-external.db"; }; };zonezone_name[class] { type master; [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-update {address_match_list}; ] [ update-policy {update_policy_rule[...] }; ] [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] [ check-names (warn|fail|ignore) ; ] [ check-mx (warn|fail|ignore) ; ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ zone-statisticsyes_or_no; ] [ sig-validity-intervalnumber; ] [ sig-signing-nodesnumber; ] [ sig-signing-signaturesnumber; ] [ sig-signing-typenumber; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ key-directorypath_name; ] [ zero-no-soa-ttlyes_or_no; ] }; zonezone_name[class] { type slave; [ allow-notify {address_match_list}; ] [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ allow-transfer {address_match_list}; ] [ allow-update-forwarding {address_match_list}; ] [ update-check-kskyes_or_no; ] [ try-tcp-refreshyes_or_no; ] [ also-notify {ip_addr[portip_port] ; [ip_addr[portip_port] ; ... ] }; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ filestring; ] [ masterfile-format (text|raw) ; ] [ journalstring; ] [ max-journal-sizesize_spec; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ ixfr-basestring; ] [ ixfr-from-differencesyes_or_no; ] [ ixfr-tmp-filestring; ] [ maintain-ixfr-baseyes_or_no; ] [ masters [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] [ max-ixfr-log-sizenumber; ] [ max-transfer-idle-innumber; ] [ max-transfer-idle-outnumber; ] [ max-transfer-time-innumber; ] [ max-transfer-time-outnumber; ] [ notifyyes_or_no|explicit|master-only; ] [ notify-delayseconds; ] [ notify-to-soayes_or_no; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ notify-source (ip4_addr|*) [portip_port] ; ] [ notify-source-v6 (ip6_addr|*) [portip_port] ; ] [ zone-statisticsyes_or_no; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] [ zero-no-soa-ttlyes_or_no; ] }; zonezone_name[class] { type hint; filestring; [ delegation-onlyyes_or_no; ] [ check-names (warn|fail|ignore) ; // Not Implemented. ] }; zonezone_name[class] { type stub; [ allow-query {address_match_list}; ] [ allow-query-on {address_match_list}; ] [ check-names (warn|fail|ignore) ; ] [ dialupdialup_option; ] [ delegation-onlyyes_or_no; ] [ filestring; ] [ masterfile-format (text|raw) ; ] [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ masters [portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }; ] [ max-transfer-idle-innumber; ] [ max-transfer-time-innumber; ] [ pubkeynumbernumbernumberstring; ] [ transfer-source (ip4_addr|*) [portip_port] ; ] [ transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ alt-transfer-source (ip4_addr|*) [portip_port] ; ] [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] ; ] [ use-alt-transfer-sourceyes_or_no; ] [ zone-statisticsyes_or_no; ] [ databasestring; ] [ min-refresh-timenumber; ] [ max-refresh-timenumber; ] [ min-retry-timenumber; ] [ max-retry-timenumber; ] [ multi-masteryes_or_no; ] }; zonezone_name[class] { type forward; [ forward (only|first) ; ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ delegation-onlyyes_or_no; ] }; zonezone_name[class] { type delegation-only; };
masterThe server has a master copy of the data for the zone and will be able to provide authoritative answers for it.
slaveA slave zone is a replica of a master zone. The masters list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be done with per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two-level naming scheme for zone filenames. For example, a slave server for the zone
example.commight place the zone contents into a file calledex/example.comwhereex/is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100 000 files into a single directory.)
stubA stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation.
Stub zones can be used to eliminate the need for glue NS record in a parent zone at the expense of maintaining a stub zone entry and a set of name server addresses in
named.conf. This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. In BIND 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones configured.Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1918 addressing may be configured with stub zones for
10.in-addr.arpato use a set of internal name servers as the authoritative servers for that domain.
forwardA "forward zone" is a way to configure forwarding on a per-domain basis. A zone statement of type forward can contain a forward and/or forwarders statement, which will apply to queries within the domain given by the zone name. If no forwarders statement is present or an empty list for forwarders is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the options statement. Thus if you want to use this type of zone to change the behavior of the global forward option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same servers as set globally) you need to re-specify the global forwarders.
hintThe initial set of root name servers is specified using a "hint zone". When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers hints. Classes other than IN have no built-in defaults hints.
delegation-onlyThis is used to enforce the delegation-only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without an explicit or implicit delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone apex. This should not be applied to leaf zones.
delegation-onlyhas no effect on answers received from forwarders.The zone's name may optionally be followed by a class. If a class is not specified, class
IN(forInternet), is assumed. This is correct for the vast majority of cases.The
hesiodclass is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keywordHSis a synonym for hesiod.Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the
CHAOSclass.
- allow-notify
See the description of allow-notify in the section called “Access Control”.
- allow-query
See the description of allow-query in the section called “Access Control”.
- allow-query-on
See the description of allow-query-on in the section called “Access Control”.
- allow-transfer
See the description of allow-transfer in the section called “Access Control”.
- allow-update
See the description of allow-update in the section called “Access Control”.
- update-policy
Specifies a "Simple Secure Update" policy. See the section called “Dynamic Update Policies”.
- allow-update-forwarding
See the description of allow-update-forwarding in the section called “Access Control”.
- also-notify
Only meaningful if notify is active for this zone. The set of machines that will receive a
DNS NOTIFYmessage for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. also-notify is not meaningful for stub zones. The default is the empty list.- check-names
This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn.
- check-mx
See the description of check-mx in the section called “Boolean Options”.
- check-wildcard
See the description of check-wildcard in the section called “Boolean Options”.
- check-integrity
See the description of check-integrity in the section called “Boolean Options”.
- check-sibling
See the description of check-sibling in the section called “Boolean Options”.
- zero-no-soa-ttl
See the description of zero-no-soa-ttl in the section called “Boolean Options”.
- update-check-ksk
See the description of update-check-ksk in the section called “Boolean Options”.
- try-tcp-refresh
See the description of try-tcp-refresh in the section called “Boolean Options”.
- database
Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type.
The default is
"rbt", BIND 9's native in-memory red-black-tree database. This database does not take arguments.Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default.
- dialup
See the description of dialup in the section called “Boolean Options”.
- delegation-only
The flag only applies to hint and stub zones. If set to
yes, then the zone will also be treated as if it is also a delegation-only type zone.- forward
Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried.
- forwarders
Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone and the global options are not used.
- ixfr-base
Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending "
.jnl" to the name of the zone file.- ixfr-tmp-file
Was an undocumented option in BIND 8. Ignored in BIND 9.
- journal
Allow the default journal's filename to be overridden. The default is the zone's filename with "
.jnl" appended. This is applicable to master and slave zones.- max-journal-size
See the description of max-journal-size in the section called “Server Resource Limits”.
- max-transfer-time-in
See the description of max-transfer-time-in in the section called “Zone Transfers”.
- max-transfer-idle-in
See the description of max-transfer-idle-in in the section called “Zone Transfers”.
- max-transfer-time-out
See the description of max-transfer-time-out in the section called “Zone Transfers”.
- max-transfer-idle-out
See the description of max-transfer-idle-out in the section called “Zone Transfers”.
- notify
See the description of notify in the section called “Boolean Options”.
- notify-delay
See the description of notify-delay in the section called “Tuning”.
- notify-to-soa
See the description of notify-to-soa in the section called “Boolean Options”.
- pubkey
In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option.
- zone-statistics
If
yes, the server will keep statistical information for this zone, which can be dumped to the statistics-file defined in the server options.- sig-validity-interval
See the description of sig-validity-interval in the section called “Tuning”.
- sig-signing-nodes
See the description of sig-signing-nodes in the section called “Tuning”.
- sig-signing-signatures
See the description of sig-signing-signatures in the section called “Tuning”.
- sig-signing-type
See the description of sig-signing-type in the section called “Tuning”.
- transfer-source
See the description of transfer-source in the section called “Zone Transfers”.
- transfer-source-v6
See the description of transfer-source-v6 in the section called “Zone Transfers”.
- alt-transfer-source
See the description of alt-transfer-source in the section called “Zone Transfers”.
- alt-transfer-source-v6
See the description of alt-transfer-source-v6 in the section called “Zone Transfers”.
- use-alt-transfer-source
See the description of use-alt-transfer-source in the section called “Zone Transfers”.
- notify-source
See the description of notify-source in the section called “Zone Transfers”.
- notify-source-v6
See the description of notify-source-v6 in the section called “Zone Transfers”.
- min-refresh-time, max-refresh-time, min-retry-time, max-retry-time
See the description in the section called “Tuning”.
- ixfr-from-differences
See the description of ixfr-from-differences in the section called “Boolean Options”. (Note that the ixfr-from-differences
masterandslavechoices are not available at the zone level.)- key-directory
See the description of key-directory in the section called “options Statement Definition and Usage”.
- multi-master
See the description of multi-master in the section called “Boolean Options”.
- masterfile-format
See the description of masterfile-format in the section called “Tuning”.
BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.
The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones. When the update-policy statement is present, it is a configuration error for the allow-update statement to be present. The update-policy statement only examines the signer of a message; the source address is not relevant.
This is how a rule definition looks:
( grant | deny )identitynametypename[types]Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field in accordance with the nametype field, and the type matches the types specified in the type field.
No signer is required for
tcp-selfor6to4-selfhowever the standard reverse mapping / prefix conversion must match the identity field.The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0) key used to sign the update request. When a TKEY exchange has been used to create a shared secret, the identity of the shared secret is the same as the identity of the key used to authenticate the TKEY exchange. TKEY is also the negotiation method used by GSS-TSIG, which establishes an identity that is the Kerberos principal of the client, such as
"user@@host.domain". When theidentityfield specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. Theidentityfield must contain a fully-qualified domain name.The
nametypefield has 12 values:name,subdomain,wildcard,self,selfsub,selfwild,krb5-self,ms-self,krb5-subdomain,ms-subdomain,tcp-selfand6to4-self.
nameExact-match semantics. This rule matches when the name being updated is identical to the contents of the
namefield.
subdomainThis rule matches when the name being updated is a subdomain of, or identical to, the contents of the
namefield.
wildcardThe
namefield is subject to DNS wildcard expansion, and this rule matches when the name being updated name is a valid expansion of the wildcard.
selfThis rule matches when the name being updated matches the contents of the
identityfield. Thenamefield is ignored, but should be the same as theidentityfield. Theselfnametype is most useful when allowing using one key per name to update, where the key has the same name as the name to be updated. Theidentitywould be specified as*(an asterisk) in this case.
selfsubThis rule is similar to
selfexcept that subdomains ofselfcan also be updated.
selfwildThis rule is similar to
selfexcept that only subdomains ofselfcan be updated.
tcp-selfAllow updates that have been sent via TCP and for which the standard mapping from the initiating IP address into the IN-ADDR.ARPA and IP6.ARPA namespaces match the name to be updated.
Note
It is theoretically possible to spoof these TCP sessions.
6to4-selfAllow the 6to4 prefix to be update by any TCP conection from the 6to4 network or from the corresponding IPv4 address. This is intended to allow NS or DNAME RRsets to be added to the reverse tree.
Note
It is theoretically possible to spoof these TCP sessions.In all cases, the
namefield must specify a fully-qualified domain name.If no types are explicitly specified, this rule matches all types except RRSIG, NS, SOA, NSEC and NSEC3. Types may be specified by name, including "ANY" (ANY matches all types except NSEC and NSEC3, which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are checked for each existing record type.
This section, largely borrowed from RFC 1034, describes the concept of a Resource Record (RR) and explains when each is used. Since the publication of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.
A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify that a particular nearby server be tried first. See the section called “The sortlist Statement” and the section called “RRset Ordering”.
The components of a Resource Record are:
owner name
The domain name where the RR is found.
type
An encoded 16-bit value that specifies the type of the resource record.
TTL
The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
class
An encoded 16-bit value that identifies a protocol family or instance of a protocol.
RDATA
The resource data. The format of the data is type (and sometimes class) specific.
The following are types of valid RRs:
A
A host address. In the IN class, this is a 32-bit IP address. Described in RFC 1035.
AAAA
IPv6 address. Described in RFC 1886.
A6
IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the address (the prefix) can be found. Experimental. Described in RFC 2874.
AFSDB
Location of AFS database servers. Experimental. Described in RFC 1183.
APL
Address prefix list. Experimental. Described in RFC 3123.
CERT
Holds a digital certificate. Described in RFC 2538.
CNAME
Identifies the canonical name of an alias. Described in RFC 1035.
DHCID
Is used for identifying which DHCP client is associated with this name. Described in RFC 4701.
DNAME
Replaces the domain name specified with another name to be looked up, effectively aliasing an entire subtree of the domain name space rather than a single record as in the case of the CNAME RR. Described in RFC 2672.
DNSKEY
Stores a public key associated with a signed DNS zone. Described in RFC 4034.
DS
Stores the hash of a public key associated with a signed DNS zone. Described in RFC 4034.
GPOS
Specifies the global position. Superseded by LOC.
HINFO
Identifies the CPU and OS used by a host. Described in RFC 1035.
IPSECKEY
Provides a method for storing IPsec keying material in DNS. Described in RFC 4025.
ISDN
Representation of ISDN addresses. Experimental. Described in RFC 1183.
KEY
Stores a public key associated with a DNS name. Used in original DNSSEC; replaced by DNSKEY in DNSSECbis, but still used with SIG(0). Described in RFCs 2535 and 2931.
KX
Identifies a key exchanger for this DNS name. Described in RFC 2230.
LOC
For storing GPS info. Described in RFC 1876. Experimental.
MX
Identifies a mail exchange for the domain with a 16-bit preference value (lower is better) followed by the host name of the mail exchange. Described in RFC 974, RFC 1035.
NAPTR
Name authority pointer. Described in RFC 2915.
NSAP
A network service access point. Described in RFC 1706.
NS
The authoritative name server for the domain. Described in RFC 1035.
NSEC
Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Described in RFC 4034.
NSEC3
Used in DNSSECbis to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. NSEC3 differs from NSEC in that it prevents zone enumeration but is more computationally expensive on both the server and the client than NSEC. Described in RFC 5155.
NSEC3PARAM
Used in DNSSECbis to tell the authoritative server which NSEC3 chains are available to use. Described in RFC 5155.
NXT
Used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name. Used in original DNSSEC; replaced by NSEC in DNSSECbis. Described in RFC 2535.
PTR
A pointer to another part of the domain name space. Described in RFC 1035.
PX
Provides mappings between RFC 822 and X.400 addresses. Described in RFC 2163.
RP
Information on persons responsible for the domain. Experimental. Described in RFC 1183.
RRSIG
Contains DNSSECbis signature data. Described in RFC 4034.
RT
Route-through binding for hosts that do not have their own direct wide area network addresses. Experimental. Described in RFC 1183.
SIG
Contains DNSSEC signature data. Used in original DNSSEC; replaced by RRSIG in DNSSECbis, but still used for SIG(0). Described in RFCs 2535 and 2931.
SOA
Identifies the start of a zone of authority. Described in RFC 1035.
SPF
Contains the Sender Policy Framework information for a given email domain. Described in RFC 4408.
SRV
Information about well known network services (replaces WKS). Described in RFC 2782.
SSHFP
Provides a way to securely publish a secure shell key's fingerprint. Described in RFC 4255.
TXT
Text records. Described in RFC 1035.
WKS
Information about which well known network services, such as SMTP, that a domain supports. Historical.
X25
Representation of X.25 network addresses. Experimental. Described in RFC 1183.
The following classes of resource records are currently valid in the DNS:
IN
The Internet.
CH
Chaosnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g.,
version.bind.HS
Hesiod, an information service developed by MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on.
The owner name is often implicit, rather than forming an integral part of the RR. For example, many name servers internally form tree or hash structures for the name space, and chain RRs off nodes. The remaining RR parts are the fixed header (type, class, TTL) which is consistent for all RRs, and a variable part (RDATA) that fits the needs of the resource being described.
The meaning of the TTL field is a time limit on how long an RR can be kept in a cache. This limit does not apply to authoritative data in zones; it is also timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates. While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the change to minimize inconsistency during the change, and then increased back to its former value following the change.
The data in the RDATA section of RRs is carried as a combination of binary strings and domain names. The domain names are frequently used as "pointers" to other data in the DNS.
RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when stored in a name server or resolver. In the examples provided in RFC 1034, a style similar to that used in master files was employed in order to show the contents of RRs. In this format, most RRs are shown on a single line, although continuation lines are possible using parentheses.
The start of the line gives the owner of the RR. If a line begins with a blank, then the owner is assumed to be the same as that of the previous RR. Blank lines are often included for readability.
Following the owner, we list the TTL, type, and class of the RR. Class and type use the mnemonics defined above, and TTL is an integer before the type field. In order to avoid ambiguity in parsing, type and class mnemonics are disjoint, TTLs are integers, and the type mnemonic is always last. The IN class and TTL values are often omitted from examples in the interests of clarity.
The resource data or RDATA section of the RR are given using knowledge of the typical representation for the data.
For example, we might show the RRs carried in a message as:
ISI.EDU.
MX
10 VENERA.ISI.EDU.
MX
10 VAXA.ISI.EDU
VENERA.ISI.EDU
A
128.9.0.32
A
10.1.0.52
VAXA.ISI.EDU
A
10.2.0.27
A
128.9.0.33The MX RRs have an RDATA section which consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address format to contain a 32-bit internet address.
The above example shows six RRs, with two RRs at each of three domain names.
Similarly we might see:
XX.LCS.MIT.EDU.
IN A
10.0.0.44
CH A
MIT.EDU. 2420This example shows two addresses for
XX.LCS.MIT.EDU, each of a different class.As described above, domain servers store information as a series of resource records, each of which contains a particular piece of information about a given domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name matched with a relevant datum, and stored with some additional type information to help systems determine when the RR is relevant.
MX records are used to control delivery of email. The data specified in the record is a priority and a domain name. The priority controls the order in which email delivery is attempted, with the lowest number first. If two priorities are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent will fall back to the next largest priority. Priority numbers do not have any absolute meaning — they are relevant only respective to other MX records for that domain name. The domain name given is the machine to which the mail will be delivered. It must have an associated address record (A or AAAA) — CNAME is not sufficient.
For a given domain, if there is both a CNAME record and an MX record, the MX record is in error, and will be ignored. Instead, the mail will be delivered to the server specified in the MX record pointed to by the CNAME.
For example:
example.com.
IN
MX
10
mail.example.com.
IN
MX
10
mail2.example.com.
IN
MX
20
mail.backup.org.
mail.example.com.
IN
A
10.0.0.1
mail2.example.com.
IN
A
10.0.0.2Mail delivery will be attempted to
mail.example.comandmail2.example.com(in any order), and if neither of those succeed, delivery tomail.backup.orgwill be attempted.The time-to-live of the RR field is a 32-bit integer represented in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded. The following three types of TTL are currently used in a zone file.
SOA
The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain (NXDOMAIN) responses from you.
The maximum time for negative caching is 3 hours (3h).
$TTL
The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
RR TTLs
Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache the it.
All of these TTLs default to units of seconds, though units can be explicitly specified, for example,
1h30m.Reverse name resolution (that is, translation from IP address to name) is achieved by means of the in-addr.arpa domain and PTR records. Entries in the in-addr.arpa domain are made in least-to-most significant order, read left to right. This is the opposite order to the way IP addresses are usually written. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding in-addr.arpa name of 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose data field is the name of the machine or, optionally, multiple PTR records if the machine has more than one name. For example, in the [example.com] domain:
$ORIGIN
2.1.10.in-addr.arpa
3
IN PTR foo.example.com.Note
The $ORIGIN lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate that the example is relative to the listed origin.
The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format itself is class independent all records in a Master File must be of the same class.
Master File Directives include $ORIGIN, $INCLUDE, and $TTL.
Syntax: $ORIGIN
domain-name[comment]$ORIGIN sets the domain name that will be appended to any unqualified records. When a zone is first read in there is an implicit $ORIGIN <
zone-name>. The current $ORIGIN is appended to the domain specified in the $ORIGIN argument if it is not absolute.$ORIGIN example.com. WWW CNAME MAIN-SERVERis equivalent to
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.Syntax: $INCLUDE
filename[origin] [comment]Read and process the file
filenameas if it were included into the file at this point. If origin is specified the file is processed with $ORIGIN set to that value, otherwise the current $ORIGIN is used.The origin and the current domain name revert to the values they had prior to the $INCLUDE once the file has been read.
Note
RFC 1035 specifies that the current origin should be restored after an $INCLUDE, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both.
Syntax: $GENERATE
rangelhs[ttl] [class]typerhs[comment]$GENERATE is used to create a series of resource records that only differ from each other by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation.
$ORIGIN 0.0.192.IN-ADDR.ARPA. $GENERATE 1-2 0 NS SERVER$.EXAMPLE. $GENERATE 1-127 $ CNAME $.0is equivalent to
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. ... 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
range
This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. All of start, stop and step must be positive.
lhs
This describes the owner name of the resource records to be created. Any single $ (dollar sign) symbols within the lhs string are replaced by the iterator value. To get a $ in the output, you need to escape the $ using a backslash \, e.g. \$. The $ may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a { (left brace) immediately following the $ as ${offset[,width[,base]]}. For example, ${-20,3,d} subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (d), octal (o) and hexadecimal (x or X for uppercase). The default modifier is ${0,0,d}. If the lhs is not absolute, the current $ORIGIN is appended to the name.
For compatibility with earlier versions, $$ is still recognized as indicating a literal $ in the output.
ttl
Specifies the time-to-live of the generated records. If not specified this will be inherited using the normal ttl inheritance rules.
class and ttl can be entered in either order.
class
Specifies the class of the generated records. This must match the zone class if it is specified.
class and ttl can be entered in either order.
type
At present the only supported types are PTR, CNAME, DNAME, A, AAAA and NS.
rhs
rhs is a domain name. It is processed similarly to lhs.
The $GENERATE directive is a BIND extension and not part of the standard zone file format.
BIND 8 does not support the optional TTL and CLASS fields.
In addition to the standard textual format, BIND 9 supports the ability to read or dump to zone files in other formats. The
rawformat is currently available as an additional format. It is a binary format representing BIND 9's internal data structure directly, thereby remarkably improving the loading time.For a primary server, a zone file in the
rawformat is expected to be generated from a textual zone file by the named-compilezone command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the masterfile-format option) when named dumps the zone contents after zone transfer or when applying prior updates.If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the named-compilezone command. All necessary modification should go to the text file, which should then be converted to the binary form by the named-compilezone command again.
Although the
rawformat uses the network byte order and avoids architecture-dependent data alignment so that it is as much portable as possible, it is primarily expected to be used inside the same single system. In order to export a zone file in therawformat or make a portable backup of the file, it is recommended to convert the file to the standard textual representation.BIND 9 maintains lots of statistics information and provides several interfaces for users to get access to the statistics. The available statistics include all statistics counters that were available in BIND 8 and are meaningful in BIND 9, and other information that is considered useful.
The statistics information is categorized into the following sections.
Incoming Requests
The number of incoming DNS requests for each OPCODE.
Incoming Queries
The number of incoming queries for each RR type.
Outgoing Queries
The number of outgoing queries for each RR type sent from the internal resolver. Maintained per view.
Name Server Statistics
Statistics counters about incoming request processing.
Zone Maintenance Statistics
Statistics counters regarding zone maintenance operations such as zone transfers.
Resolver Statistics
Statistics counters about name resolution performed in the internal resolver. Maintained per view.
Cache DB RRsets
The number of RRsets per RR type (positive or negative) and nonexistent names stored in the cache database. Maintained per view.
Socket I/O Statistics
Statistics counters about network related events.
A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when zone-statistics is set to
yes. These statistics counters are shown with their zone and view names. In some cases the view names are omitted for the default view.There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified by the statistics-file configuration option. The other is remotely accessible via a statistics channel when the statistics-channels statement is specified in the configuration file (see the section called “statistics-channels Statement Grammar”.)
The text format statistics dump begins with a line, like:
+++ Statistics Dump +++ (973798949)
The number in parentheses is a standard Unix-style timestamp, measured as seconds since January 1, 1970. Following that line is a set of statistics information, which is categorized as described above. Each section begins with a line, like:
++ Name Server Statistics ++
Each section consists of lines, each containing the statistics counter value followed by its textual description. See below for available counters. For brevity, counters that have a value of 0 are not shown in the statistics file.
The statistics dump ends with the line where the number is identical to the number in the beginning line; for example:
--- Statistics Dump --- (973798949)
The following tables summarize statistics counters that BIND 9 provides. For each row of the tables, the leftmost column is the abbreviated symbol name of that counter. These symbols are shown in the statistics information accessed via an HTTP statistics channel. The rightmost column gives the description of the counter, which is also shown in the statistics file (but, in this document, possibly with slight modification for better readability). Additional notes may also be provided in this column. When a middle column exists between these two columns, it gives the corresponding counter name of the BIND 8 statistics, if applicable.
Symbol
BIND8 Symbol
Description
Requestv4
RQ
IPv4 requests received. Note: this also counts non query requests.
Requestv6
RQ
IPv6 requests received. Note: this also counts non query requests.
ReqEdns0
Requests with EDNS(0) received.
ReqBadEDNSVer
Requests with unsupported EDNS version received.
ReqTSIG
Requests with TSIG received.
ReqSIG0
Requests with SIG(0) received.
ReqBadSIG
Requests with invalid (TSIG or SIG(0)) signature.
ReqTCP
RTCP
TCP requests received.
AuthQryRej
RUQ
Authoritative (non recursive) queries rejected.
RecQryRej
RURQ
Recursive queries rejected.
XfrRej
RUXFR
Zone transfer requests rejected.
UpdateRej
RUUpd
Dynamic update requests rejected.
Response
SAns
Responses sent.
RespTruncated
Truncated responses sent.
RespEDNS0
Responses with EDNS(0) sent.
RespTSIG
Responses with TSIG sent.
RespSIG0
Responses with SIG(0) sent.
QrySuccess
Queries resulted in a successful answer. This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the success counter of previous versions of BIND 9.
QryAuthAns
Queries resulted in authoritative answer.
QryNoauthAns
SNaAns
Queries resulted in non authoritative answer.
QryReferral
Queries resulted in referral answer. This corresponds to the referral counter of previous versions of BIND 9.
QryNxrrset
Queries resulted in NOERROR responses with no data. This corresponds to the nxrrset counter of previous versions of BIND 9.
QrySERVFAIL
SFail
Queries resulted in SERVFAIL.
QryFORMERR
SFErr
Queries resulted in FORMERR.
QryNXDOMAIN
SNXD
Queries resulted in NXDOMAIN. This corresponds to the nxdomain counter of previous versions of BIND 9.
QryRecursion
RFwdQ
Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the recursion counter of previous versions of BIND 9.
QryDuplicate
RDupQ
Queries which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed. This corresponds to the duplicate counter of previous versions of BIND 9.
QryDropped
Recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the clients-per-query and max-clients-per-query options (see the description about clients-per-query.) This corresponds to the dropped counter of previous versions of BIND 9.
QryFailure
Other query failures. This corresponds to the failure counter of previous versions of BIND 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as AuthQryRej and RecQryRej that would also fall into this counter are provided, and so this counter would not be of much interest in practice.
XfrReqDone
Requested zone transfers completed.
UpdateReqFwd
Update requests forwarded.
UpdateRespFwd
Update responses forwarded.
UpdateFwdFail
Dynamic update forward failed.
UpdateDone
Dynamic updates completed.
UpdateFail
Dynamic updates failed.
UpdateBadPrereq
Dynamic updates rejected due to prerequisite failure.
Symbol
Description
NotifyOutv4
IPv4 notifies sent.
NotifyOutv6
IPv6 notifies sent.
NotifyInv4
IPv4 notifies received.
NotifyInv6
IPv6 notifies received.
NotifyRej
Incoming notifies rejected.
SOAOutv4
IPv4 SOA queries sent.
SOAOutv6
IPv6 SOA queries sent.
AXFRReqv4
IPv4 AXFR requested.
AXFRReqv6
IPv6 AXFR requested.
IXFRReqv4
IPv4 IXFR requested.
IXFRReqv6
IPv6 IXFR requested.
XfrSuccess
Zone transfer requests succeeded.
XfrFail
Zone transfer requests failed.
Symbol
BIND8 Symbol
Description
Queryv4
SFwdQ
IPv4 queries sent.
Queryv6
SFwdQ
IPv6 queries sent.
Responsev4
RR
IPv4 responses received.
Responsev6
RR
IPv6 responses received.
NXDOMAIN
RNXD
NXDOMAIN received.
SERVFAIL
RFail
SERVFAIL received.
FORMERR
RFErr
FORMERR received.
OtherError
RErr
Other errors received.
EDNS0Fail
EDNS(0) query failures.
Mismatch
RDupR
Mismatch responses received.
Truncated
Truncated responses received.
Lame
RLame
Lame delegations received.
Retry
SDupQ
Query retries performed.
QueryAbort
Queries aborted due to quota control.
QuerySockFail
Failures in opening query sockets. One common reason for such failures is a failure of opening a new socket due to a limitation on file descriptors.
QueryTimeout
Query timeouts.
GlueFetchv4
SSysQ
IPv4 NS address fetches invoked.
GlueFetchv6
SSysQ
IPv6 NS address fetches invoked.
GlueFetchv4Fail
IPv4 NS address fetch failed.
GlueFetchv6Fail
IPv6 NS address fetch failed.
ValAttempt
DNSSEC validation attempted.
ValOk
DNSSEC validation succeeded.
ValNegOk
DNSSEC validation on negative information succeeded.
ValFail
DNSSEC validation failed.
QryRTTnn
Frequency table on round trip times (RTTs) of queries. Each nn specifies the corresponding frequency. In the sequence of nn_1, nn_2, ..., nn_m, the value of nn_i is the number of queries whose RTTs are between nn_(i-1) (inclusive) and nn_i (exclusive) milliseconds. For the sake of convenience we define nn_0 to be 0. The last entry should be represented as nn_m+, which means the number of queries whose RTTs are equal to or over nn_m milliseconds.
Socket I/O statistics counters are defined per socket types, which are UDP4 (UDP/IPv4), UDP6 (UDP/IPv6), TCP4 (TCP/IPv4), TCP6 (TCP/IPv6), Unix (Unix Domain), and FDwatch (sockets opened outside the socket module). In the following table <TYPE> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field.
Symbol
Description
<TYPE>Open
Sockets opened successfully. This counter is not applicable to the FDwatch type.
<TYPE>OpenFail
Failures of opening sockets. This counter is not applicable to the FDwatch type.
<TYPE>Close
Sockets closed.
<TYPE>BindFail
Failures of binding sockets.
<TYPE>ConnFail
Failures of connecting sockets.
<TYPE>Conn
Connections established successfully.
<TYPE>AcceptFail
Failures of accepting incoming connection requests. This counter is not applicable to the UDP and FDwatch types.
<TYPE>Accept
Incoming connections successfully accepted. This counter is not applicable to the UDP and FDwatch types.
<TYPE>SendErr
Errors in socket send operations. This counter corresponds to SErr counter of BIND 8.
<TYPE>RecvErr
Errors in socket receive operations. This includes errors of send operations on a connected UDP socket notified by an ICMP error message.
Most statistics counters that were available in BIND 8 are also supported in BIND 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables.
- RFwdR,SFwdR
These counters are not supported because BIND 9 does not adopt the notion of forwarding as BIND 8 did.
- RAXFR
This counter is accessible in the Incoming Queries section.
- RIQ
This counter is accessible in the Incoming Requests section.
- ROpts
This counter is not supported because BIND 9 does not care about IP options in the first place.