summaryrefslogtreecommitdiffstats
path: root/doc/misc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 18:37:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 18:37:14 +0000
commitea648e70a989cca190cd7403fe892fd2dcc290b4 (patch)
treee2b6b1c647da68b0d4d66082835e256eb30970e8 /doc/misc
parentInitial commit. (diff)
downloadbind9-upstream.tar.xz
bind9-upstream.zip
Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/misc')
-rw-r--r--doc/misc/Makefile.in73
-rw-r--r--doc/misc/delegation-only.zoneopt3
-rw-r--r--doc/misc/dnssec81
-rw-r--r--doc/misc/docbook-grammars.pl85
-rw-r--r--doc/misc/docbook-options.pl184
-rw-r--r--doc/misc/docbook-zoneopt.pl64
-rw-r--r--doc/misc/format-options.pl41
-rw-r--r--doc/misc/forward.zoneopt6
-rw-r--r--doc/misc/hint.zoneopt6
-rw-r--r--doc/misc/in-view.zoneopt3
-rw-r--r--doc/misc/ipv6111
-rw-r--r--doc/misc/master.zoneopt56
-rw-r--r--doc/misc/migration264
-rw-r--r--doc/misc/migration-4to955
-rw-r--r--doc/misc/options883
-rw-r--r--doc/misc/redirect.zoneopt13
-rw-r--r--doc/misc/rfc-compliance160
-rw-r--r--doc/misc/roadmap47
-rw-r--r--doc/misc/sdb167
-rw-r--r--doc/misc/slave.zoneopt59
-rw-r--r--doc/misc/sort-options.pl43
-rw-r--r--doc/misc/static-stub.zoneopt11
-rw-r--r--doc/misc/stub.zoneopt27
-rw-r--r--doc/misc/tcp-fast-open32
24 files changed, 2474 insertions, 0 deletions
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
new file mode 100644
index 0000000..c4967ff
--- /dev/null
+++ b/doc/misc/Makefile.in
@@ -0,0 +1,73 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_RULES@
+
+PERL = @PERL@
+
+MANOBJS = options
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f options
+
+# Do not make options depend on ../../bin/tests/cfg_test, doing so
+# will cause excessively clever versions of make to attempt to build
+# that program right here, right now, if it is missing, which will
+# cause make doc to bomb.
+
+CFG_TEST = ../../bin/tests/cfg_test
+
+options: FORCE
+ if test -x ${CFG_TEST} ; \
+ then \
+ ${CFG_TEST} --named --grammar > $@.raw ; \
+ ${CFG_TEST} --zonegrammar master > master.zoneopt ; \
+ ${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \
+ ${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \
+ ${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \
+ ${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \
+ ${CFG_TEST} --zonegrammar static-stub > static-stub.zoneopt ; \
+ ${CFG_TEST} --zonegrammar redirect > redirect.zoneopt ; \
+ ${CFG_TEST} --zonegrammar delegation-only > delegation-only.zoneopt ; \
+ ${CFG_TEST} --zonegrammar in-view > in-view.zoneopt ; \
+ ${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \
+ ${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \
+ mv -f $@.new $@ ; \
+ rm -f $@.raw $@.sorted ; \
+ else \
+ rm -f $@.new $@.raw $@.sorted ; \
+ fi
+
+docbook: options
+ ${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook
+ ${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl forward.zoneopt > ${top_srcdir}/doc/arm/forward.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl hint.zoneopt > ${top_srcdir}/doc/arm/hint.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl stub.zoneopt > ${top_srcdir}/doc/arm/stub.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl static-stub.zoneopt > ${top_srcdir}/doc/arm/static-stub.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl redirect.zoneopt > ${top_srcdir}/doc/arm/redirect.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl delegation-only.zoneopt > ${top_srcdir}/doc/arm/delegation-only.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl in-view.zoneopt > ${top_srcdir}/doc/arm/in-view.zoneopt.xml
+ ${PERL} docbook-grammars.pl options acl > ${top_srcdir}/doc/arm/acl.grammar.xml
+ ${PERL} docbook-grammars.pl options controls > ${top_srcdir}/doc/arm/controls.grammar.xml
+ ${PERL} docbook-grammars.pl options key > ${top_srcdir}/doc/arm/key.grammar.xml
+ ${PERL} docbook-grammars.pl options logging > ${top_srcdir}/doc/arm/logging.grammar.xml
+ ${PERL} docbook-grammars.pl options masters > ${top_srcdir}/doc/arm/masters.grammar.xml
+ ${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml
+ ${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml
+ ${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml
+ ${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml
+ ${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml
diff --git a/doc/misc/delegation-only.zoneopt b/doc/misc/delegation-only.zoneopt
new file mode 100644
index 0000000..ab86327
--- /dev/null
+++ b/doc/misc/delegation-only.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+ type delegation-only;
+};
diff --git a/doc/misc/dnssec b/doc/misc/dnssec
new file mode 100644
index 0000000..84db388
--- /dev/null
+++ b/doc/misc/dnssec
@@ -0,0 +1,81 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+DNSSEC Release Notes
+
+This document summarizes the state of the DNSSEC implementation in
+this release of BIND9.
+
+
+OpenSSL Library Required
+
+To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
+the OpenSSL library. As of BIND 9.2, the library is no longer
+included in the distribution - it must be provided by the operating
+system or installed separately.
+
+To build BIND 9 with OpenSSL, use "configure --with-openssl". If
+the OpenSSL library is installed in a nonstandard location, you can
+specify a path as in "configure --with-openssl=/var".
+
+
+Key Generation and Signing
+
+The tools for generating DNSSEC keys and signatures are now in the
+bin/dnssec directory. Documentation for these programs can be found
+in doc/arm/Bv9ARM.4.html and the man pages.
+
+The random data used in generating DNSSEC keys and signatures comes
+from either /dev/random (if the OS supports it) or keyboard input.
+Alternatively, a device or file containing entropy/random data can be
+specified.
+
+
+Serving Secure Zones
+
+When acting as an authoritative name server, BIND9 includes KEY, SIG
+and NXT records in responses as specified in RFC2535 when the request
+has the DO flag set in the query.
+
+
+Secure Resolution
+
+Basic support for validation of DNSSEC signatures in responses has
+been implemented but should still be considered experimental.
+
+When acting as a caching name server, BIND9 is capable of performing
+basic DNSSEC validation of positive as well as nonexistence responses.
+This functionality is enabled by including a "trusted-keys" clause
+in the configuration file, containing the top-level zone key of the
+the DNSSEC tree.
+
+Validation of wildcard responses is not currently supported. In
+particular, a "name does not exist" response will validate
+successfully even if it does not contain the NXT records to prove the
+nonexistence of a matching wildcard.
+
+Proof of insecure status for insecure zones delegated from secure
+zones works when the zones are completely insecure. Privately
+secured zones delegated from secure zones will not work in all cases,
+such as when the privately secured zone is served by the same server
+as an ancestor (but not parent) zone.
+
+Handling of the CD bit in queries is now fully implemented. Validation
+is not attempted for recursive queries if CD is set.
+
+
+Secure Dynamic Update
+
+Dynamic update of secure zones has been implemented, but may not be
+complete. Affected NXT and SIG records are updated by the server when
+an update occurs. Advanced access control is possible using the
+"update-policy" statement in the zone definition.
+
+
+Secure Zone Transfers
+
+BIND 9 does not implement the zone transfer security mechanisms of
+RFC2535 section 5.6, and we have no plans to implement them in the
+future as we consider them inferior to the use of TSIG or SIG(0) to
+ensure the integrity of zone transfers.
diff --git a/doc/misc/docbook-grammars.pl b/doc/misc/docbook-grammars.pl
new file mode 100644
index 0000000..43f47e8
--- /dev/null
+++ b/doc/misc/docbook-grammars.pl
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+use Time::Piece;
+
+if (@ARGV < 2) {
+ print STDERR <<'END';
+usage:
+ perl docbook-options.pl options_file section > section.grammar.xml
+END
+ exit 1;
+}
+
+my $FILE = shift;
+my $SECTION = shift;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+my $t = Time::Piece->new();
+my $year = $t->year;
+
+print <<END;
+<!--
+ - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<programlisting>
+END
+
+# skip preamble
+my $preamble = 0;
+while (<FH>) {
+ if (m{^\s*$}) {
+ last if $preamble > 0;
+ } else {
+ $preamble++;
+ }
+}
+
+my $display = 0;
+while (<FH>) {
+ if (m{^$SECTION\b}) {
+ $display = 1
+ }
+
+ if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) {
+ next;
+ }
+
+ s{ // not configured}{};
+ s{ // non-operational}{};
+ s{ // may occur multiple times}{};
+ s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
+ s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
+ s{[[]}{[}g;
+ s{[]]}{]}g;
+ s{ }{\t}g;
+
+ if (m{^\s*$} && $display) {
+ last;
+ }
+ if ($display) {
+ print;
+ }
+}
+
+print <<END;
+</programlisting>
+END
diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl
new file mode 100644
index 0000000..6495b53
--- /dev/null
+++ b/doc/misc/docbook-options.pl
@@ -0,0 +1,184 @@
+#!/usr/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+use Time::Piece;
+
+if (@ARGV < 1) {
+ print STDERR <<'END';
+usage:
+ perl docbook-options.pl options_file [YYYY/MM/DD] >named.conf.docbook
+END
+ exit 1;
+}
+
+my $FILE = shift;
+
+my $DATE;
+if (@ARGV >= 2) {
+ $DATE = shift
+} else {
+ $DATE = `git log --max-count=1 --date=short --format='%cd' $FILE` or die "unable to determine last modification date of '$FILE'; specify on command line\nexiting";
+}
+chomp $DATE;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+my $t = Time::Piece->new();
+my $year = $t->year;
+
+print <<END;
+<!--
+ - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-options.pl -->
+
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
+ <info>
+ <date>$DATE</date>
+ </info>
+ <refentryinfo>
+ <corpname>ISC</corpname>
+ <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><filename>named.conf</filename></refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><filename>named.conf</filename></refname>
+ <refpurpose>configuration file for <command>named</command></refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+END
+
+for (my $y = 2004; $y <= $year; $y++) {
+ print " <year>$y</year>\n";
+}
+
+print <<END;
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis sepchar=" ">
+ <command>named.conf</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection><info><title>DESCRIPTION</title></info>
+
+ <para><filename>named.conf</filename> is the configuration file
+ for
+ <command>named</command>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </para>
+ <para>
+ C style: /* */
+ </para>
+ <para>
+ C++ style: // to end of line
+ </para>
+ <para>
+ Unix style: # to end of line
+ </para>
+ </refsection>
+
+END
+
+# skip preamble
+my $preamble = 0;
+while (<FH>) {
+ if (m{^\s*$}) {
+ last if $preamble > 0;
+ } else {
+ $preamble++;
+ }
+}
+
+my $blank = 0;
+while (<FH>) {
+ if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) {
+ next;
+ }
+
+ s{ // not configured}{};
+ s{ // non-operational}{};
+ s{ // may occur multiple times}{};
+ s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
+ s{[[]}{[}g;
+ s{[]]}{]}g;
+ s{ }{\t}g;
+ if (m{^([a-z0-9-]+) }) {
+ my $HEADING = uc $1;
+ print <<END;
+ <refsection><info><title>$HEADING</title></info>
+
+ <literallayout class="normal">
+END
+ }
+
+ if (m{^\s*$} && !$blank) {
+ $blank = 1;
+ print <<END;
+</literallayout>
+ </refsection>
+END
+ } else {
+ $blank = 0;
+ }
+ print;
+}
+
+print <<END;
+ <refsection><info><title>FILES</title></info>
+
+ <para><filename>/etc/named.conf</filename>
+ </para>
+ </refsection>
+
+ <refsection><info><title>SEE ALSO</title></info>
+
+ <para><citerefentry>
+ <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsection>
+
+</refentry>
+END
diff --git a/doc/misc/docbook-zoneopt.pl b/doc/misc/docbook-zoneopt.pl
new file mode 100644
index 0000000..295fc28
--- /dev/null
+++ b/doc/misc/docbook-zoneopt.pl
@@ -0,0 +1,64 @@
+#!/usr/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use warnings;
+use strict;
+use Time::Piece;
+
+if (@ARGV < 1) {
+ print STDERR <<'END';
+usage:
+ perl docbook-zoneopt.pl zoneopt_file [YYYY]
+END
+ exit 1;
+}
+
+my $FILE = shift;
+
+my $t = Time::Piece->new();
+my $year;
+$year = `git log --max-count=1 --date=format:%Y --format='%cd' -- $FILE` or $year = $t->year;
+chomp $year;
+
+open (FH, "<", $FILE) or die "Can't open $FILE";
+
+print <<END;
+<!--
+ - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+END
+
+while (<FH>) {
+ if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) {
+ next;
+ }
+
+ s{ // not configured}{};
+ s{ // may occur multiple times}{};
+ s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g;
+ s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>};
+ s{[[]}{[}g;
+ s{[]]}{]}g;
+ s{ }{\t}g;
+
+ print;
+}
+
+print <<END;
+</programlisting>
+END
diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl
new file mode 100644
index 0000000..338d61e
--- /dev/null
+++ b/doc/misc/format-options.pl
@@ -0,0 +1,41 @@
+#!/usr/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+print <<END;
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+END
+
+# Break long lines
+while (<>) {
+ chomp;
+ s/\t/ /g;
+ my $line = $_;
+ m!^( *)!;
+ my $indent = $1;
+ my $comment = "";
+ if ( $line =~ m!//.*! ) {
+ $comment = $&;
+ $line =~ s!//.*!!;
+ }
+ my $start = "";
+ while (length($line) >= 79 - length($comment)) {
+ $_ = $line;
+ # this makes sure that the comment has something in front of it
+ $len = 75 - length($comment);
+ m!^(.{0,$len}) (.*)$!;
+ $start = $start.$1."\n";
+ $line = $indent." ".$2;
+ }
+ print $start.$line.$comment."\n";
+}
diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt
new file mode 100644
index 0000000..e694813
--- /dev/null
+++ b/doc/misc/forward.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+ type forward;
+ delegation-only <boolean>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+};
diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt
new file mode 100644
index 0000000..d7ec16c
--- /dev/null
+++ b/doc/misc/hint.zoneopt
@@ -0,0 +1,6 @@
+zone <string> [ <class> ] {
+ type hint;
+ check-names ( fail | warn | ignore );
+ delegation-only <boolean>;
+ file <quoted_string>;
+};
diff --git a/doc/misc/in-view.zoneopt b/doc/misc/in-view.zoneopt
new file mode 100644
index 0000000..c63c427
--- /dev/null
+++ b/doc/misc/in-view.zoneopt
@@ -0,0 +1,3 @@
+zone <string> [ <class> ] {
+ in-view <string>;
+};
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
new file mode 100644
index 0000000..02cd19a
--- /dev/null
+++ b/doc/misc/ipv6
@@ -0,0 +1,111 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Currently, there are multiple interesting problems with ipv6
+implementations on various platforms. These problems range from not
+being able to use ipv6 with bind9 (or in particular the ISC socket
+library, contained in libisc) to listen-on lists not being respected,
+to strange warnings but seemingly correct behavior of named.
+
+COMPILE-TIME ISSUES
+-------------------
+
+The socket library requires a certain level of support from the
+operating system. In particular, it must follow the advanced ipv6
+socket API to be usable. The systems which do not follow this will
+currently not get any warnings or errors, but ipv6 will simply not
+function on them.
+
+These systems currently include, but are not limited to:
+
+ AIX 3.4 (with ipv6 patches)
+
+
+RUN-TIME ISSUES
+---------------
+
+In the original drafts of the ipv6 RFC documents, binding an ipv6
+socket to the ipv6 wildcard address would also cause the socket to
+accept ipv4 connections and datagrams. When an ipv4 packet is
+received on these systems, it is mapped into an ipv6 address. For
+example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
+this mapping was to make transition from an ipv4-only application into
+ipv6 easier, by only requiring one socket to be open on a given port.
+
+Later, it was discovered that this was generally a bad idea. For one,
+many firewalls will block connection to 1.2.3.4, but will let through
+::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
+written to accept only ipv4 addresses were suddenly ignored unless
+they were rewritten to handle the ipv6 mapped addresses as well.
+
+Partly because of these problems, the latest IPv6 API introduces an
+explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
+mapped address usage.
+
+In bind9, we first check if both the advanced API and the IPV6_V6ONLY
+socket option are available. If both of them are available, bind9
+named will bind to the ipv6 wildcard port for both TCP and UDP.
+Otherwise named will make a warning and try to bind to all available
+ipv6 addresses separately.
+
+In any case, bind9 named binds to specific addresses for ipv4 sockets.
+
+The followings are historical notes when we always bound to the ipv6
+wildcard port regardless of the availability of the API support.
+These problems should not happen with the closer checks above.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
+---------------------------------------------------------------
+
+The only OS which seems to do this is (some kernel versions of) linux.
+If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
+ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
+will fail.
+
+What this means to bind9 is that the application will log warnings
+about being unable to bind to a socket because the address is already
+in use. Since the ipv6 socket will accept ipv4 packets and map them,
+however, the ipv4 addresses continue to function.
+
+The effect is that the config file listen-on directive will not be
+respected on these systems.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
+----------------------------------------------------------------
+
+In this case, the system allows opening an ipv6 wildcard address
+socket and then binding to a more specific ipv4 address later. An
+example of this type of system is Digital Unix with ipv6 patches
+applied.
+
+What this means to bind9 is that the application will respect
+listen-on in regards to ipv4 sockets, but it will use mapped ipv6
+addresses for any that do not match the listen-on list. This, in
+effect, makes listen-on useless for these machines as well.
+
+
+IPV6 Sockets Do Not Accept IPV4
+-------------------------------
+
+On these systems, opening an IPV6 socket does not implicitly open any
+ipv4 sockets. An example of these systems are NetBSD-current with the
+latest KAME patch, and other systems which use the latest KAME patches
+as their ipv6 implementation.
+
+On these systems, listen-on is fully functional, as the ipv6 socket
+only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
+packets.
+
+
+RELEVANT RFCs
+-------------
+
+3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
+
+3493: Basic Socket Interface Extensions for IPv6
+
+3542: Advanced Sockets Application Program Interface (API) for IPv6
+
diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt
new file mode 100644
index 0000000..7152ed1
--- /dev/null
+++ b/doc/misc/master.zoneopt
@@ -0,0 +1,56 @@
+zone <string> [ <class> ] {
+ type ( master | primary );
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ database <string>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ inline-signing <boolean>;
+ ixfr-from-differences <boolean>;
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ max-journal-size ( unlimited | <sizeval> );
+ max-records <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-out <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ serial-update-method ( date | increment | unixtime );
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ update-check-ksk <boolean>;
+ update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/migration b/doc/misc/migration
new file mode 100644
index 0000000..aa78a74
--- /dev/null
+++ b/doc/misc/migration
@@ -0,0 +1,264 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+ BIND 8 to BIND 9 Migration Notes
+
+BIND 9 is designed to be mostly upwards compatible with BIND 8, but
+there is still a number of caveats you should be aware of when
+upgrading an existing BIND 8 installation to use BIND 9.
+
+
+1. Configuration File Compatibility
+
+1.1. Unimplemented Options and Changed Defaults
+
+BIND 9 supports most, but not all of the named.conf options of BIND 8.
+For a complete list of implemented options, see doc/misc/options.
+
+If your named.conf file uses an unimplemented option, named will log a
+warning message. A message is also logged about each option whose
+default has changed unless the option is set explicitly in named.conf.
+
+The default of the "transfer-format" option has changed from
+"one-answer" to "many-answers". If you have slave servers that do not
+understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
+older) you need to explicitly specify "transfer-format one-answer;" in
+either the options block or a server statement.
+
+BIND 9.4 onwards implements "allow-query-cache". The "allow-query"
+option is no longer used to specify access to the cache. The
+"allow-query" option continues to specify which hosts are allowed
+to ask ordinary DNS questions. The new "allow-query-cache" option
+is used to specify which hosts are allowed to get answers from the
+cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
+"allow-recursion" is used if it is set, otherwise "allow-query" is
+used if it is set, otherwise the default localnets and localhost
+is used.
+
+1.2. Handling of Configuration File Errors
+
+In BIND 9, named refuses to start if it detects an error in
+named.conf. Earlier versions would start despite errors, causing the
+server to run with a partial configuration. Errors detected during
+subsequent reloads do not cause the server to exit.
+
+Errors in master files do not cause the server to exit, but they
+do cause the zone not to load.
+
+1.3. Logging
+
+The set of logging categories in BIND 9 is different from that
+in BIND 8. If you have customised your logging on a per-category
+basis, you need to modify your logging statement to use the
+new categories.
+
+Another difference is that the "logging" statement only takes effect
+after the entire named.conf file has been read. This means that when
+the server starts up, any messages about errors in the configuration
+file are always logged to the default destination (syslog) when the
+server first starts up, regardless of the contents of the "logging"
+statement. In BIND 8, the new logging configuration took effect
+immediately after the "logging" statement was read.
+
+1.4. Notify messages and Refresh queries
+
+The source address and port for these is now controlled by
+"notify-source" and "transfer-source", respectively, rather that
+query-source as in BIND 8.
+
+1.5. Multiple Classes.
+
+Multiple classes have to be put into explicit views for each class.
+
+
+2. Zone File Compatibility
+
+2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
+
+BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
+omitted TTLs in zone files. Omitted TTLs are replaced by the value
+specified with the $TTL directive, or by the previous explicit TTL if
+there is no $TTL directive.
+
+If there is no $TTL directive and the first RR in the file does not
+have an explicit TTL field, the zone file is illegal according to
+RFC1035 since the TTL of the first RR is undefined. Unfortunately,
+BIND 4 and many versions of BIND 8 accept such files without warning
+and use the value of the SOA MINTTL field as a default for missing TTL
+values.
+
+BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
+emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
+files anyway (provided the SOA is the first record in the file), but
+will issue the warning message "no TTL specified; using SOA MINTTL
+instead".
+
+To avoid problems, we recommend that you use a $TTL directive in each
+zone file.
+
+2.2. Periods in SOA Serial Numbers Deprecated
+
+Some versions of BIND allow SOA serial numbers with an embedded
+period, like "3.002", and convert them into integers in a rather
+unintuitive way. This feature is not supported by BIND 9; serial
+numbers must be integers.
+
+2.3. Handling of Unbalanced Quotes
+
+TXT records with unbalanced quotes, like 'host TXT "foo', were not
+treated as errors in some versions of BIND. If your zone files
+contain such records, you will get potentially confusing error
+messages like "unexpected end of file" because BIND 9 will interpret
+everything up to the next quote character as a literal string.
+
+2.4. Handling of Line Breaks
+
+Some versions of BIND accept RRs containing line breaks that are not
+properly quoted with parentheses, like the following SOA:
+
+ @ IN SOA ns.example. hostmaster.example.
+ ( 1 3600 1800 1814400 3600 )
+
+This is not legal master file syntax and will be treated as an error
+by BIND 9. The fix is to move the opening parenthesis to the first
+line.
+
+2.5. Unimplemented BIND 8 Extensions
+
+$GENERATE: The "$$" construct for getting a literal $ into a domain
+name is deprecated. Use \$ instead.
+
+2.6. TXT records are no longer automatically split.
+
+Some versions of BIND accepted strings in TXT RDATA consisting of more
+than 255 characters and silently split them to be able to encode the
+strings in a protocol conformant way. You may now see errors like this
+ dns_rdata_fromtext: local.db:119: ran out of space
+if you have TXT RRs with too longs strings. Make sure to split the
+string in the zone data file at or before a single one reaches 255
+characters.
+
+3. Interoperability Impact of New Protocol Features
+
+3.1. EDNS0
+
+BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
+also sets DO EDNS flag bit in queries to indicate that it wishes to
+receive DNSSEC responses.
+
+Most older servers that do not support EDNS0, including prior versions
+of BIND, will send a FORMERR or NOTIMP response to these queries.
+When this happens, BIND 9 will automatically retry the query without
+EDNS0.
+
+Unfortunately, there exists at least one non-BIND name server
+implementation that silently ignores these queries instead of sending
+an error response. Resolving names in zones where all or most
+authoritative servers use this server will be very slow or fail
+completely. We have contacted the manufacturer of the name server in
+case, and they are working on a solution.
+
+When BIND 9 communicates with a server that does support EDNS0, such as
+another BIND 9 server, responses of up to 4096 bytes may be
+transmitted as a single UDP datagram which is subject to fragmentation
+at the IP level. If a firewall incorrectly drops IP fragments, it can
+cause resolution to slow down dramatically or fail.
+
+3.2. Zone Transfers
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
+
+Zone transfers to Windows 2000 DNS servers sometimes fail due to a
+bug in the Windows 2000 DNS server where DNS messages larger than
+16K are not handled properly. Obtain the latest service pack for
+Windows 2000 from Microsoft to address this issue. In the meantime,
+the problem can be worked around by setting "transfer-format one-answer;".
+http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
+
+4. Unrestricted Character Set
+
+ BIND 9.2 only
+
+BIND 9 does not restrict the character set of domain names - it is
+fully 8-bit clean in accordance with RFC2181 section 11.
+
+It is strongly recommended that hostnames published in the DNS follow
+the RFC952 rules, but BIND 9 will not enforce this restriction.
+
+Historically, some applications have suffered from security flaws
+where data originating from the network, such as names returned by
+gethostbyaddr(), are used with insufficient checking and may cause a
+breach of security when containing unexpected characters; see
+<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
+for details. Some earlier versions of BIND attempt to protect these
+flawed applications from attack by discarding data containing
+characters deemed inappropriate in host names or mail addresses, under
+the control of the "check-names" option in named.conf and/or "options
+no-check-names" in resolv.conf. BIND 9 provides no such protection;
+if applications with these flaws are still being used, they should
+be upgraded.
+
+ BIND 9.3 onwards implements check-names.
+
+5. Server Administration Tools
+
+5.1 Ndc Replaced by Rndc
+
+The "ndc" program has been replaced by "rndc", which is capable of
+remote operation. Unlike ndc, rndc requires a configuration file.
+The easiest way to generate a configuration file is to run
+"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
+and rndc.conf(5) for details.
+
+5.2. Nsupdate Differences
+
+The BIND 8 implementation of nsupdate had an undocumented feature
+where an update request would be broken down into multiple requests
+based upon the discovered zones that contained the records. This
+behaviour has not been implemented in BIND 9. Each update request
+must pertain to a single zone, but it is still possible to do multiple
+updates in a single invocation of nsupdate by terminating each update
+with an empty line or a "send" command.
+
+
+6. No Information Leakage between Zones
+
+BIND 9 stores the authoritative data for each zone in a separate data
+structure, as recommended in RFC1035 and as required by DNSSEC and
+IXFR. When a BIND 9 server is authoritative for both a child zone and
+its parent, it will have two distinct sets of NS records at the
+delegation point: the authoritative NS records at the child's apex,
+and a set of glue NS records in the parent.
+
+BIND 8 was unable to properly distinguish between these two sets of NS
+records and would "leak" the child's NS records into the parent,
+effectively causing the parent zone to be silently modified: responses
+and zone transfers from the parent contained the child's NS records
+rather than the glue configured into the parent (if any). In the case
+of children of type "stub", this behaviour was documented as a feature,
+allowing the glue NS records to be omitted from the parent
+configuration.
+
+Sites that were relying on this BIND 8 behaviour need to add any
+omitted glue NS records, and any necessary glue A records, to the
+parent zone.
+
+Although stub zones can no longer be used as a mechanism for injecting
+NS records into their parent zones, they are still useful as a way of
+directing queries for a given domain to a particular set of name
+servers.
+
+
+7. Umask not Modified
+
+The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
+not; the umask inherited from the parent process remains in effect.
+This may cause files created by named, such as journal files, to be
+created with different file permissions than they did in BIND 8. If
+necessary, the umask should be set explicitly in the script used to
+start the named process.
diff --git a/doc/misc/migration-4to9 b/doc/misc/migration-4to9
new file mode 100644
index 0000000..4d038a5
--- /dev/null
+++ b/doc/misc/migration-4to9
@@ -0,0 +1,55 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+ BIND 4 to BIND 9 Migration Notes
+
+To transition from BIND 4 to BIND 9 you first need to convert your
+configuration file to the new format. There is a conversion tool in
+contrib/named-bootconf that allows you to do this.
+
+ named-bootconf.sh < /etc/named.boot > /etc/named.conf
+
+BIND 9 uses a system assigned port for the UDP queries it makes rather
+than port 53 that BIND 4 uses. This may conflict with some firewalls.
+The following directives in /etc/named.conf allows you to specify
+a port to use.
+
+ query-source address * port 53;
+ transfer-source * port 53;
+ notify-source * port 53;
+
+BIND 9 no longer uses the minimum field to specify the TTL of records
+without a explicit TTL. Use the $TTL directive to specify a default TTL
+before the first record without a explicit TTL.
+
+ $TTL 3600
+ @ IN SOA ns1.example.com. hostmaster.example.com. (
+ 2001021100
+ 7200
+ 1200
+ 3600000
+ 7200 )
+
+BIND 9 does not support multiple CNAMEs with the same owner name.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. CNAME host2.example.com.
+
+BIND 9 does not support "CNAMEs with other data" with the same owner name,
+ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. MX 10 host2.example.com.
+
+BIND 9 is less tolerant of errors in master files, so check your logs and
+fix any errors reported. The named-checkzone program can also be to check
+master files.
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
diff --git a/doc/misc/options b/doc/misc/options
new file mode 100644
index 0000000..ad6bbb2
--- /dev/null
+++ b/doc/misc/options
@@ -0,0 +1,883 @@
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+acl <string> { <address_match_element>; ... }; // may occur multiple times
+
+controls {
+ inet ( <ipv4_address> | <ipv6_address> |
+ * ) [ port ( <integer> | * ) ] allow
+ { <address_match_element>; ... } [
+ keys { <string>; ... } ] [ read-only
+ <boolean> ]; // may occur multiple times
+ unix <quoted_string> perm <integer>
+ owner <integer> group <integer> [
+ keys { <string>; ... } ] [ read-only
+ <boolean> ]; // may occur multiple times
+}; // may occur multiple times
+
+dlz <string> {
+ database <string>;
+ search <boolean>;
+}; // may occur multiple times
+
+dyndb <string> <quoted_string> {
+ <unspecified-text> }; // may occur multiple times
+
+key <string> {
+ algorithm <string>;
+ secret <string>;
+}; // may occur multiple times
+
+logging {
+ category <string> { <string>; ... }; // may occur multiple times
+ channel <string> {
+ buffered <boolean>;
+ file <quoted_string> [ versions ( "unlimited" | <integer> )
+ ] [ size <size> ];
+ null;
+ print-category <boolean>;
+ print-severity <boolean>;
+ print-time <boolean>;
+ severity <log_severity>;
+ stderr;
+ syslog [ <syslog_facility> ];
+ }; // may occur multiple times
+};
+
+lwres {
+ listen-on [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ lwres-clients <integer>;
+ lwres-tasks <integer>;
+ ndots <integer>;
+ search { <string>; ... };
+ view <string> [ <class> ];
+}; // may occur multiple times
+
+managed-keys { <string> <string> <integer>
+ <integer> <integer> <quoted_string>; ... }; // may occur multiple times
+
+masters <string> [ port <integer> ] [ dscp
+ <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... }; // may occur multiple times
+
+options {
+ acache-cleaning-interval <integer>;
+ acache-enable <boolean>;
+ additional-from-auth <boolean>;
+ additional-from-cache <boolean>;
+ allow-new-zones <boolean>;
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ answer-cookie <boolean>;
+ attach-cache <string>;
+ auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
+ automatic-interface-scan <boolean>;
+ avoid-v4-udp-ports { <portrange>; ... };
+ avoid-v6-udp-ports { <portrange>; ... };
+ bindkeys-file <quoted_string>;
+ blackhole { <address_match_element>; ... };
+ cache-file <quoted_string>;
+ catalog-zones { zone <quoted_string> [ default-masters [ port
+ <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+ in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+ ) ( fail | warn | ignore ); // may occur multiple times
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ cleaning-interval <integer>;
+ clients-per-query <integer>;
+ cookie-algorithm ( aes | sha1 | sha256 );
+ cookie-secret <string>; // may occur multiple times
+ coresize ( default | unlimited | <sizeval> );
+ datasize ( default | unlimited | <sizeval> );
+ deallocate-on-exit <boolean>; // obsolete
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ directory <quoted_string>;
+ disable-algorithms <string> { <string>;
+ ... }; // may occur multiple times
+ disable-ds-digests <string> { <string>;
+ ... }; // may occur multiple times
+ disable-empty-zone <string>; // may occur multiple times
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ }; // may occur multiple times
+ dns64-contact <string>;
+ dns64-server <string>;
+ dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-enable <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-lookaside ( <string> trust-anchor
+ <string> | auto | no ); // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+ resolver ) [ ( query | response ) ]; ... }; // not configured
+ dnstap-identity ( <quoted_string> | none |
+ hostname ); // not configured
+ dnstap-output ( file | unix ) <quoted_string>; // not configured
+ dnstap-version ( <quoted_string> | none ); // not configured
+ dscp <integer>;
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+ <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+ <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+ <integer> ] [ dscp <integer> ] ); ... };
+ dump-file <quoted_string>;
+ edns-udp-size <integer>;
+ empty-contact <string>;
+ empty-server <string>;
+ empty-zones-enable <boolean>;
+ fake-iquery <boolean>; // obsolete
+ fetch-glue <boolean>; // obsolete
+ fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+ fetches-per-server <integer> [ ( drop | fail ) ];
+ fetches-per-zone <integer> [ ( drop | fail ) ];
+ files ( default | unlimited | <sizeval> );
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+ flush-zones-on-shutdown <boolean>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ fstrm-set-buffer-hint <integer>; // not configured
+ fstrm-set-flush-timeout <integer>; // not configured
+ fstrm-set-input-queue-size <integer>; // not configured
+ fstrm-set-output-notify-threshold <integer>; // not configured
+ fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
+ fstrm-set-output-queue-size <integer>; // not configured
+ fstrm-set-reopen-interval <integer>; // not configured
+ geoip-directory ( <quoted_string> | none ); // not configured
+ geoip-use-ecs <boolean>; // not configured
+ has-old-clients <boolean>; // obsolete
+ heartbeat-interval <integer>;
+ host-statistics <boolean>; // not implemented
+ host-statistics-max <integer>; // not implemented
+ hostname ( <quoted_string> | none );
+ inline-signing <boolean>;
+ interface-interval <integer>;
+ ixfr-from-differences ( master | slave | <boolean> );
+ keep-response-order { <address_match_element>; ... };
+ key-directory <quoted_string>;
+ lame-ttl <ttlval>;
+ listen-on [ port <integer> ] [ dscp
+ <integer> ] {
+ <address_match_element>; ... }; // may occur multiple times
+ listen-on-v6 [ port <integer> ] [ dscp
+ <integer> ] {
+ <address_match_element>; ... }; // may occur multiple times
+ lmdb-mapsize <sizeval>; // non-operational
+ lock-file ( <quoted_string> | none );
+ maintain-ixfr-base <boolean>; // obsolete
+ managed-keys-directory <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-mapped-addresses <boolean>;
+ max-acache-size ( unlimited | <sizeval> );
+ max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+ max-cache-ttl <integer>;
+ max-clients-per-query <integer>;
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( unlimited | <sizeval> );
+ max-ncache-ttl <integer>;
+ max-records <integer>;
+ max-recursion-depth <integer>;
+ max-recursion-queries <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-rsa-exponent-size <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-udp-size <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ memstatistics <boolean>;
+ memstatistics-file <quoted_string>;
+ message-compression <boolean>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ min-roots <integer>; // not implemented
+ minimal-any <boolean>;
+ minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ multi-master <boolean>;
+ multiple-cnames <boolean>; // obsolete
+ named-xfer <quoted_string>; // obsolete
+ no-case-compress { <address_match_element>; ... };
+ nocookie-udp-size <integer>;
+ nosit-udp-size <integer>; // obsolete
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-rate <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ nta-lifetime <ttlval>;
+ nta-recheck <ttlval>;
+ nxdomain-redirect <string>;
+ pid-file ( <quoted_string> | none );
+ port <integer>;
+ preferred-glue <string>;
+ prefetch <integer> [ <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ querylog <boolean>;
+ queryport-pool-ports <integer>; // obsolete
+ queryport-pool-updateinterval <integer>; // obsolete
+ random-device <quoted_string>;
+ rate-limit {
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ ipv4-prefix-length <integer>;
+ ipv6-prefix-length <integer>;
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nodata-per-second <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ referrals-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
+ recursing-file <quoted_string>;
+ recursion <boolean>;
+ recursive-clients <integer>;
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ require-server-cookie <boolean>;
+ reserved-sockets <integer>;
+ resolver-query-timeout <integer>;
+ response-policy { zone <quoted_string> [ log <boolean> ] [
+ max-policy-ttl <integer> ] [ policy ( cname | disabled | drop |
+ given | no-op | nodata | nxdomain | passthru | tcp-only
+ <quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
+ break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
+ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
+ rfc2308-type1 <boolean>; // not yet implemented
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ root-key-sentinel <boolean>;
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ secroots-file <quoted_string>;
+ send-cookie <boolean>;
+ serial-queries <integer>; // obsolete
+ serial-query-rate <integer>;
+ serial-update-method ( date | increment | unixtime );
+ server-id ( <quoted_string> | none | hostname );
+ servfail-ttl <ttlval>;
+ session-keyalg <string>;
+ session-keyfile ( <quoted_string> | none );
+ session-keyname <string>;
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ sit-secret <string>; // obsolete
+ sortlist { <address_match_element>; ... };
+ stacksize ( default | unlimited | <sizeval> );
+ startup-notify-rate <integer>;
+ statistics-file <quoted_string>;
+ statistics-interval <integer>; // not yet implemented
+ suppress-initial-notify <boolean>; // not yet implemented
+ tcp-clients <integer>;
+ tcp-listen-queue <integer>;
+ tkey-dhkey <quoted_string> <integer>;
+ tkey-domain <quoted_string>;
+ tkey-gssapi-credential <quoted_string>;
+ tkey-gssapi-keytab <quoted_string>;
+ topology { <address_match_element>; ... }; // not implemented
+ transfer-format ( many-answers | one-answer );
+ transfer-message-size <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ transfers-in <integer>;
+ transfers-out <integer>;
+ transfers-per-ns <integer>;
+ treat-cr-as-space <boolean>; // obsolete
+ trust-anchor-telemetry <boolean>; // experimental
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
+ use-alt-transfer-source <boolean>;
+ use-id-pool <boolean>; // obsolete
+ use-ixfr <boolean>; // obsolete
+ use-queryport-pool <boolean>; // obsolete
+ use-v4-udp-ports { <portrange>; ... };
+ use-v6-udp-ports { <portrange>; ... };
+ v6-bias <integer>;
+ version ( <quoted_string> | none );
+ zero-no-soa-ttl <boolean>;
+ zero-no-soa-ttl-cache <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
+
+server <netprefix> {
+ bogus <boolean>;
+ edns <boolean>;
+ edns-udp-size <integer>;
+ edns-version <integer>;
+ keys <server_key>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ send-cookie <boolean>;
+ support-ixfr <boolean>; // obsolete
+ tcp-only <boolean>;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ transfers <integer>;
+}; // may occur multiple times
+
+statistics-channels {
+ inet ( <ipv4_address> | <ipv6_address> |
+ * ) [ port ( <integer> | * ) ] [
+ allow { <address_match_element>; ...
+ } ]; // may occur multiple times
+}; // may occur multiple times
+
+trusted-keys { <string> <integer> <integer>
+ <integer> <quoted_string>; ... }; // may occur multiple times
+
+view <string> [ <class> ] {
+ acache-cleaning-interval <integer>;
+ acache-enable <boolean>;
+ additional-from-auth <boolean>;
+ additional-from-cache <boolean>;
+ allow-new-zones <boolean>;
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-cache { <address_match_element>; ... };
+ allow-query-cache-on { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-recursion { <address_match_element>; ... };
+ allow-recursion-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ attach-cache <string>;
+ auth-nxdomain <boolean>; // default changed
+ auto-dnssec ( allow | maintain | off );
+ cache-file <quoted_string>;
+ catalog-zones { zone <quoted_string> [ default-masters [ port
+ <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [
+ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
+ <string> ]; ... } ] [ zone-directory <quoted_string> ] [
+ in-memory <boolean> ] [ min-update-interval <integer> ]; ... };
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( master | slave | response
+ ) ( fail | warn | ignore ); // may occur multiple times
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ cleaning-interval <integer>;
+ clients-per-query <integer>;
+ deny-answer-addresses { <address_match_element>; ... } [
+ except-from { <quoted_string>; ... } ];
+ deny-answer-aliases { <quoted_string>; ... } [ except-from {
+ <quoted_string>; ... } ];
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ disable-algorithms <string> { <string>;
+ ... }; // may occur multiple times
+ disable-ds-digests <string> { <string>;
+ ... }; // may occur multiple times
+ disable-empty-zone <string>; // may occur multiple times
+ dlz <string> {
+ database <string>;
+ search <boolean>;
+ }; // may occur multiple times
+ dns64 <netprefix> {
+ break-dnssec <boolean>;
+ clients { <address_match_element>; ... };
+ exclude { <address_match_element>; ... };
+ mapped { <address_match_element>; ... };
+ recursive-only <boolean>;
+ suffix <ipv6_address>;
+ }; // may occur multiple times
+ dns64-contact <string>;
+ dns64-server <string>;
+ dnssec-accept-expired <boolean>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-enable <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-lookaside ( <string> trust-anchor
+ <string> | auto | no ); // may occur multiple times
+ dnssec-must-be-secure <string> <boolean>; // may occur multiple times
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ dnssec-validation ( yes | no | auto );
+ dnstap { ( all | auth | client | forwarder |
+ resolver ) [ ( query | response ) ]; ... }; // not configured
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
+ <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
+ <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
+ <integer> ] [ dscp <integer> ] ); ... };
+ dyndb <string> <quoted_string> {
+ <unspecified-text> }; // may occur multiple times
+ edns-udp-size <integer>;
+ empty-contact <string>;
+ empty-server <string>;
+ empty-zones-enable <boolean>;
+ fetch-glue <boolean>; // obsolete
+ fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
+ fetches-per-server <integer> [ ( drop | fail ) ];
+ fetches-per-zone <integer> [ ( drop | fail ) ];
+ filter-aaaa { <address_match_element>; ... }; // not configured
+ filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured
+ filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ inline-signing <boolean>;
+ ixfr-from-differences ( master | slave | <boolean> );
+ key <string> {
+ algorithm <string>;
+ secret <string>;
+ }; // may occur multiple times
+ key-directory <quoted_string>;
+ lame-ttl <ttlval>;
+ lmdb-mapsize <sizeval>; // non-operational
+ maintain-ixfr-base <boolean>; // obsolete
+ managed-keys { <string> <string>
+ <integer> <integer> <integer>
+ <quoted_string>; ... }; // may occur multiple times
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ match-clients { <address_match_element>; ... };
+ match-destinations { <address_match_element>; ... };
+ match-recursive-only <boolean>;
+ max-acache-size ( unlimited | <sizeval> );
+ max-cache-size ( default | unlimited | <sizeval> | <percentage> );
+ max-cache-ttl <integer>;
+ max-clients-per-query <integer>;
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( unlimited | <sizeval> );
+ max-ncache-ttl <integer>;
+ max-records <integer>;
+ max-recursion-depth <integer>;
+ max-recursion-queries <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-udp-size <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ message-compression <boolean>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ min-roots <integer>; // not implemented
+ minimal-any <boolean>;
+ minimal-responses ( no-auth | no-auth-recursive | <boolean> );
+ multi-master <boolean>;
+ no-case-compress { <address_match_element>; ... };
+ nocookie-udp-size <integer>;
+ nosit-udp-size <integer>; // obsolete
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ nta-lifetime <ttlval>;
+ nta-recheck <ttlval>;
+ nxdomain-redirect <string>;
+ preferred-glue <string>;
+ prefetch <integer> [ <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
+ port ( <integer> | * ) ) ) [ dscp <integer> ];
+ queryport-pool-ports <integer>; // obsolete
+ queryport-pool-updateinterval <integer>; // obsolete
+ rate-limit {
+ all-per-second <integer>;
+ errors-per-second <integer>;
+ exempt-clients { <address_match_element>; ... };
+ ipv4-prefix-length <integer>;
+ ipv6-prefix-length <integer>;
+ log-only <boolean>;
+ max-table-size <integer>;
+ min-table-size <integer>;
+ nodata-per-second <integer>;
+ nxdomains-per-second <integer>;
+ qps-scale <integer>;
+ referrals-per-second <integer>;
+ responses-per-second <integer>;
+ slip <integer>;
+ window <integer>;
+ };
+ recursion <boolean>;
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ require-server-cookie <boolean>;
+ resolver-query-timeout <integer>;
+ response-policy { zone <quoted_string> [ log <boolean> ] [
+ max-policy-ttl <integer> ] [ policy ( cname | disabled | drop |
+ given | no-op | nodata | nxdomain | passthru | tcp-only
+ <quoted_string> ) ] [ recursive-only <boolean> ]; ... } [
+ break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [
+ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [
+ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ];
+ rfc2308-type1 <boolean>; // not yet implemented
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ root-key-sentinel <boolean>;
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ send-cookie <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server <netprefix> {
+ bogus <boolean>;
+ edns <boolean>;
+ edns-udp-size <integer>;
+ edns-version <integer>;
+ keys <server_key>;
+ max-udp-size <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ] [ dscp <integer> ];
+ provide-ixfr <boolean>;
+ query-source ( ( [ address ] ( <ipv4_address> | * ) [ port
+ ( <integer> | * ) ] ) | ( [ [ address ] (
+ <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [
+ dscp <integer> ];
+ query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [
+ port ( <integer> | * ) ] ) | ( [ [ address ] (
+ <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [
+ dscp <integer> ];
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ request-nsid <boolean>;
+ request-sit <boolean>; // obsolete
+ send-cookie <boolean>;
+ support-ixfr <boolean>; // obsolete
+ tcp-only <boolean>;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ transfers <integer>;
+ }; // may occur multiple times
+ servfail-ttl <ttlval>;
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ sortlist { <address_match_element>; ... };
+ suppress-initial-notify <boolean>; // not yet implemented
+ topology { <address_match_element>; ... }; // not implemented
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ trust-anchor-telemetry <boolean>; // experimental
+ trusted-keys { <string> <integer>
+ <integer> <integer> <quoted_string>;
+ ... }; // may occur multiple times
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
+ use-alt-transfer-source <boolean>;
+ use-queryport-pool <boolean>; // obsolete
+ v6-bias <integer>;
+ zero-no-soa-ttl <boolean>;
+ zero-no-soa-ttl-cache <boolean>;
+ zone <string> [ <class> ] {
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { (
+ <masters> | <ipv4_address> [ port <integer> ] |
+ <ipv6_address> [ port <integer> ] ) [ key <string> ];
+ ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh |
+ <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { (
+ <ipv4_address> | <ipv6_address> ) [ port <integer> ] [
+ dscp <integer> ]; ... };
+ in-view <string>;
+ inline-signing <boolean>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-from-differences <boolean>;
+ ixfr-tmp-file <quoted_string>; // obsolete
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ maintain-ixfr-base <boolean>; // obsolete
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters>
+ | <ipv4_address> [ port <integer> ] | <ipv6_address> [
+ port <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-log-size ( default | unlimited |
+ <sizeval> ); // obsolete
+ max-journal-size ( unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ] [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ pubkey <integer>
+ <integer>
+ <integer>
+ <quoted_string>; // obsolete, may occur multiple times
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [
+ port <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ type ( delegation-only | forward | hint | master | redirect
+ | slave | static-stub | stub );
+ update-check-ksk <boolean>;
+ update-policy ( local | { ( deny | grant ) <string> (
+ 6to4-self | external | krb5-self | krb5-selfsub |
+ krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
+ name | self | selfsub | selfwild | subdomain | tcp-self
+ | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+ }; // may occur multiple times
+ zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
+zone <string> [ <class> ] {
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-dup-records ( fail | warn | ignore );
+ check-integrity <boolean>;
+ check-mx ( fail | warn | ignore );
+ check-mx-cname ( fail | warn | ignore );
+ check-names ( fail | warn | ignore );
+ check-sibling <boolean>;
+ check-spf ( warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
+ check-wildcard <boolean>;
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-secure-to-insecure <boolean>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
+ | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ in-view <string>;
+ inline-signing <boolean>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-from-differences <boolean>;
+ ixfr-tmp-file <quoted_string>; // obsolete
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ maintain-ixfr-base <boolean>; // obsolete
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> |
+ <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
+ <integer> ] ) [ key <string> ]; ... };
+ max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete
+ max-journal-size ( unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
+ [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ pubkey <integer> <integer>
+ <integer> <quoted_string>; // obsolete, may occur multiple times
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ serial-update-method ( date | increment | unixtime );
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port
+ <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
+ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
+ ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ type ( delegation-only | forward | hint | master | redirect | slave
+ | static-stub | stub );
+ update-check-ksk <boolean>;
+ update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
+ external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
+ | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
+ | subdomain | tcp-self | wildcard | zonesub ) [ <string> ]
+ <rrtypelist>; ... };
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+}; // may occur multiple times
+
diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt
new file mode 100644
index 0000000..a127de9
--- /dev/null
+++ b/doc/misc/redirect.zoneopt
@@ -0,0 +1,13 @@
+zone <string> [ <class> ] {
+ type redirect;
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ dlz <string>;
+ file <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-records <integer>;
+ max-zone-ttl ( unlimited | <ttlval> );
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance
new file mode 100644
index 0000000..0dbc9d4
--- /dev/null
+++ b/doc/misc/rfc-compliance
@@ -0,0 +1,160 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+BIND 9 is striving for strict compliance with IETF standards. We
+believe this release of BIND 9 complies with the following RFCs, with
+the caveats and exceptions listed in the numbered notes below. Note
+that a number of these RFCs do not have the status of Internet
+standards but are proposed or draft standards, experimental RFCs,
+or Best Current Practice (BCP) documents. The list is non exhaustive.
+
+ RFC1034
+ RFC1035 [1] [2]
+ RFC1123
+ RFC1183
+ RFC1535
+ RFC1536
+ RFC1706
+ RFC1712
+ RFC1750
+ RFC1876
+ RFC1982
+ RFC1995
+ RFC1996
+ RFC2136
+ RFC2163
+ RFC2181
+ RFC2230
+ RFC2308
+ RFC2536
+ RFC2539
+ RFC2782
+ RFC2915
+ RFC2930
+ RFC2931 [5]
+ RFC3007
+ RFC3110
+ RFC3123
+ RFC3225
+ RFC3226
+ RFC3363 [6]
+ RFC3490 [7]
+ RFC3491 (Obsoleted by 5890, 5891) [7]
+ RFC3493
+ RFC3496
+ RFC3597
+ RFC3645
+ RFC4025
+ RFC4034
+ RFC4035
+ RFC4074
+ RFC4255
+ RFC4294 - Section 5.1 [8]
+ RFC4343
+ RFC4398
+ RFC4408
+ RFC4431
+ RFC4470 [9]
+ RFC4509
+ RFC4635
+ RFC4701
+ RFC4892
+ RFC4955 [10]
+ RFC5001
+ RFC5011
+ RFC5155
+ RFC5205
+ RFC5452 [11]
+ RFC5702
+ RFC5933 [12]
+ RFC5936
+ RFC5952
+ RFC5966
+ RFC6052
+ RFC6147 [13]
+ RFC6303
+ RFC6605 [14]
+ RFC6672
+ RFC6698
+ RFC6742
+ RFC6840 [15]
+ RFC6844
+ RFC6891
+ RFC7043
+ RFC7314
+ RFC7477
+ RFC7793
+ RFC7830 [16]
+
+The following DNS related RFC have been obsoleted
+
+ RFC2535 (Obsoleted by 4034, 4035) [3] [4]
+ RFC2537 (Obsoleted by 3110)
+ RFC2538 (Obsoleted by 4398)
+ RFC2671 (Obsoleted by 6891)
+ RFC2672 (Obsoleted by 6672)
+ RFC2673 (Obsoleted by 6891)
+ RFC3008 (Obsoleted by 4034, 4035)
+ RFC3152 (Obsoleted by 3596)
+ RFC3445 (Obsoleted by 4034, 4035)
+ RFC3655 (Obsoleted by 4034, 4035)
+ RFC3658 (Obsoleted by 4034, 4035)
+ RFC3755 (Obsoleted by 4034, 4035)
+ RFC3757 (Obsoleted by 4034, 4035)
+ RFC3845 (Obsoleted by 4034, 4035)
+
+[1] Queries to zones that have failed to load return SERVFAIL rather
+than a non-authoritative response. This is considered a feature.
+
+[2] CLASS ANY queries are not supported. This is considered a
+feature.
+
+[3] Wildcard records are not supported in DNSSEC secure zones.
+
+[4] Servers authoritative for secure zones being resolved by BIND
+9 must support EDNS0 (RFC2671), and must return all relevant SIGs
+and NXTs in responses rather than relying on the resolving server
+to perform separate queries for missing SIGs and NXTs.
+
+[5] When receiving a query signed with a SIG(0), the server will
+only be able to verify the signature if it has the key in its local
+authoritative data; it will not do recursion or validation to
+retrieve unknown keys.
+
+[6] Section 4 is ignored.
+
+[7] Requires --with-idn to enable entry of IDN labels within dig,
+host and nslookup at compile time. ACE labels are supported
+everywhere with or without --with-idn.
+
+[8] Section 5.1 - DNAME records are fully supported.
+
+[9] Minimally Covering NSEC Record are accepted but not generated.
+
+[10] Will interoperate with correctly designed experiments.
+
+[11] Named only uses ports to extend the id space, address are not
+used.
+
+[12] Conditional on the OpenSSL library being linked against
+supporting GOST.
+
+[13] Section 5.5 does not match reality. Named uses the presence
+of DO=1 to detect if validation may be occuring. CD has no bearing
+on whether validation is occuring or not.
+
+[14] Conditional on the OpenSSL library being linked against
+supporting ECDSA.
+
+[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
+it prevents DNSSEC working correctly through another recursive server.
+
+When talking to a recurive server the best algorithm to do is send
+CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
+server has a bad clock and/or bad trust anchor. Alternatively one
+can send CD=1 then CD=0 on validation failure in case the recursive
+server is under attack or there is stale / bogus authoritative data.
+
+[16] Named doesn't currently encrypt DNS requests so the PAD option
+is accepted but not returned in responses.
diff --git a/doc/misc/roadmap b/doc/misc/roadmap
new file mode 100644
index 0000000..3ce9dbc
--- /dev/null
+++ b/doc/misc/roadmap
@@ -0,0 +1,47 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
+
+Road Map to the BIND 9 Source Tree
+
+bin/named The name server. This relies heavily on the
+ libraries in lib/isc and lib/dns.
+ client.c Handling of incoming client requests
+ query.c Query processing
+bin/rndc The remote name daemon control program
+bin/dig The "dig" program
+bin/dnssec The DNSSEC signer and other DNSSEC tools
+bin/nsupdate The "nsupdate" program
+bin/tests Test suites and miscellaneous test programs
+bin/tests/system System tests; see bin/tests/system/README
+lib/dns The DNS library
+ resolver.c The "full resolver" (performs recursive lookups)
+ validator.c The DNSSEC validator
+ db.c The database interface
+ sdb.c The simple database interface
+ rbtdb.c The red-black tree database
+lib/dns/rdata Routines for handling the various RR types
+lib/dns/sec Cryptographic libraries for DNSSEC
+lib/isc The ISC library
+ task.c Task library
+ unix/socket.c Unix implementation of socket library
+lib/isccfg Routines for reading and writing ISC-style
+ configuration files like named.conf and rndc.conf
+lib/isccc The command channel library, used by rndc.
+lib/tests Support code for the test suites.
+lib/lwres The lightweight resolver library.
+doc/draft Current internet-drafts pertaining to the DNS
+doc/rfc RFCs pertaining to the DNS
+doc/misc Miscellaneous documentation
+doc/arm The BIND 9 Administrator Reference Manual
+doc/man Man pages
+contrib Contributed and other auxiliary code
+contrib/idn/mdnkit The multilingual domain name evaluation kit
+contrib/sdb Sample drivers for the simple database interface
+make Makefile fragments, used by configure
+
+The library interfaces are mainly documented in the form of comments
+in the header files. For example, the task subsystem is documented in
+lib/isc/include/isc/task.h
diff --git a/doc/misc/sdb b/doc/misc/sdb
new file mode 100644
index 0000000..d36e79c
--- /dev/null
+++ b/doc/misc/sdb
@@ -0,0 +1,167 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Using the BIND 9 Simplified Database Interface
+
+This document describes the care and feeding of the BIND 9 Simplified
+Database Interface, which allows you to extend BIND 9 with new ways
+of obtaining the data that is published as DNS zones.
+
+
+The Original BIND 9 Database Interface
+
+BIND 9 has a well-defined "back-end database interface" that makes it
+possible to replace the component of the name server responsible for
+the storage and retrieval of zone data, called the "database", on a
+per-zone basis. The default database is an in-memory, red-black-tree
+data structure commonly referred to as "rbtdb", but it is possible to
+write drivers to support any number of alternative database
+technologies such as in-memory hash tables, application specific
+persistent on-disk databases, object databases, or relational
+databases.
+
+The original BIND 9 database interface defined in <dns/db.h> is
+designed to efficiently support the full set of database functionality
+needed by a name server that implements the complete DNS protocols,
+including features such as zone transfers, dynamic update, and DNSSEC.
+Each of these aspects of name server operations places its own set of
+demands on the data store, with the result that the database API is
+quite complex and contains operations that are highly specific to the
+DNS. For example, data are stored in a binary format, the name space
+is tree structured, and sets of data records are conceptually
+associated with DNSSEC signature sets. For these reasons, writing a
+driver using this interface is a highly nontrivial undertaking.
+
+
+The Simplified Database Interface
+
+Many BIND users wish to provide access to various data sources through
+the DNS, but are not necessarily interested in completely replacing
+the in-memory "rbt" database or in supporting features like dynamic
+update, DNSSEC, or even zone transfers.
+
+Often, all you want is limited, read-only DNS access to an existing
+system. For example, you may have an existing relational database
+containing hostname/address mappings and wish to provide forvard and
+reverse DNS lookups based on this information. Or perhaps you want to
+set up a simple DNS-based load balancing system where the name server
+answers queries about a single DNS name with a dynamically changing
+set of A records.
+
+BIND 9.1 introduced a new, simplified database interface, or "sdb",
+which greatly simplifies the writing of drivers for these kinds of
+applications.
+
+
+The sdb Driver
+
+An sdb driver is an object module, typically written in C, which is
+linked into the name server and registers itself with the sdb
+subsystem. It provides a set of callback functions, which also serve
+to advertise its capabilities. When the name server receives DNS
+queries, invokes the callback functions to obtain the data to respond
+with.
+
+Unlike the full database interface, the sdb interface represents all
+domain names and resource records as ASCII text.
+
+
+Writing an sdb Driver
+
+When a driver is registered, it specifies its name, a list of callback
+functions, and flags.
+
+The flags specify whether the driver wants to use relative domain
+names where possible.
+
+The callback functions are as follows. The only one that must be
+defined is lookup().
+
+ - create(zone, argc, argv, driverdata, dbdata)
+ Create a database object for "zone".
+
+ - destroy(zone, driverdata, dbdata)
+ Destroy the database object for "zone".
+
+ - lookup(zone, name, dbdata, lookup)
+ Return all the records at the domain name "name".
+
+ - authority(zone, dbdata, lookup)
+ Return the SOA and NS records at the zone apex.
+
+ - allnodes(zone, dbdata, allnodes)
+ Return all data in the zone, for zone transfers.
+
+For more detail about these functions and their parameters, see
+bind9/lib/dns/include/dns/sdb.h. For example drivers, see
+bind9/contrib/sdb.
+
+
+Rebuilding the Server
+
+The driver module and header file must be copied to (or linked into)
+the bind9/bin/named and bind9/bin/named/include directories
+respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS
+lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver,
+add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If
+the driver needs additional header files or libraries in nonstandard
+places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be
+updated.
+
+Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers,
+e.g. timedb_init() and timedb_clear() for the timedb sample sdb
+driver) must be inserted into the server, in bind9/bin/named/main.c.
+Registration should be in setup(), before the call to
+ns_server_create(). Unregistration should be in cleanup(),
+after the call to ns_server_destroy(). A #include should be added
+corresponding to the driver header file.
+
+You should try doing this with one or more of the sample drivers
+before attempting to write a driver of your own.
+
+
+Configuring the Server
+
+To make a zone use a new database driver, specify a "database" option
+in its "zone" statement in named.conf. For example, if the driver
+registers itself under the name "acmedb", you might say
+
+ zone "foo.com" {
+ database "acmedb";
+ };
+
+You can pass arbitrary arguments to the create() function of the
+driver by adding any number of whitespace-separated words after the
+driver name:
+
+ zone "foo.com" {
+ database "acmedb -mode sql -connect 10.0.0.1";
+ };
+
+
+Hints for Driver Writers
+
+ - If a driver is generating data on the fly, it probably should
+ not implement the allnodes() function, since a zone transfer
+ will not be meaningful. The allnodes() function is more relevant
+ with data from a database.
+
+ - The authority() function is necessary if and only if the lookup()
+ function will not add SOA and NS records at the zone apex. If
+ SOA and NS records are provided by the lookup() function,
+ the authority() function should be NULL.
+
+ - When a driver is registered, an opaque object can be provided. This
+ object is passed into the database create() and destroy() functions.
+
+ - When a database is created, an opaque object can be created that
+ is associated with that database. This object is passed into the
+ lookup(), authority(), and allnodes() functions, and is
+ destroyed by the destroy() function.
+
+
+Future Directions
+
+A future release may support dynamic loading of sdb drivers.
+
diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt
new file mode 100644
index 0000000..e4107b2
--- /dev/null
+++ b/doc/misc/slave.zoneopt
@@ -0,0 +1,59 @@
+zone <string> [ <class> ] {
+ type ( slave | secondary );
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ auto-dnssec ( allow | maintain | off );
+ check-names ( fail | warn | ignore );
+ database <string>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ dlz <string>;
+ dnssec-dnskey-kskonly <boolean>;
+ dnssec-loadkeys-interval <integer>;
+ dnssec-update-mode ( maintain | no-resign );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ inline-signing <boolean>;
+ ixfr-from-differences <boolean>;
+ journal <quoted_string>;
+ key-directory <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-journal-size ( unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ notify-to-soa <boolean>;
+ nsec3-test-zone <boolean>; // test only
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ sig-signing-nodes <integer>;
+ sig-signing-signatures <integer>;
+ sig-signing-type <integer>;
+ sig-validity-interval <integer> [ <integer> ];
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ update-check-ksk <boolean>;
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/sort-options.pl b/doc/misc/sort-options.pl
new file mode 100644
index 0000000..500f060
--- /dev/null
+++ b/doc/misc/sort-options.pl
@@ -0,0 +1,43 @@
+#!/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+sub sortlevel() {
+ my @options = ();
+ my $fin = "";
+ my $i = 0;
+ while (<>) {
+ if (/^\s*};$/ || /^\s*}; \/\/.*$/) {
+ $fin = $_;
+ # print 2, $_;
+ last;
+ }
+ next if (/^$/);
+ if (/{$/) {
+ # print 3, $_;
+ my $sec = $_;
+ push(@options, $sec . sortlevel());
+ } else {
+ push(@options, $_);
+ # print 1, $_;
+ }
+ $i++;
+ }
+ my $result = "";
+ foreach my $i (sort @options) {
+ $result = ${result}.${i};
+ $result = $result."\n" if ($i =~ /^[a-z]/i);
+ # print 5, ${i};
+ }
+ $result = ${result}.${fin};
+ return ($result);
+}
+
+print sortlevel();
diff --git a/doc/misc/static-stub.zoneopt b/doc/misc/static-stub.zoneopt
new file mode 100644
index 0000000..74abe0b
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt
@@ -0,0 +1,11 @@
+zone <string> [ <class> ] {
+ type static-stub;
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ max-records <integer>;
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/stub.zoneopt b/doc/misc/stub.zoneopt
new file mode 100644
index 0000000..b18b102
--- /dev/null
+++ b/doc/misc/stub.zoneopt
@@ -0,0 +1,27 @@
+zone <string> [ <class> ] {
+ type stub;
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ check-names ( fail | warn | ignore );
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-time-in <integer>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/tcp-fast-open b/doc/misc/tcp-fast-open
new file mode 100644
index 0000000..020ec05
--- /dev/null
+++ b/doc/misc/tcp-fast-open
@@ -0,0 +1,32 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Some systems (Linux, FreeBSD, OS X/macOS and Windows 10) support
+the TCP Fast Open (RFC 7413) mechanism in their recent versions.
+
+BIND 9 supports this on the server side.
+
+When the TCP_FASTOPEN socket option is defined after the listen()
+system call the socket code in the libisc set the option with
+the half of the listen backlog (so the fast open maximum queue length
+is the half of the pending connection queue length).
+Any failure is logged and ignored.
+
+System specific notes:
+ - FreeBSD doesn't interpret the argument as a queue length but
+ only as an on/off switch.
+
+ - Using TCP Fast Open on FreeBSD, as of versions 10.3 and 11.0, requires
+ compiling a custom kernel and setting the "net.inet.tcp.fastopen.enabled"
+ sysctl to 1.
+
+ - Apple OS X/macOS allows only 0 or 1 so the code puts 1 for this system.
+
+ - Windows 10 uses a 0/1 char flag? Note that TCP_FASTOPEN is defined
+ only in SDK 10.0.14393.0 or higher (Visual Studio 2015 requires
+ extra setting of the "Target Platform Version" in all project
+ properties).
+
+ - the only other system known to support this is Linux.
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-24 19:26:39 +0000