Diffstat (limited to 'doc/misc')
-rw-r--r-- | doc/misc/Makefile.in | 73 | ||||
-rw-r--r-- | doc/misc/delegation-only.zoneopt | 3 | ||||
-rw-r--r-- | doc/misc/dnssec | 81 | ||||
-rw-r--r-- | doc/misc/docbook-grammars.pl | 85 | ||||
-rw-r--r-- | doc/misc/docbook-options.pl | 184 | ||||
-rw-r--r-- | doc/misc/docbook-zoneopt.pl | 64 | ||||
-rw-r--r-- | doc/misc/format-options.pl | 41 | ||||
-rw-r--r-- | doc/misc/forward.zoneopt | 6 | ||||
-rw-r--r-- | doc/misc/hint.zoneopt | 6 | ||||
-rw-r--r-- | doc/misc/in-view.zoneopt | 3 | ||||
-rw-r--r-- | doc/misc/ipv6 | 111 | ||||
-rw-r--r-- | doc/misc/master.zoneopt | 56 | ||||
-rw-r--r-- | doc/misc/migration | 264 | ||||
-rw-r--r-- | doc/misc/migration-4to9 | 55 | ||||
-rw-r--r-- | doc/misc/options | 883 | ||||
-rw-r--r-- | doc/misc/redirect.zoneopt | 13 | ||||
-rw-r--r-- | doc/misc/rfc-compliance | 160 | ||||
-rw-r--r-- | doc/misc/roadmap | 47 | ||||
-rw-r--r-- | doc/misc/sdb | 167 | ||||
-rw-r--r-- | doc/misc/slave.zoneopt | 59 | ||||
-rw-r--r-- | doc/misc/sort-options.pl | 43 | ||||
-rw-r--r-- | doc/misc/static-stub.zoneopt | 11 | ||||
-rw-r--r-- | doc/misc/stub.zoneopt | 27 | ||||
-rw-r--r-- | doc/misc/tcp-fast-open | 32 |
24 files changed, 2474 insertions, 0 deletions
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
new file mode 100644
index 0000000..c4967ff
--- /dev/null
+++ b/doc/misc/Makefile.in
@@ -0,0 +1,73 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_MAKE_RULES@ + +PERL = @PERL@ + +MANOBJS = options + +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f options + +# Do not make options depend on ../../bin/tests/cfg_test, doing so +# will cause excessively clever versions of make to attempt to build +# that program right here, right now, if it is missing, which will +# cause make doc to bomb. + +CFG_TEST = ../../bin/tests/cfg_test + +options: FORCE + if test -x ${CFG_TEST} ; \ + then \ + ${CFG_TEST} --named --grammar > $@.raw ; \ + ${CFG_TEST} --zonegrammar master > master.zoneopt ; \ + ${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \ + ${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \ + ${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \ + ${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \ + ${CFG_TEST} --zonegrammar static-stub > static-stub.zoneopt ; \ + ${CFG_TEST} --zonegrammar redirect > redirect.zoneopt ; \ + ${CFG_TEST} --zonegrammar delegation-only > delegation-only.zoneopt ; \ + ${CFG_TEST} --zonegrammar in-view > in-view.zoneopt ; \ + ${PERL} ${srcdir}/sort-options.pl < $@.raw > $@.sorted ; \ + ${PERL} ${srcdir}/format-options.pl < $@.sorted > $@.new ; \ + mv -f $@.new $@ ; \ + rm -f $@.raw $@.sorted ; \ + else \ + rm -f $@.new $@.raw $@.sorted ; \ + fi + +docbook: options + ${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook + ${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml + ${PERL} docbook-zoneopt.pl slave.zoneopt > 
${top_srcdir}/doc/arm/slave.zoneopt.xml + ${PERL} docbook-zoneopt.pl forward.zoneopt > ${top_srcdir}/doc/arm/forward.zoneopt.xml + ${PERL} docbook-zoneopt.pl hint.zoneopt > ${top_srcdir}/doc/arm/hint.zoneopt.xml + ${PERL} docbook-zoneopt.pl stub.zoneopt > ${top_srcdir}/doc/arm/stub.zoneopt.xml + ${PERL} docbook-zoneopt.pl static-stub.zoneopt > ${top_srcdir}/doc/arm/static-stub.zoneopt.xml + ${PERL} docbook-zoneopt.pl redirect.zoneopt > ${top_srcdir}/doc/arm/redirect.zoneopt.xml + ${PERL} docbook-zoneopt.pl delegation-only.zoneopt > ${top_srcdir}/doc/arm/delegation-only.zoneopt.xml + ${PERL} docbook-zoneopt.pl in-view.zoneopt > ${top_srcdir}/doc/arm/in-view.zoneopt.xml + ${PERL} docbook-grammars.pl options acl > ${top_srcdir}/doc/arm/acl.grammar.xml + ${PERL} docbook-grammars.pl options controls > ${top_srcdir}/doc/arm/controls.grammar.xml + ${PERL} docbook-grammars.pl options key > ${top_srcdir}/doc/arm/key.grammar.xml + ${PERL} docbook-grammars.pl options logging > ${top_srcdir}/doc/arm/logging.grammar.xml + ${PERL} docbook-grammars.pl options masters > ${top_srcdir}/doc/arm/masters.grammar.xml + ${PERL} docbook-grammars.pl options options > ${top_srcdir}/doc/arm/options.grammar.xml + ${PERL} docbook-grammars.pl options server > ${top_srcdir}/doc/arm/server.grammar.xml + ${PERL} docbook-grammars.pl options statistics-channels > ${top_srcdir}/doc/arm/statistics-channels.grammar.xml + ${PERL} docbook-grammars.pl options trusted-keys > ${top_srcdir}/doc/arm/trusted-keys.grammar.xml + ${PERL} docbook-grammars.pl options managed-keys > ${top_srcdir}/doc/arm/managed-keys.grammar.xml diff --git a/doc/misc/delegation-only.zoneopt b/doc/misc/delegation-only.zoneopt new file mode 100644 index 0000000..ab86327 --- /dev/null +++ b/doc/misc/delegation-only.zoneopt @@ -0,0 +1,3 @@ +zone <string> [ <class> ] { + type delegation-only; +}; diff --git a/doc/misc/dnssec b/doc/misc/dnssec new file mode 100644 index 0000000..84db388 --- /dev/null +++ b/doc/misc/dnssec 
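Review bot: The `docbook` target invokes `docbook-options.pl`, `docbook-zoneopt.pl` and `docbook-grammars.pl` by bare name, while the `options` target above it uses `${PERL} ${srcdir}/sort-options.pl`; with `VPATH = @srcdir@` set at the top of the file, an out-of-tree build resolves the bare names against the build directory and the recipe fails, so each line should read `${PERL} ${srcdir}/docbook-options.pl options > ...` (and likewise for the other two scripts). In the `options` recipe the `${CFG_TEST}` invocations are chained with `;`, so a cfg_test that exits non-zero still leaves an empty or partial `$@.raw` that is sorted, formatted and moved into place as `options` with a zero exit status; chaining the steps with `&&` (or appending `|| exit 1` to each) would make the failure visible to make. The comment above `CFG_TEST` explains why `options` does not depend on the binary, which is fine, but a one-line comment on the `else` branch, `# cfg_test not built: leave the checked-in options file untouched`, would make the silent fallback intentional rather than surprising.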
@@ -0,0 +1,81 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +DNSSEC Release Notes + +This document summarizes the state of the DNSSEC implementation in +this release of BIND9. + + +OpenSSL Library Required + +To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of +the OpenSSL library. As of BIND 9.2, the library is no longer +included in the distribution - it must be provided by the operating +system or installed separately. + +To build BIND 9 with OpenSSL, use "configure --with-openssl". If +the OpenSSL library is installed in a nonstandard location, you can +specify a path as in "configure --with-openssl=/var". + + +Key Generation and Signing + +The tools for generating DNSSEC keys and signatures are now in the +bin/dnssec directory. Documentation for these programs can be found +in doc/arm/Bv9ARM.4.html and the man pages. + +The random data used in generating DNSSEC keys and signatures comes +from either /dev/random (if the OS supports it) or keyboard input. +Alternatively, a device or file containing entropy/random data can be +specified. + + +Serving Secure Zones + +When acting as an authoritative name server, BIND9 includes KEY, SIG +and NXT records in responses as specified in RFC2535 when the request +has the DO flag set in the query. + + +Secure Resolution + +Basic support for validation of DNSSEC signatures in responses has +been implemented but should still be considered experimental. + +When acting as a caching name server, BIND9 is capable of performing +basic DNSSEC validation of positive as well as nonexistence responses. +This functionality is enabled by including a "trusted-keys" clause +in the configuration file, containing the top-level zone key of the +the DNSSEC tree. + +Validation of wildcard responses is not currently supported. 
In +particular, a "name does not exist" response will validate +successfully even if it does not contain the NXT records to prove the +nonexistence of a matching wildcard. + +Proof of insecure status for insecure zones delegated from secure +zones works when the zones are completely insecure. Privately +secured zones delegated from secure zones will not work in all cases, +such as when the privately secured zone is served by the same server +as an ancestor (but not parent) zone. + +Handling of the CD bit in queries is now fully implemented. Validation +is not attempted for recursive queries if CD is set. + + +Secure Dynamic Update + +Dynamic update of secure zones has been implemented, but may not be +complete. Affected NXT and SIG records are updated by the server when +an update occurs. Advanced access control is possible using the +"update-policy" statement in the zone definition. + + +Secure Zone Transfers + +BIND 9 does not implement the zone transfer security mechanisms of +RFC2535 section 5.6, and we have no plans to implement them in the +future as we consider them inferior to the use of TSIG or SIG(0) to +ensure the integrity of zone transfers. diff --git a/doc/misc/docbook-grammars.pl b/doc/misc/docbook-grammars.pl new file mode 100644 index 0000000..43f47e8 --- /dev/null +++ b/doc/misc/docbook-grammars.pl 
@@ -0,0 +1,85 @@ +#!/usr/bin/perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use warnings; +use strict; +use Time::Piece; + +if (@ARGV < 2) { + print STDERR <<'END'; +usage: + perl docbook-options.pl options_file section > section.grammar.xml +END + exit 1; +} + +my $FILE = shift; +my $SECTION = shift; + +open (FH, "<", $FILE) or die "Can't open $FILE"; + +my $t = Time::Piece->new(); +my $year = $t->year; + +print <<END; +<!-- + - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. +--> + +<!-- Generated by doc/misc/docbook-options.pl --> + +<programlisting> +END + +# skip preamble +my $preamble = 0; +while (<FH>) { + if (m{^\s*$}) { + last if $preamble > 0; + } else { + $preamble++; + } +} + +my $display = 0; +while (<FH>) { + if (m{^$SECTION\b}) { + $display = 1 + } + + if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) { + next; + } + + s{ // not configured}{}; + s{ // non-operational}{}; + s{ // may occur multiple times}{}; + s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; + s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>}; + s{[[]}{[}g; + s{[]]}{]}g; + s{ }{\t}g; + + if (m{^\s*$} && $display) { + last; + } + if ($display) { + print; + } +} + +print <<END; +</programlisting> +END diff --git a/doc/misc/docbook-options.pl b/doc/misc/docbook-options.pl new file mode 100644 index 0000000..6495b53 --- /dev/null +++ b/doc/misc/docbook-options.pl 
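Review bot: The usage text and the `<!-- Generated by ... -->` marker in docbook-grammars.pl both name `docbook-options.pl`, apparently a leftover from the script this one was copied from; they should read `perl docbook-grammars.pl options_file section > section.grammar.xml` and `<!-- Generated by doc/misc/docbook-grammars.pl -->` so the emitted XML points at its real generator. `$SECTION` is interpolated unquoted into `m{^$SECTION\b}`, so a section name containing regex metacharacters is treated as a pattern rather than a literal; `m{^\Q$SECTION\E\b}` matches it verbatim. The `die "Can't open $FILE"` here, and the identical lines in docbook-options.pl and docbook-zoneopt.pl, drop the OS error; appending `: $!` shows why the open failed.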
@@ -0,0 +1,184 @@ +#!/usr/bin/perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use warnings; +use strict; +use Time::Piece; + +if (@ARGV < 1) { + print STDERR <<'END'; +usage: + perl docbook-options.pl options_file [YYYY/MM/DD] >named.conf.docbook +END + exit 1; +} + +my $FILE = shift; + +my $DATE; +if (@ARGV >= 2) { + $DATE = shift +} else { + $DATE = `git log --max-count=1 --date=short --format='%cd' $FILE` or die "unable to determine last modification date of '$FILE'; specify on command line\nexiting"; +} +chomp $DATE; + +open (FH, "<", $FILE) or die "Can't open $FILE"; + +my $t = Time::Piece->new(); +my $year = $t->year; + +print <<END; +<!-- + - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+--> + +<!-- Generated by doc/misc/docbook-options.pl --> + +<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf"> + <info> + <date>$DATE</date> + </info> + <refentryinfo> + <corpname>ISC</corpname> + <corpauthor>Internet Systems Consortium, Inc.</corpauthor> + </refentryinfo> + + <refmeta> + <refentrytitle><filename>named.conf</filename></refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><filename>named.conf</filename></refname> + <refpurpose>configuration file for <command>named</command></refpurpose> + </refnamediv> + + <docinfo> + <copyright> +END + +for (my $y = 2004; $y <= $year; $y++) { + print " <year>$y</year>\n"; +} + +print <<END; + <holder>Internet Systems Consortium, Inc. ("ISC")</holder> + </copyright> + </docinfo> + + <refsynopsisdiv> + <cmdsynopsis sepchar=" "> + <command>named.conf</command> + </cmdsynopsis> + </refsynopsisdiv> + + <refsection><info><title>DESCRIPTION</title></info> + + <para><filename>named.conf</filename> is the configuration file + for + <command>named</command>. Statements are enclosed + in braces and terminated with a semi-colon. Clauses in + the statements are also semi-colon terminated. 
The usual + comment styles are supported: + </para> + <para> + C style: /* */ + </para> + <para> + C++ style: // to end of line + </para> + <para> + Unix style: # to end of line + </para> + </refsection> + +END + +# skip preamble +my $preamble = 0; +while (<FH>) { + if (m{^\s*$}) { + last if $preamble > 0; + } else { + $preamble++; + } +} + +my $blank = 0; +while (<FH>) { + if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) { + next; + } + + s{ // not configured}{}; + s{ // non-operational}{}; + s{ // may occur multiple times}{}; + s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; + s{[[]}{[}g; + s{[]]}{]}g; + s{ }{\t}g; + if (m{^([a-z0-9-]+) }) { + my $HEADING = uc $1; + print <<END; + <refsection><info><title>$HEADING</title></info> + + <literallayout class="normal"> +END + } + + if (m{^\s*$} && !$blank) { + $blank = 1; + print <<END; +</literallayout> + </refsection> +END + } else { + $blank = 0; + } + print; +} + +print <<END; + <refsection><info><title>FILES</title></info> + + <para><filename>/etc/named.conf</filename> + </para> + </refsection> + + <refsection><info><title>SEE ALSO</title></info> + + <para><citerefentry> + <refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + </para> + </refsection> + +</refentry> +END diff --git a/doc/misc/docbook-zoneopt.pl b/doc/misc/docbook-zoneopt.pl new file mode 100644 index 0000000..295fc28 --- /dev/null +++ b/doc/misc/docbook-zoneopt.pl 
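Review bot: The optional `YYYY/MM/DD` argument advertised in the usage text is never honoured: after `my $FILE = shift;` a caller who supplies the date leaves one element in `@ARGV`, but the test reads `if (@ARGV >= 2)`, so that branch is unreachable and `git log` is always run; the condition should be `if (@ARGV >= 1)`. The fallback interpolates `$FILE` into a shell command via backticks, here and in docbook-zoneopt.pl, so a path containing shell metacharacters or whitespace is re-parsed by the shell, and this script also omits the `--` separator (docbook-zoneopt.pl has it), so a path beginning with `-` is read as a git option. A list-form pipe open, `open(my $git, '-|', 'git', 'log', '--max-count=1', '--date=short', '--format=%cd', '--', $FILE) or die "git log failed: $!";` followed by `$DATE = <$git>;`, bypasses the shell entirely and would serve both scripts.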
@@ -0,0 +1,64 @@ +#!/usr/bin/perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +use warnings; +use strict; +use Time::Piece; + +if (@ARGV < 1) { + print STDERR <<'END'; +usage: + perl docbook-zoneopt.pl zoneopt_file [YYYY] +END + exit 1; +} + +my $FILE = shift; + +my $t = Time::Piece->new(); +my $year; +$year = `git log --max-count=1 --date=format:%Y --format='%cd' -- $FILE` or $year = $t->year; +chomp $year; + +open (FH, "<", $FILE) or die "Can't open $FILE"; + +print <<END; +<!-- + - Copyright (C) 2004-$year Internet Systems Consortium, Inc. ("ISC") + - + - This Source Code Form is subject to the terms of the Mozilla Public + - License, v. 2.0. If a copy of the MPL was not distributed with this + - file, You can obtain one at http://mozilla.org/MPL/2.0/. +--> + +<!-- Generated by doc/misc/docbook-zoneopt.pl --> +<programlisting> +END + +while (<FH>) { + if (m{// not.*implemented} || m{// obsolete} || m{// test.*only}) { + next; + } + + s{ // not configured}{}; + s{ // may occur multiple times}{}; + s{<([a-z0-9_-]+)>}{<replaceable>$1</replaceable>}g; + s{^(\s*)([a-z0-9_-]+)\b}{$1<command>$2</command>}; + s{[[]}{[}g; + s{[]]}{]}g; + s{ }{\t}g; + + print; +} + +print <<END; +</programlisting> +END diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl new file mode 100644 index 0000000..338d61e --- /dev/null +++ b/doc/misc/format-options.pl 
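Review bot: The usage text offers an optional `[YYYY]` argument, but nothing in the script reads it: after `my $FILE = shift;` the rest of `@ARGV` is ignored and the year always comes from `git log` or the current date. Either drop `[YYYY]` from the usage string or honour it, e.g. `my $year = @ARGV ? shift : '';` and run the existing git/Time::Piece fallback only when `$year` is still empty. The `or $year = $t->year` fallback appears to fire both when the file is untracked (git prints nothing) and when git is unavailable; that is reasonable, but a comment such as `# fall back to the current year when git cannot date the file` would record that it is intended.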
@@ -0,0 +1,41 @@ +#!/usr/bin/perl +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +print <<END; + +This is a summary of the named.conf options supported by +this version of BIND 9. + +END + +# Break long lines +while (<>) { + chomp; + s/\t/ /g; + my $line = $_; + m!^( *)!; + my $indent = $1; + my $comment = ""; + if ( $line =~ m!//.*! ) { + $comment = $&; + $line =~ s!//.*!!; + } + my $start = ""; + while (length($line) >= 79 - length($comment)) { + $_ = $line; + # this makes sure that the comment has something in front of it + $len = 75 - length($comment); + m!^(.{0,$len}) (.*)$!; + $start = $start.$1."\n"; + $line = $indent." ".$2; + } + print $start.$line.$comment."\n"; +} diff --git a/doc/misc/forward.zoneopt b/doc/misc/forward.zoneopt new file mode 100644 index 0000000..e694813 --- /dev/null +++ b/doc/misc/forward.zoneopt @@ -0,0 +1,6 @@ +zone <string> [ <class> ] { + type forward; + delegation-only <boolean>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; +}; diff --git a/doc/misc/hint.zoneopt b/doc/misc/hint.zoneopt new file mode 100644 index 0000000..d7ec16c --- /dev/null +++ b/doc/misc/hint.zoneopt @@ -0,0 +1,6 @@ +zone <string> [ <class> ] { + type hint; + check-names ( fail | warn | ignore ); + delegation-only <boolean>; + file <quoted_string>; +}; diff --git a/doc/misc/in-view.zoneopt b/doc/misc/in-view.zoneopt new file mode 100644 index 0000000..c63c427 --- /dev/null +++ b/doc/misc/in-view.zoneopt @@ -0,0 +1,3 @@ +zone <string> [ <class> ] { + in-view <string>; +}; 
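Review bot: The line-breaking loop never checks whether `m!^(.{0,$len}) (.*)$!` matched; when a line has no space within the first `$len` characters (one long token), `$1` and `$2` keep the values of the last successful match, which on the first iteration is the outer `m!^( *)!` where `$2` is undefined, so `$line = $indent." ".$2` discards the text and the token silently disappears from the output. Guarding the match, `last unless m!^(.{0,$len}) (.*)$!;`, prints an unbreakable line as-is instead of dropping it. `$len` is also assigned without `my`, and the script lacks the `use strict; use warnings;` that the sibling docbook-*.pl scripts carry; adding them would have flagged both problems.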
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
new file mode 100644
index 0000000..02cd19a
--- /dev/null
+++ b/doc/misc/ipv6
@@ -0,0 +1,111 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +Currently, there are multiple interesting problems with ipv6 +implementations on various platforms. These problems range from not +being able to use ipv6 with bind9 (or in particular the ISC socket +library, contained in libisc) to listen-on lists not being respected, +to strange warnings but seemingly correct behavior of named. + +COMPILE-TIME ISSUES +------------------- + +The socket library requires a certain level of support from the +operating system. In particular, it must follow the advanced ipv6 +socket API to be usable. The systems which do not follow this will +currently not get any warnings or errors, but ipv6 will simply not +function on them. + +These systems currently include, but are not limited to: + + AIX 3.4 (with ipv6 patches) + + +RUN-TIME ISSUES +--------------- + +In the original drafts of the ipv6 RFC documents, binding an ipv6 +socket to the ipv6 wildcard address would also cause the socket to +accept ipv4 connections and datagrams. When an ipv4 packet is +received on these systems, it is mapped into an ipv6 address. For +example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of +this mapping was to make transition from an ipv4-only application into +ipv6 easier, by only requiring one socket to be open on a given port. + +Later, it was discovered that this was generally a bad idea. For one, +many firewalls will block connection to 1.2.3.4, but will let through +::ffff:1.2.3.4. This, of course, is bad. Also, access control lists +written to accept only ipv4 addresses were suddenly ignored unless +they were rewritten to handle the ipv6 mapped addresses as well. + +Partly because of these problems, the latest IPv6 API introduces an +explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6 +mapped address usage. 
+ +In bind9, we first check if both the advanced API and the IPV6_V6ONLY +socket option are available. If both of them are available, bind9 +named will bind to the ipv6 wildcard port for both TCP and UDP. +Otherwise named will make a warning and try to bind to all available +ipv6 addresses separately. + +In any case, bind9 named binds to specific addresses for ipv4 sockets. + +The followings are historical notes when we always bound to the ipv6 +wildcard port regardless of the availability of the API support. +These problems should not happen with the closer checks above. + + +IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail +--------------------------------------------------------------- + +The only OS which seems to do this is (some kernel versions of) linux. +If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific +ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding +will fail. + +What this means to bind9 is that the application will log warnings +about being unable to bind to a socket because the address is already +in use. Since the ipv6 socket will accept ipv4 packets and map them, +however, the ipv4 addresses continue to function. + +The effect is that the config file listen-on directive will not be +respected on these systems. + + +IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed +---------------------------------------------------------------- + +In this case, the system allows opening an ipv6 wildcard address +socket and then binding to a more specific ipv4 address later. An +example of this type of system is Digital Unix with ipv6 patches +applied. + +What this means to bind9 is that the application will respect +listen-on in regards to ipv4 sockets, but it will use mapped ipv6 +addresses for any that do not match the listen-on list. This, in +effect, makes listen-on useless for these machines as well. 
+ + +IPV6 Sockets Do Not Accept IPV4 +------------------------------- + +On these systems, opening an IPV6 socket does not implicitly open any +ipv4 sockets. An example of these systems are NetBSD-current with the +latest KAME patch, and other systems which use the latest KAME patches +as their ipv6 implementation. + +On these systems, listen-on is fully functional, as the ipv6 socket +only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4 +packets. + + +RELEVANT RFCs +------------- + +3513: Internet Protocol Version 6 (IPv6) Addressing Architecture + +3493: Basic Socket Interface Extensions for IPv6 + +3542: Advanced Sockets Application Program Interface (API) for IPv6 + diff --git a/doc/misc/master.zoneopt b/doc/misc/master.zoneopt new file mode 100644 index 0000000..7152ed1 --- /dev/null +++ b/doc/misc/master.zoneopt 
@@ -0,0 +1,56 @@ +zone <string> [ <class> ] { + type ( master | primary ); + allow-query { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update { <address_match_element>; ... }; + also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + auto-dnssec ( allow | maintain | off ); + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( fail | warn | ignore ); + check-sibling <boolean>; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard <boolean>; + database <string>; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); + dlz <string>; + dnssec-dnskey-kskonly <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-secure-to-insecure <boolean>; + dnssec-update-mode ( maintain | no-resign ); + file <quoted_string>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... 
}; + inline-signing <boolean>; + ixfr-from-differences <boolean>; + journal <quoted_string>; + key-directory <quoted_string>; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + max-journal-size ( unlimited | <sizeval> ); + max-records <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-out <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + serial-update-method ( date | increment | unixtime ); + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + update-check-ksk <boolean>; + update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }; + zero-no-soa-ttl <boolean>; + zone-statistics ( full | terse | none | <boolean> ); +}; diff --git a/doc/misc/migration b/doc/misc/migration new file mode 100644 index 0000000..aa78a74 --- /dev/null +++ b/doc/misc/migration 
@@ -0,0 +1,264 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+ BIND 8 to BIND 9 Migration Notes
+
+BIND 9 is designed to be mostly upwards compatible with BIND 8, but
+there is still a number of caveats you should be aware of when
+upgrading an existing BIND 8 installation to use BIND 9.
+
+
+1. Configuration File Compatibility
+
+1.1. Unimplemented Options and Changed Defaults
+
+BIND 9 supports most, but not all of the named.conf options of BIND 8.
+For a complete list of implemented options, see doc/misc/options.
+
+If your named.conf file uses an unimplemented option, named will log a
+warning message. A message is also logged about each option whose
+default has changed unless the option is set explicitly in named.conf.
+
+The default of the "transfer-format" option has changed from
+"one-answer" to "many-answers". If you have slave servers that do not
+understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
+older) you need to explicitly specify "transfer-format one-answer;" in
+either the options block or a server statement.
+
+BIND 9.4 onwards implements "allow-query-cache". The "allow-query"
+option is no longer used to specify access to the cache. The
+"allow-query" option continues to specify which hosts are allowed
+to ask ordinary DNS questions. The new "allow-query-cache" option
+is used to specify which hosts are allowed to get answers from the
+cache. Since BIND 9.4.1, if "allow-query-cache" is not set then
+"allow-recursion" is used if it is set, otherwise "allow-query" is
+used if it is set, otherwise the default localnets and localhost
+is used.
+
+1.2. Handling of Configuration File Errors
+
+In BIND 9, named refuses to start if it detects an error in
+named.conf. Earlier versions would start despite errors, causing the
+server to run with a partial configuration.
Errors detected during
+subsequent reloads do not cause the server to exit.
+
+Errors in master files do not cause the server to exit, but they
+do cause the zone not to load.
+
+1.3. Logging
+
+The set of logging categories in BIND 9 is different from that
+in BIND 8. If you have customised your logging on a per-category
+basis, you need to modify your logging statement to use the
+new categories.
+
+Another difference is that the "logging" statement only takes effect
+after the entire named.conf file has been read. This means that when
+the server starts up, any messages about errors in the configuration
+file are always logged to the default destination (syslog) when the
+server first starts up, regardless of the contents of the "logging"
+statement. In BIND 8, the new logging configuration took effect
+immediately after the "logging" statement was read.
+
+1.4. Notify messages and Refresh queries
+
+The source address and port for these is now controlled by
+"notify-source" and "transfer-source", respectively, rather that
+query-source as in BIND 8.
+
+1.5. Multiple Classes.
+
+Multiple classes have to be put into explicit views for each class.
+
+
+2. Zone File Compatibility
+
+2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
+
+BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
+omitted TTLs in zone files. Omitted TTLs are replaced by the value
+specified with the $TTL directive, or by the previous explicit TTL if
+there is no $TTL directive.
+
+If there is no $TTL directive and the first RR in the file does not
+have an explicit TTL field, the zone file is illegal according to
+RFC1035 since the TTL of the first RR is undefined. Unfortunately,
+BIND 4 and many versions of BIND 8 accept such files without warning
+and use the value of the SOA MINTTL field as a default for missing TTL
+values.
+
+BIND 9.0 and 9.1 completely refused to load such files.
BIND 9.2
+emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
+files anyway (provided the SOA is the first record in the file), but
+will issue the warning message "no TTL specified; using SOA MINTTL
+instead".
+
+To avoid problems, we recommend that you use a $TTL directive in each
+zone file.
+
+2.2. Periods in SOA Serial Numbers Deprecated
+
+Some versions of BIND allow SOA serial numbers with an embedded
+period, like "3.002", and convert them into integers in a rather
+unintuitive way. This feature is not supported by BIND 9; serial
+numbers must be integers.
+
+2.3. Handling of Unbalanced Quotes
+
+TXT records with unbalanced quotes, like 'host TXT "foo', were not
+treated as errors in some versions of BIND. If your zone files
+contain such records, you will get potentially confusing error
+messages like "unexpected end of file" because BIND 9 will interpret
+everything up to the next quote character as a literal string.
+
+2.4. Handling of Line Breaks
+
+Some versions of BIND accept RRs containing line breaks that are not
+properly quoted with parentheses, like the following SOA:
+
+ @ IN SOA ns.example. hostmaster.example.
+ ( 1 3600 1800 1814400 3600 )
+
+This is not legal master file syntax and will be treated as an error
+by BIND 9. The fix is to move the opening parenthesis to the first
+line.
+
+2.5. Unimplemented BIND 8 Extensions
+
+$GENERATE: The "$$" construct for getting a literal $ into a domain
+name is deprecated. Use \$ instead.
+
+2.6. TXT records are no longer automatically split.
+
+Some versions of BIND accepted strings in TXT RDATA consisting of more
+than 255 characters and silently split them to be able to encode the
+strings in a protocol conformant way. You may now see errors like this
+ dns_rdata_fromtext: local.db:119: ran out of space
+if you have TXT RRs with too longs strings. Make sure to split the
+string in the zone data file at or before a single one reaches 255
+characters.
+
+3.
Interoperability Impact of New Protocol Features
+
+3.1. EDNS0
+
+BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
+also sets DO EDNS flag bit in queries to indicate that it wishes to
+receive DNSSEC responses.
+
+Most older servers that do not support EDNS0, including prior versions
+of BIND, will send a FORMERR or NOTIMP response to these queries.
+When this happens, BIND 9 will automatically retry the query without
+EDNS0.
+
+Unfortunately, there exists at least one non-BIND name server
+implementation that silently ignores these queries instead of sending
+an error response. Resolving names in zones where all or most
+authoritative servers use this server will be very slow or fail
+completely. We have contacted the manufacturer of the name server in
+case, and they are working on a solution.
+
+When BIND 9 communicates with a server that does support EDNS0, such as
+another BIND 9 server, responses of up to 4096 bytes may be
+transmitted as a single UDP datagram which is subject to fragmentation
+at the IP level. If a firewall incorrectly drops IP fragments, it can
+cause resolution to slow down dramatically or fail.
+
+3.2. Zone Transfers
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
+
+Zone transfers to Windows 2000 DNS servers sometimes fail due to a
+bug in the Windows 2000 DNS server where DNS messages larger than
+16K are not handled properly. Obtain the latest service pack for
+Windows 2000 from Microsoft to address this issue. In the meantime,
+the problem can be worked around by setting "transfer-format one-answer;".
+http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
+
+4.
Unrestricted Character Set
+
+ BIND 9.2 only
+
+BIND 9 does not restrict the character set of domain names - it is
+fully 8-bit clean in accordance with RFC2181 section 11.
+
+It is strongly recommended that hostnames published in the DNS follow
+the RFC952 rules, but BIND 9 will not enforce this restriction.
+
+Historically, some applications have suffered from security flaws
+where data originating from the network, such as names returned by
+gethostbyaddr(), are used with insufficient checking and may cause a
+breach of security when containing unexpected characters; see
+<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
+for details. Some earlier versions of BIND attempt to protect these
+flawed applications from attack by discarding data containing
+characters deemed inappropriate in host names or mail addresses, under
+the control of the "check-names" option in named.conf and/or "options
+no-check-names" in resolv.conf. BIND 9 provides no such protection;
+if applications with these flaws are still being used, they should
+be upgraded.
+
+ BIND 9.3 onwards implements check-names.
+
+5. Server Administration Tools
+
+5.1 Ndc Replaced by Rndc
+
+The "ndc" program has been replaced by "rndc", which is capable of
+remote operation. Unlike ndc, rndc requires a configuration file.
+The easiest way to generate a configuration file is to run
+"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
+and rndc.conf(5) for details.
+
+5.2. Nsupdate Differences
+
+The BIND 8 implementation of nsupdate had an undocumented feature
+where an update request would be broken down into multiple requests
+based upon the discovered zones that contained the records. This
+behaviour has not been implemented in BIND 9. Each update request
+must pertain to a single zone, but it is still possible to do multiple
+updates in a single invocation of nsupdate by terminating each update
+with an empty line or a "send" command.
+
+
+6.
No Information Leakage between Zones
+
+BIND 9 stores the authoritative data for each zone in a separate data
+structure, as recommended in RFC1035 and as required by DNSSEC and
+IXFR. When a BIND 9 server is authoritative for both a child zone and
+its parent, it will have two distinct sets of NS records at the
+delegation point: the authoritative NS records at the child's apex,
+and a set of glue NS records in the parent.
+
+BIND 8 was unable to properly distinguish between these two sets of NS
+records and would "leak" the child's NS records into the parent,
+effectively causing the parent zone to be silently modified: responses
+and zone transfers from the parent contained the child's NS records
+rather than the glue configured into the parent (if any). In the case
+of children of type "stub", this behaviour was documented as a feature,
+allowing the glue NS records to be omitted from the parent
+configuration.
+
+Sites that were relying on this BIND 8 behaviour need to add any
+omitted glue NS records, and any necessary glue A records, to the
+parent zone.
+
+Although stub zones can no longer be used as a mechanism for injecting
+NS records into their parent zones, they are still useful as a way of
+directing queries for a given domain to a particular set of name
+servers.
+
+
+7. Umask not Modified
+
+The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
+not; the umask inherited from the parent process remains in effect.
+This may cause files created by named, such as journal files, to be
+created with different file permissions than they did in BIND 8. If
+necessary, the umask should be set explicitly in the script used to
+start the named process.
diff --git a/doc/misc/migration-4to9 b/doc/misc/migration-4to9
new file mode 100644
index 0000000..4d038a5
--- /dev/null
+++ b/doc/misc/migration-4to9
@@ -0,0 +1,55 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+ BIND 4 to BIND 9 Migration Notes
+
+To transition from BIND 4 to BIND 9 you first need to convert your
+configuration file to the new format. There is a conversion tool in
+contrib/named-bootconf that allows you to do this.
+
+ named-bootconf.sh < /etc/named.boot > /etc/named.conf
+
+BIND 9 uses a system assigned port for the UDP queries it makes rather
+than port 53 that BIND 4 uses. This may conflict with some firewalls.
+The following directives in /etc/named.conf allows you to specify
+a port to use.
+
+ query-source address * port 53;
+ transfer-source * port 53;
+ notify-source * port 53;
+
+BIND 9 no longer uses the minimum field to specify the TTL of records
+without a explicit TTL. Use the $TTL directive to specify a default TTL
+before the first record without a explicit TTL.
+
+ $TTL 3600
+ @ IN SOA ns1.example.com. hostmaster.example.com. (
+ 2001021100
+ 7200
+ 1200
+ 3600000
+ 7200 )
+
+BIND 9 does not support multiple CNAMEs with the same owner name.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. CNAME host2.example.com.
+
+BIND 9 does not support "CNAMEs with other data" with the same owner name,
+ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. MX 10 host2.example.com.
+
+BIND 9 is less tolerant of errors in master files, so check your logs and
+fix any errors reported. The named-checkzone program can also be to check
+master files.
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
diff --git a/doc/misc/options b/doc/misc/options
new file mode 100644
index 0000000..ad6bbb2
--- /dev/null
+++ b/doc/misc/options
@@ -0,0 +1,883 @@ + +This is a summary of the named.conf options supported by +this version of BIND 9. + +acl <string> { <address_match_element>; ... }; // may occur multiple times + +controls { + inet ( <ipv4_address> | <ipv6_address> | + * ) [ port ( <integer> | * ) ] allow + { <address_match_element>; ... } [ + keys { <string>; ... } ] [ read-only + <boolean> ]; // may occur multiple times + unix <quoted_string> perm <integer> + owner <integer> group <integer> [ + keys { <string>; ... } ] [ read-only + <boolean> ]; // may occur multiple times +}; // may occur multiple times + +dlz <string> { + database <string>; + search <boolean>; +}; // may occur multiple times + +dyndb <string> <quoted_string> { + <unspecified-text> }; // may occur multiple times + +key <string> { + algorithm <string>; + secret <string>; +}; // may occur multiple times + +logging { + category <string> { <string>; ... }; // may occur multiple times + channel <string> { + buffered <boolean>; + file <quoted_string> [ versions ( "unlimited" | <integer> ) + ] [ size <size> ]; + null; + print-category <boolean>; + print-severity <boolean>; + print-time <boolean>; + severity <log_severity>; + stderr; + syslog [ <syslog_facility> ]; + }; // may occur multiple times +}; + +lwres { + listen-on [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> + | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; + lwres-clients <integer>; + lwres-tasks <integer>; + ndots <integer>; + search { <string>; ... }; + view <string> [ <class> ]; +}; // may occur multiple times + +managed-keys { <string> <string> <integer> + <integer> <integer> <quoted_string>; ... }; // may occur multiple times + +masters <string> [ port <integer> ] [ dscp + <integer> ] { ( <masters> | <ipv4_address> [ + port <integer> ] | <ipv6_address> [ port + <integer> ] ) [ key <string> ]; ... 
}; // may occur multiple times + +options { + acache-cleaning-interval <integer>; + acache-enable <boolean>; + additional-from-auth <boolean>; + additional-from-cache <boolean>; + allow-new-zones <boolean>; + allow-notify { <address_match_element>; ... }; + allow-query { <address_match_element>; ... }; + allow-query-cache { <address_match_element>; ... }; + allow-query-cache-on { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-recursion { <address_match_element>; ... }; + allow-recursion-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + allow-v6-synthesis { <address_match_element>; ... }; // obsolete + also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | + <ipv4_address> [ port <integer> ] | <ipv6_address> [ port + <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | + * ) ] [ dscp <integer> ]; + answer-cookie <boolean>; + attach-cache <string>; + auth-nxdomain <boolean>; // default changed + auto-dnssec ( allow | maintain | off ); + automatic-interface-scan <boolean>; + avoid-v4-udp-ports { <portrange>; ... }; + avoid-v6-udp-ports { <portrange>; ... }; + bindkeys-file <quoted_string>; + blackhole { <address_match_element>; ... }; + cache-file <quoted_string>; + catalog-zones { zone <quoted_string> [ default-masters [ port + <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ + port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key + <string> ]; ... } ] [ zone-directory <quoted_string> ] [ + in-memory <boolean> ] [ min-update-interval <integer> ]; ... 
}; + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( master | slave | response + ) ( fail | warn | ignore ); // may occur multiple times + check-sibling <boolean>; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard <boolean>; + cleaning-interval <integer>; + clients-per-query <integer>; + cookie-algorithm ( aes | sha1 | sha256 ); + cookie-secret <string>; // may occur multiple times + coresize ( default | unlimited | <sizeval> ); + datasize ( default | unlimited | <sizeval> ); + deallocate-on-exit <boolean>; // obsolete + deny-answer-addresses { <address_match_element>; ... } [ + except-from { <quoted_string>; ... } ]; + deny-answer-aliases { <quoted_string>; ... } [ except-from { + <quoted_string>; ... } ]; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); + directory <quoted_string>; + disable-algorithms <string> { <string>; + ... }; // may occur multiple times + disable-ds-digests <string> { <string>; + ... }; // may occur multiple times + disable-empty-zone <string>; // may occur multiple times + dns64 <netprefix> { + break-dnssec <boolean>; + clients { <address_match_element>; ... }; + exclude { <address_match_element>; ... }; + mapped { <address_match_element>; ... 
}; + recursive-only <boolean>; + suffix <ipv6_address>; + }; // may occur multiple times + dns64-contact <string>; + dns64-server <string>; + dnssec-accept-expired <boolean>; + dnssec-dnskey-kskonly <boolean>; + dnssec-enable <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-lookaside ( <string> trust-anchor + <string> | auto | no ); // may occur multiple times + dnssec-must-be-secure <string> <boolean>; // may occur multiple times + dnssec-secure-to-insecure <boolean>; + dnssec-update-mode ( maintain | no-resign ); + dnssec-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver ) [ ( query | response ) ]; ... }; // not configured + dnstap-identity ( <quoted_string> | none | + hostname ); // not configured + dnstap-output ( file | unix ) <quoted_string>; // not configured + dnstap-version ( <quoted_string> | none ); // not configured + dscp <integer>; + dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port + <integer> ] [ dscp <integer> ] | <ipv4_address> [ port + <integer> ] [ dscp <integer> ] | <ipv6_address> [ port + <integer> ] [ dscp <integer> ] ); ... }; + dump-file <quoted_string>; + edns-udp-size <integer>; + empty-contact <string>; + empty-server <string>; + empty-zones-enable <boolean>; + fake-iquery <boolean>; // obsolete + fetch-glue <boolean>; // obsolete + fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; + fetches-per-server <integer> [ ( drop | fail ) ]; + fetches-per-zone <integer> [ ( drop | fail ) ]; + files ( default | unlimited | <sizeval> ); + filter-aaaa { <address_match_element>; ... }; // not configured + filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured + filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured + flush-zones-on-shutdown <boolean>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> + | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... 
}; + fstrm-set-buffer-hint <integer>; // not configured + fstrm-set-flush-timeout <integer>; // not configured + fstrm-set-input-queue-size <integer>; // not configured + fstrm-set-output-notify-threshold <integer>; // not configured + fstrm-set-output-queue-model ( mpsc | spsc ); // not configured + fstrm-set-output-queue-size <integer>; // not configured + fstrm-set-reopen-interval <integer>; // not configured + geoip-directory ( <quoted_string> | none ); // not configured + geoip-use-ecs <boolean>; // not configured + has-old-clients <boolean>; // obsolete + heartbeat-interval <integer>; + host-statistics <boolean>; // not implemented + host-statistics-max <integer>; // not implemented + hostname ( <quoted_string> | none ); + inline-signing <boolean>; + interface-interval <integer>; + ixfr-from-differences ( master | slave | <boolean> ); + keep-response-order { <address_match_element>; ... }; + key-directory <quoted_string>; + lame-ttl <ttlval>; + listen-on [ port <integer> ] [ dscp + <integer> ] { + <address_match_element>; ... }; // may occur multiple times + listen-on-v6 [ port <integer> ] [ dscp + <integer> ] { + <address_match_element>; ... 
}; // may occur multiple times + lmdb-mapsize <sizeval>; // non-operational + lock-file ( <quoted_string> | none ); + maintain-ixfr-base <boolean>; // obsolete + managed-keys-directory <quoted_string>; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + match-mapped-addresses <boolean>; + max-acache-size ( unlimited | <sizeval> ); + max-cache-size ( default | unlimited | <sizeval> | <percentage> ); + max-cache-ttl <integer>; + max-clients-per-query <integer>; + max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete + max-journal-size ( unlimited | <sizeval> ); + max-ncache-ttl <integer>; + max-records <integer>; + max-recursion-depth <integer>; + max-recursion-queries <integer>; + max-refresh-time <integer>; + max-retry-time <integer>; + max-rsa-exponent-size <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-udp-size <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + memstatistics <boolean>; + memstatistics-file <quoted_string>; + message-compression <boolean>; + min-refresh-time <integer>; + min-retry-time <integer>; + min-roots <integer>; // not implemented + minimal-any <boolean>; + minimal-responses ( no-auth | no-auth-recursive | <boolean> ); + multi-master <boolean>; + multiple-cnames <boolean>; // obsolete + named-xfer <quoted_string>; // obsolete + no-case-compress { <address_match_element>; ... 
}; + nocookie-udp-size <integer>; + nosit-udp-size <integer>; // obsolete + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-rate <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] + [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + nta-lifetime <ttlval>; + nta-recheck <ttlval>; + nxdomain-redirect <string>; + pid-file ( <quoted_string> | none ); + port <integer>; + preferred-glue <string>; + prefetch <integer> [ <integer> ]; + provide-ixfr <boolean>; + query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + querylog <boolean>; + queryport-pool-ports <integer>; // obsolete + queryport-pool-updateinterval <integer>; // obsolete + random-device <quoted_string>; + rate-limit { + all-per-second <integer>; + errors-per-second <integer>; + exempt-clients { <address_match_element>; ... 
}; + ipv4-prefix-length <integer>; + ipv6-prefix-length <integer>; + log-only <boolean>; + max-table-size <integer>; + min-table-size <integer>; + nodata-per-second <integer>; + nxdomains-per-second <integer>; + qps-scale <integer>; + referrals-per-second <integer>; + responses-per-second <integer>; + slip <integer>; + window <integer>; + }; + recursing-file <quoted_string>; + recursion <boolean>; + recursive-clients <integer>; + request-expire <boolean>; + request-ixfr <boolean>; + request-nsid <boolean>; + request-sit <boolean>; // obsolete + require-server-cookie <boolean>; + reserved-sockets <integer>; + resolver-query-timeout <integer>; + response-policy { zone <quoted_string> [ log <boolean> ] [ + max-policy-ttl <integer> ] [ policy ( cname | disabled | drop | + given | no-op | nodata | nxdomain | passthru | tcp-only + <quoted_string> ) ] [ recursive-only <boolean> ]; ... } [ + break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [ + min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ + qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]; + rfc2308-type1 <boolean>; // not yet implemented + root-delegation-only [ exclude { <quoted_string>; ... } ]; + root-key-sentinel <boolean>; + rrset-order { [ class <string> ] [ type <string> ] [ name + <quoted_string> ] <string> <string>; ... }; + secroots-file <quoted_string>; + send-cookie <boolean>; + serial-queries <integer>; // obsolete + serial-query-rate <integer>; + serial-update-method ( date | increment | unixtime ); + server-id ( <quoted_string> | none | hostname ); + servfail-ttl <ttlval>; + session-keyalg <string>; + session-keyfile ( <quoted_string> | none ); + session-keyname <string>; + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + sit-secret <string>; // obsolete + sortlist { <address_match_element>; ... 
}; + stacksize ( default | unlimited | <sizeval> ); + startup-notify-rate <integer>; + statistics-file <quoted_string>; + statistics-interval <integer>; // not yet implemented + suppress-initial-notify <boolean>; // not yet implemented + tcp-clients <integer>; + tcp-listen-queue <integer>; + tkey-dhkey <quoted_string> <integer>; + tkey-domain <quoted_string>; + tkey-gssapi-credential <quoted_string>; + tkey-gssapi-keytab <quoted_string>; + topology { <address_match_element>; ... }; // not implemented + transfer-format ( many-answers | one-answer ); + transfer-message-size <integer>; + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + transfers-in <integer>; + transfers-out <integer>; + transfers-per-ns <integer>; + treat-cr-as-space <boolean>; // obsolete + trust-anchor-telemetry <boolean>; // experimental + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; + use-alt-transfer-source <boolean>; + use-id-pool <boolean>; // obsolete + use-ixfr <boolean>; // obsolete + use-queryport-pool <boolean>; // obsolete + use-v4-udp-ports { <portrange>; ... }; + use-v6-udp-ports { <portrange>; ... 
}; + v6-bias <integer>; + version ( <quoted_string> | none ); + zero-no-soa-ttl <boolean>; + zero-no-soa-ttl-cache <boolean>; + zone-statistics ( full | terse | none | <boolean> ); +}; + +server <netprefix> { + bogus <boolean>; + edns <boolean>; + edns-udp-size <integer>; + edns-version <integer>; + keys <server_key>; + max-udp-size <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] + [ dscp <integer> ]; + provide-ixfr <boolean>; + query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + request-expire <boolean>; + request-ixfr <boolean>; + request-nsid <boolean>; + request-sit <boolean>; // obsolete + send-cookie <boolean>; + support-ixfr <boolean>; // obsolete + tcp-only <boolean>; + transfer-format ( many-answers | one-answer ); + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + transfers <integer>; +}; // may occur multiple times + +statistics-channels { + inet ( <ipv4_address> | <ipv6_address> | + * ) [ port ( <integer> | * ) ] [ + allow { <address_match_element>; ... + } ]; // may occur multiple times +}; // may occur multiple times + +trusted-keys { <string> <integer> <integer> + <integer> <quoted_string>; ... }; // may occur multiple times + +view <string> [ <class> ] { + acache-cleaning-interval <integer>; + acache-enable <boolean>; + additional-from-auth <boolean>; + additional-from-cache <boolean>; + allow-new-zones <boolean>; + allow-notify { <address_match_element>; ... 
}; + allow-query { <address_match_element>; ... }; + allow-query-cache { <address_match_element>; ... }; + allow-query-cache-on { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-recursion { <address_match_element>; ... }; + allow-recursion-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + allow-v6-synthesis { <address_match_element>; ... }; // obsolete + also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | + <ipv4_address> [ port <integer> ] | <ipv6_address> [ port + <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | + * ) ] [ dscp <integer> ]; + attach-cache <string>; + auth-nxdomain <boolean>; // default changed + auto-dnssec ( allow | maintain | off ); + cache-file <quoted_string>; + catalog-zones { zone <quoted_string> [ default-masters [ port + <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ + port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key + <string> ]; ... } ] [ zone-directory <quoted_string> ] [ + in-memory <boolean> ] [ min-update-interval <integer> ]; ... }; + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( master | slave | response + ) ( fail | warn | ignore ); // may occur multiple times + check-sibling <boolean>; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard <boolean>; + cleaning-interval <integer>; + clients-per-query <integer>; + deny-answer-addresses { <address_match_element>; ... } [ + except-from { <quoted_string>; ... } ]; + deny-answer-aliases { <quoted_string>; ... 
} [ except-from { + <quoted_string>; ... } ]; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); + disable-algorithms <string> { <string>; + ... }; // may occur multiple times + disable-ds-digests <string> { <string>; + ... }; // may occur multiple times + disable-empty-zone <string>; // may occur multiple times + dlz <string> { + database <string>; + search <boolean>; + }; // may occur multiple times + dns64 <netprefix> { + break-dnssec <boolean>; + clients { <address_match_element>; ... }; + exclude { <address_match_element>; ... }; + mapped { <address_match_element>; ... }; + recursive-only <boolean>; + suffix <ipv6_address>; + }; // may occur multiple times + dns64-contact <string>; + dns64-server <string>; + dnssec-accept-expired <boolean>; + dnssec-dnskey-kskonly <boolean>; + dnssec-enable <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-lookaside ( <string> trust-anchor + <string> | auto | no ); // may occur multiple times + dnssec-must-be-secure <string> <boolean>; // may occur multiple times + dnssec-secure-to-insecure <boolean>; + dnssec-update-mode ( maintain | no-resign ); + dnssec-validation ( yes | no | auto ); + dnstap { ( all | auth | client | forwarder | + resolver ) [ ( query | response ) ]; ... }; // not configured + dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port + <integer> ] [ dscp <integer> ] | <ipv4_address> [ port + <integer> ] [ dscp <integer> ] | <ipv6_address> [ port + <integer> ] [ dscp <integer> ] ); ... }; + dyndb <string> <quoted_string> { + <unspecified-text> }; // may occur multiple times + edns-udp-size <integer>; + empty-contact <string>; + empty-server <string>; + empty-zones-enable <boolean>; + fetch-glue <boolean>; // obsolete + fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; + fetches-per-server <integer> [ ( drop | fail ) ]; + fetches-per-zone <integer> [ ( drop | fail ) ]; + filter-aaaa { <address_match_element>; ... 
}; // not configured + filter-aaaa-on-v4 ( break-dnssec | <boolean> ); // not configured + filter-aaaa-on-v6 ( break-dnssec | <boolean> ); // not configured + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> + | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; + inline-signing <boolean>; + ixfr-from-differences ( master | slave | <boolean> ); + key <string> { + algorithm <string>; + secret <string>; + }; // may occur multiple times + key-directory <quoted_string>; + lame-ttl <ttlval>; + lmdb-mapsize <sizeval>; // non-operational + maintain-ixfr-base <boolean>; // obsolete + managed-keys { <string> <string> + <integer> <integer> <integer> + <quoted_string>; ... }; // may occur multiple times + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + match-clients { <address_match_element>; ... }; + match-destinations { <address_match_element>; ... }; + match-recursive-only <boolean>; + max-acache-size ( unlimited | <sizeval> ); + max-cache-size ( default | unlimited | <sizeval> | <percentage> ); + max-cache-ttl <integer>; + max-clients-per-query <integer>; + max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete + max-journal-size ( unlimited | <sizeval> ); + max-ncache-ttl <integer>; + max-records <integer>; + max-recursion-depth <integer>; + max-recursion-queries <integer>; + max-refresh-time <integer>; + max-retry-time <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-udp-size <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + message-compression <boolean>; + min-refresh-time <integer>; + min-retry-time <integer>; + min-roots <integer>; // not implemented + minimal-any <boolean>; + minimal-responses ( no-auth | no-auth-recursive | <boolean> ); + multi-master <boolean>; + no-case-compress { <address_match_element>; ... 
}; + nocookie-udp-size <integer>; + nosit-udp-size <integer>; // obsolete + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] + [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + nta-lifetime <ttlval>; + nta-recheck <ttlval>; + nxdomain-redirect <string>; + preferred-glue <string>; + prefetch <integer> [ <integer> ]; + provide-ixfr <boolean>; + query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] + port ( <integer> | * ) ) ) [ dscp <integer> ]; + queryport-pool-ports <integer>; // obsolete + queryport-pool-updateinterval <integer>; // obsolete + rate-limit { + all-per-second <integer>; + errors-per-second <integer>; + exempt-clients { <address_match_element>; ... }; + ipv4-prefix-length <integer>; + ipv6-prefix-length <integer>; + log-only <boolean>; + max-table-size <integer>; + min-table-size <integer>; + nodata-per-second <integer>; + nxdomains-per-second <integer>; + qps-scale <integer>; + referrals-per-second <integer>; + responses-per-second <integer>; + slip <integer>; + window <integer>; + }; + recursion <boolean>; + request-expire <boolean>; + request-ixfr <boolean>; + request-nsid <boolean>; + request-sit <boolean>; // obsolete + require-server-cookie <boolean>; + resolver-query-timeout <integer>; + response-policy { zone <quoted_string> [ log <boolean> ] [ + max-policy-ttl <integer> ] [ policy ( cname | disabled | drop | + given | no-op | nodata | nxdomain | passthru | tcp-only + <quoted_string> ) ] [ recursive-only <boolean> ]; ... 
} [ + break-dnssec <boolean> ] [ max-policy-ttl <integer> ] [ + min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ + qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]; + rfc2308-type1 <boolean>; // not yet implemented + root-delegation-only [ exclude { <quoted_string>; ... } ]; + root-key-sentinel <boolean>; + rrset-order { [ class <string> ] [ type <string> ] [ name + <quoted_string> ] <string> <string>; ... }; + send-cookie <boolean>; + serial-update-method ( date | increment | unixtime ); + server <netprefix> { + bogus <boolean>; + edns <boolean>; + edns-udp-size <integer>; + edns-version <integer>; + keys <server_key>; + max-udp-size <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * + ) ] [ dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> + | * ) ] [ dscp <integer> ]; + provide-ixfr <boolean>; + query-source ( ( [ address ] ( <ipv4_address> | * ) [ port + ( <integer> | * ) ] ) | ( [ [ address ] ( + <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ + dscp <integer> ]; + query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ + port ( <integer> | * ) ] ) | ( [ [ address ] ( + <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ + dscp <integer> ]; + request-expire <boolean>; + request-ixfr <boolean>; + request-nsid <boolean>; + request-sit <boolean>; // obsolete + send-cookie <boolean>; + support-ixfr <boolean>; // obsolete + tcp-only <boolean>; + transfer-format ( many-answers | one-answer ); + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | + * ) ] [ dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] [ dscp <integer> ]; + transfers <integer>; + }; // may occur multiple times + servfail-ttl <ttlval>; + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + sortlist { <address_match_element>; ... 
}; + suppress-initial-notify <boolean>; // not yet implemented + topology { <address_match_element>; ... }; // not implemented + transfer-format ( many-answers | one-answer ); + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + trust-anchor-telemetry <boolean>; // experimental + trusted-keys { <string> <integer> + <integer> <integer> <quoted_string>; + ... }; // may occur multiple times + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; + use-alt-transfer-source <boolean>; + use-queryport-pool <boolean>; // obsolete + v6-bias <integer>; + zero-no-soa-ttl <boolean>; + zero-no-soa-ttl-cache <boolean>; + zone <string> [ <class> ] { + allow-notify { <address_match_element>; ... }; + allow-query { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + also-notify [ port <integer> ] [ dscp <integer> ] { ( + <masters> | <ipv4_address> [ port <integer> ] | + <ipv6_address> [ port <integer> ] ) [ key <string> ]; + ... 
}; + alt-transfer-source ( <ipv4_address> | * ) [ port ( + <integer> | * ) ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] [ dscp <integer> ]; + auto-dnssec ( allow | maintain | off ); + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( fail | warn | ignore ); + check-sibling <boolean>; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard <boolean>; + database <string>; + delegation-only <boolean>; + dialup ( notify | notify-passive | passive | refresh | + <boolean> ); + dlz <string>; + dnssec-dnskey-kskonly <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-secure-to-insecure <boolean>; + dnssec-update-mode ( maintain | no-resign ); + file <quoted_string>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( + <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ + dscp <integer> ]; ... }; + in-view <string>; + inline-signing <boolean>; + ixfr-base <quoted_string>; // obsolete + ixfr-from-differences <boolean>; + ixfr-tmp-file <quoted_string>; // obsolete + journal <quoted_string>; + key-directory <quoted_string>; + maintain-ixfr-base <boolean>; // obsolete + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port <integer> ] [ dscp <integer> ] { ( <masters> + | <ipv4_address> [ port <integer> ] | <ipv6_address> [ + port <integer> ] ) [ key <string> ]; ... 
}; + max-ixfr-log-size ( default | unlimited | + <sizeval> ); // obsolete + max-journal-size ( unlimited | <sizeval> ); + max-records <integer>; + max-refresh-time <integer>; + max-retry-time <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + min-refresh-time <integer>; + min-retry-time <integer>; + multi-master <boolean>; + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * + ) ] [ dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> + | * ) ] [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + pubkey <integer> + <integer> + <integer> + <quoted_string>; // obsolete, may occur multiple times + request-expire <boolean>; + request-ixfr <boolean>; + serial-update-method ( date | increment | unixtime ); + server-addresses { ( <ipv4_address> | <ipv6_address> ) [ + port <integer> ]; ... }; + server-names { <quoted_string>; ... }; + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | + * ) ] [ dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( + <integer> | * ) ] [ dscp <integer> ]; + try-tcp-refresh <boolean>; + type ( delegation-only | forward | hint | master | redirect + | slave | static-stub | stub ); + update-check-ksk <boolean>; + update-policy ( local | { ( deny | grant ) <string> ( + 6to4-self | external | krb5-self | krb5-selfsub | + krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | + name | self | selfsub | selfwild | subdomain | tcp-self + | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... 
}; + use-alt-transfer-source <boolean>; + zero-no-soa-ttl <boolean>; + zone-statistics ( full | terse | none | <boolean> ); + }; // may occur multiple times + zone-statistics ( full | terse | none | <boolean> ); +}; // may occur multiple times + +zone <string> [ <class> ] { + allow-notify { <address_match_element>; ... }; + allow-query { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | + <ipv4_address> [ port <integer> ] | <ipv6_address> [ port + <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | + * ) ] [ dscp <integer> ]; + auto-dnssec ( allow | maintain | off ); + check-dup-records ( fail | warn | ignore ); + check-integrity <boolean>; + check-mx ( fail | warn | ignore ); + check-mx-cname ( fail | warn | ignore ); + check-names ( fail | warn | ignore ); + check-sibling <boolean>; + check-spf ( warn | ignore ); + check-srv-cname ( fail | warn | ignore ); + check-wildcard <boolean>; + database <string>; + delegation-only <boolean>; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); + dlz <string>; + dnssec-dnskey-kskonly <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-secure-to-insecure <boolean>; + dnssec-update-mode ( maintain | no-resign ); + file <quoted_string>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> + | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... 
}; + in-view <string>; + inline-signing <boolean>; + ixfr-base <quoted_string>; // obsolete + ixfr-from-differences <boolean>; + ixfr-tmp-file <quoted_string>; // obsolete + journal <quoted_string>; + key-directory <quoted_string>; + maintain-ixfr-base <boolean>; // obsolete + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | + <ipv4_address> [ port <integer> ] | <ipv6_address> [ port + <integer> ] ) [ key <string> ]; ... }; + max-ixfr-log-size ( default | unlimited | <sizeval> ); // obsolete + max-journal-size ( unlimited | <sizeval> ); + max-records <integer>; + max-refresh-time <integer>; + max-retry-time <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + min-refresh-time <integer>; + min-retry-time <integer>; + multi-master <boolean>; + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] + [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + pubkey <integer> <integer> + <integer> <quoted_string>; // obsolete, may occur multiple times + request-expire <boolean>; + request-ixfr <boolean>; + serial-update-method ( date | increment | unixtime ); + server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port + <integer> ]; ... }; + server-names { <quoted_string>; ... 
}; + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ + dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) + ] [ dscp <integer> ]; + try-tcp-refresh <boolean>; + type ( delegation-only | forward | hint | master | redirect | slave + | static-stub | stub ); + update-check-ksk <boolean>; + update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | + external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self + | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild + | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] + <rrtypelist>; ... }; + use-alt-transfer-source <boolean>; + zero-no-soa-ttl <boolean>; + zone-statistics ( full | terse | none | <boolean> ); +}; // may occur multiple times + diff --git a/doc/misc/redirect.zoneopt b/doc/misc/redirect.zoneopt new file mode 100644 index 0000000..a127de9 --- /dev/null +++ b/doc/misc/redirect.zoneopt @@ -0,0 +1,13 @@ +zone <string> [ <class> ] { + type redirect; + allow-query { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + dlz <string>; + file <quoted_string>; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; + max-records <integer>; + max-zone-ttl ( unlimited | <ttlval> ); + zone-statistics ( full | terse | none | <boolean> ); +}; diff --git a/doc/misc/rfc-compliance b/doc/misc/rfc-compliance new file mode 100644 index 0000000..0dbc9d4 --- /dev/null +++ b/doc/misc/rfc-compliance 
@@ -0,0 +1,160 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +BIND 9 is striving for strict compliance with IETF standards. We +believe this release of BIND 9 complies with the following RFCs, with +the caveats and exceptions listed in the numbered notes below. Note +that a number of these RFCs do not have the status of Internet +standards but are proposed or draft standards, experimental RFCs, +or Best Current Practice (BCP) documents. The list is non exhaustive. + + RFC1034 + RFC1035 [1] [2] + RFC1123 + RFC1183 + RFC1535 + RFC1536 + RFC1706 + RFC1712 + RFC1750 + RFC1876 + RFC1982 + RFC1995 + RFC1996 + RFC2136 + RFC2163 + RFC2181 + RFC2230 + RFC2308 + RFC2536 + RFC2539 + RFC2782 + RFC2915 + RFC2930 + RFC2931 [5] + RFC3007 + RFC3110 + RFC3123 + RFC3225 + RFC3226 + RFC3363 [6] + RFC3490 [7] + RFC3491 (Obsoleted by 5890, 5891) [7] + RFC3493 + RFC3496 + RFC3597 + RFC3645 + RFC4025 + RFC4034 + RFC4035 + RFC4074 + RFC4255 + RFC4294 - Section 5.1 [8] + RFC4343 + RFC4398 + RFC4408 + RFC4431 + RFC4470 [9] + RFC4509 + RFC4635 + RFC4701 + RFC4892 + RFC4955 [10] + RFC5001 + RFC5011 + RFC5155 + RFC5205 + RFC5452 [11] + RFC5702 + RFC5933 [12] + RFC5936 + RFC5952 + RFC5966 + RFC6052 + RFC6147 [13] + RFC6303 + RFC6605 [14] + RFC6672 + RFC6698 + RFC6742 + RFC6840 [15] + RFC6844 + RFC6891 + RFC7043 + RFC7314 + RFC7477 + RFC7793 + RFC7830 [16] + +The following DNS related RFC have been obsoleted + + RFC2535 (Obsoleted by 4034, 4035) [3] [4] + RFC2537 (Obsoleted by 3110) + RFC2538 (Obsoleted by 4398) + RFC2671 (Obsoleted by 6891) + RFC2672 (Obsoleted by 6672) + RFC2673 (Obsoleted by 6891) + RFC3008 (Obsoleted by 4034, 4035) + RFC3152 (Obsoleted by 3596) + RFC3445 (Obsoleted by 4034, 4035) + RFC3655 (Obsoleted by 4034, 4035) + RFC3658 (Obsoleted by 4034, 4035) + RFC3755 (Obsoleted by 4034, 4035) + RFC3757 (Obsoleted by 4034, 4035) + RFC3845 (Obsoleted by 4034, 4035) + +[1] Queries to zones 
that have failed to load return SERVFAIL rather +than a non-authoritative response. This is considered a feature. + +[2] CLASS ANY queries are not supported. This is considered a +feature. + +[3] Wildcard records are not supported in DNSSEC secure zones. + +[4] Servers authoritative for secure zones being resolved by BIND +9 must support EDNS0 (RFC2671), and must return all relevant SIGs +and NXTs in responses rather than relying on the resolving server +to perform separate queries for missing SIGs and NXTs. + +[5] When receiving a query signed with a SIG(0), the server will +only be able to verify the signature if it has the key in its local +authoritative data; it will not do recursion or validation to +retrieve unknown keys. + +[6] Section 4 is ignored. + +[7] Requires --with-idn to enable entry of IDN labels within dig, +host and nslookup at compile time. ACE labels are supported +everywhere with or without --with-idn. + +[8] Section 5.1 - DNAME records are fully supported. + +[9] Minimally Covering NSEC Record are accepted but not generated. + +[10] Will interoperate with correctly designed experiments. + +[11] Named only uses ports to extend the id space, address are not +used. + +[12] Conditional on the OpenSSL library being linked against +supporting GOST. + +[13] Section 5.5 does not match reality. Named uses the presence +of DO=1 to detect if validation may be occuring. CD has no bearing +on whether validation is occuring or not. + +[14] Conditional on the OpenSSL library being linked against +supporting ECDSA. + +[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as +it prevents DNSSEC working correctly through another recursive server. + +When talking to a recurive server the best algorithm to do is send +CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive +server has a bad clock and/or bad trust anchor. 
Alternatively one
+can send CD=1 then CD=0 on validation failure in case the recursive
+server is under attack or there is stale / bogus authoritative data.
+
+[16] Named doesn't currently encrypt DNS requests so the PAD option
+is accepted but not returned in responses.
diff --git a/doc/misc/roadmap
new file mode 100644
index 0000000..3ce9dbc
--- /dev/null
+++ b/doc/misc/roadmap
@@ -0,0 +1,47 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: roadmap,v 1.2 2004/03/05 05:04:54 marka Exp $
+
+Road Map to the BIND 9 Source Tree
+
+bin/named The name server. This relies heavily on the
+ libraries in lib/isc and lib/dns.
+ client.c Handling of incoming client requests
+ query.c Query processing
+bin/rndc The remote name daemon control program
+bin/dig The "dig" program
+bin/dnssec The DNSSEC signer and other DNSSEC tools
+bin/nsupdate The "nsupdate" program
+bin/tests Test suites and miscellaneous test programs
+bin/tests/system System tests; see bin/tests/system/README
+lib/dns The DNS library
+ resolver.c The "full resolver" (performs recursive lookups)
+ validator.c The DNSSEC validator
+ db.c The database interface
+ sdb.c The simple database interface
+ rbtdb.c The red-black tree database
+lib/dns/rdata Routines for handling the various RR types
+lib/dns/sec Cryptographic libraries for DNSSEC
+lib/isc The ISC library
+ task.c Task library
+ unix/socket.c Unix implementation of socket library
+lib/isccfg Routines for reading and writing ISC-style
+ configuration files like named.conf and rndc.conf
+lib/isccc The command channel library, used by rndc.
+lib/tests Support code for the test suites.
+lib/lwres The lightweight resolver library.
+doc/draft Current internet-drafts pertaining to the DNS
+doc/rfc RFCs pertaining to the DNS
+doc/misc Miscellaneous documentation
+doc/arm The BIND 9 Administrator Reference Manual
+doc/man Man pages
+contrib Contributed and other auxiliary code
+contrib/idn/mdnkit The multilingual domain name evaluation kit
+contrib/sdb Sample drivers for the simple database interface
+make Makefile fragments, used by configure
+
+The library interfaces are mainly documented in the form of comments
+in the header files. For example, the task subsystem is documented in
+lib/isc/include/isc/task.h
diff --git a/doc/misc/sdb
new file mode 100644
index 0000000..d36e79c
--- /dev/null
+++ b/doc/misc/sdb
@@ -0,0 +1,167 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +Using the BIND 9 Simplified Database Interface + +This document describes the care and feeding of the BIND 9 Simplified +Database Interface, which allows you to extend BIND 9 with new ways +of obtaining the data that is published as DNS zones. + + +The Original BIND 9 Database Interface + +BIND 9 has a well-defined "back-end database interface" that makes it +possible to replace the component of the name server responsible for +the storage and retrieval of zone data, called the "database", on a +per-zone basis. The default database is an in-memory, red-black-tree +data structure commonly referred to as "rbtdb", but it is possible to +write drivers to support any number of alternative database +technologies such as in-memory hash tables, application specific +persistent on-disk databases, object databases, or relational +databases. + +The original BIND 9 database interface defined in <dns/db.h> is +designed to efficiently support the full set of database functionality +needed by a name server that implements the complete DNS protocols, +including features such as zone transfers, dynamic update, and DNSSEC. +Each of these aspects of name server operations places its own set of +demands on the data store, with the result that the database API is +quite complex and contains operations that are highly specific to the +DNS. For example, data are stored in a binary format, the name space +is tree structured, and sets of data records are conceptually +associated with DNSSEC signature sets. For these reasons, writing a +driver using this interface is a highly nontrivial undertaking. 
+ + +The Simplified Database Interface + +Many BIND users wish to provide access to various data sources through +the DNS, but are not necessarily interested in completely replacing +the in-memory "rbt" database or in supporting features like dynamic +update, DNSSEC, or even zone transfers. + +Often, all you want is limited, read-only DNS access to an existing +system. For example, you may have an existing relational database +containing hostname/address mappings and wish to provide forvard and +reverse DNS lookups based on this information. Or perhaps you want to +set up a simple DNS-based load balancing system where the name server +answers queries about a single DNS name with a dynamically changing +set of A records. + +BIND 9.1 introduced a new, simplified database interface, or "sdb", +which greatly simplifies the writing of drivers for these kinds of +applications. + + +The sdb Driver + +An sdb driver is an object module, typically written in C, which is +linked into the name server and registers itself with the sdb +subsystem. It provides a set of callback functions, which also serve +to advertise its capabilities. When the name server receives DNS +queries, invokes the callback functions to obtain the data to respond +with. + +Unlike the full database interface, the sdb interface represents all +domain names and resource records as ASCII text. + + +Writing an sdb Driver + +When a driver is registered, it specifies its name, a list of callback +functions, and flags. + +The flags specify whether the driver wants to use relative domain +names where possible. + +The callback functions are as follows. The only one that must be +defined is lookup(). + + - create(zone, argc, argv, driverdata, dbdata) + Create a database object for "zone". + + - destroy(zone, driverdata, dbdata) + Destroy the database object for "zone". + + - lookup(zone, name, dbdata, lookup) + Return all the records at the domain name "name". 
+ + - authority(zone, dbdata, lookup) + Return the SOA and NS records at the zone apex. + + - allnodes(zone, dbdata, allnodes) + Return all data in the zone, for zone transfers. + +For more detail about these functions and their parameters, see +bind9/lib/dns/include/dns/sdb.h. For example drivers, see +bind9/contrib/sdb. + + +Rebuilding the Server + +The driver module and header file must be copied to (or linked into) +the bind9/bin/named and bind9/bin/named/include directories +respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS +lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver, +add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If +the driver needs additional header files or libraries in nonstandard +places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be +updated. + +Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers, +e.g. timedb_init() and timedb_clear() for the timedb sample sdb +driver) must be inserted into the server, in bind9/bin/named/main.c. +Registration should be in setup(), before the call to +ns_server_create(). Unregistration should be in cleanup(), +after the call to ns_server_destroy(). A #include should be added +corresponding to the driver header file. + +You should try doing this with one or more of the sample drivers +before attempting to write a driver of your own. + + +Configuring the Server + +To make a zone use a new database driver, specify a "database" option +in its "zone" statement in named.conf. 
For example, if the driver +registers itself under the name "acmedb", you might say + + zone "foo.com" { + database "acmedb"; + }; + +You can pass arbitrary arguments to the create() function of the +driver by adding any number of whitespace-separated words after the +driver name: + + zone "foo.com" { + database "acmedb -mode sql -connect 10.0.0.1"; + }; + + +Hints for Driver Writers + + - If a driver is generating data on the fly, it probably should + not implement the allnodes() function, since a zone transfer + will not be meaningful. The allnodes() function is more relevant + with data from a database. + + - The authority() function is necessary if and only if the lookup() + function will not add SOA and NS records at the zone apex. If + SOA and NS records are provided by the lookup() function, + the authority() function should be NULL. + + - When a driver is registered, an opaque object can be provided. This + object is passed into the database create() and destroy() functions. + + - When a database is created, an opaque object can be created that + is associated with that database. This object is passed into the + lookup(), authority(), and allnodes() functions, and is + destroyed by the destroy() function. + + +Future Directions + +A future release may support dynamic loading of sdb drivers. + diff --git a/doc/misc/slave.zoneopt b/doc/misc/slave.zoneopt new file mode 100644 index 0000000..e4107b2 --- /dev/null +++ b/doc/misc/slave.zoneopt 
@@ -0,0 +1,59 @@ +zone <string> [ <class> ] { + type ( slave | secondary ); + allow-notify { <address_match_element>; ... }; + allow-query { <address_match_element>; ... }; + allow-query-on { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; + alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + auto-dnssec ( allow | maintain | off ); + check-names ( fail | warn | ignore ); + database <string>; + dialup ( notify | notify-passive | passive | refresh | <boolean> ); + dlz <string>; + dnssec-dnskey-kskonly <boolean>; + dnssec-loadkeys-interval <integer>; + dnssec-update-mode ( maintain | no-resign ); + file <quoted_string>; + forward ( first | only ); + forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; + inline-signing <boolean>; + ixfr-from-differences <boolean>; + journal <quoted_string>; + key-directory <quoted_string>; + masterfile-format ( map | raw | text ); + masterfile-style ( full | relative ); + masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... 
}; + max-journal-size ( unlimited | <sizeval> ); + max-records <integer>; + max-refresh-time <integer>; + max-retry-time <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + min-refresh-time <integer>; + min-retry-time <integer>; + multi-master <boolean>; + notify ( explicit | master-only | <boolean> ); + notify-delay <integer>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + notify-to-soa <boolean>; + nsec3-test-zone <boolean>; // test only + request-expire <boolean>; + request-ixfr <boolean>; + sig-signing-nodes <integer>; + sig-signing-signatures <integer>; + sig-signing-type <integer>; + sig-validity-interval <integer> [ <integer> ]; + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; + try-tcp-refresh <boolean>; + update-check-ksk <boolean>; + use-alt-transfer-source <boolean>; + zero-no-soa-ttl <boolean>; + zone-statistics ( full | terse | none | <boolean> ); +}; diff --git a/doc/misc/sort-options.pl b/doc/misc/sort-options.pl new file mode 100644 index 0000000..500f060 --- /dev/null +++ b/doc/misc/sort-options.pl 
@@ -0,0 +1,43 @@
+#!/bin/perl
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+sub sortlevel() {
+ my @options = ();
+ my $fin = "";
+ my $i = 0;
+ while (<>) {
+ if (/^\s*};$/ || /^\s*}; \/\/.*$/) {
+ $fin = $_;
+ # print 2, $_;
+ last;
+ }
+ next if (/^$/);
+ if (/{$/) {
+ # print 3, $_;
+ my $sec = $_;
+ push(@options, $sec . sortlevel());
+ } else {
+ push(@options, $_);
+ # print 1, $_;
+ }
+ $i++;
+ }
+ my $result = "";
+ foreach my $i (sort @options) {
+ $result = ${result}.${i};
+ $result = $result."\n" if ($i =~ /^[a-z]/i);
+ # print 5, ${i};
+ }
+ $result = ${result}.${fin};
+ return ($result);
+}
+
+print sortlevel();
diff --git a/doc/misc/static-stub.zoneopt
new file mode 100644
index 0000000..74abe0b
--- /dev/null
+++ b/doc/misc/static-stub.zoneopt
@@ -0,0 +1,11 @@
+zone <string> [ <class> ] {
+ type static-stub;
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ max-records <integer>;
+ server-addresses { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
+ server-names { <quoted_string>; ... };
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/stub.zoneopt
new file mode 100644
index 0000000..b18b102
--- /dev/null
+++ b/doc/misc/stub.zoneopt
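Review bot: In sortlevel() the counter `$i` (`my $i = 0;` and `$i++;`) is written on every iteration but never read, and the later `foreach my $i (sort @options)` declares a second `$i` that shadows it, so a reader is left looking for where the count is used; drop the two counter lines or rename the loop variable. The script also runs without `use strict; use warnings;`, which is the usual first statement after the license header for a generator of this kind. A nested call that reaches EOF without seeing a closing `};` returns its sorted fragment with `$fin` still empty, so a truncated grammar is silently passed through; a comment on `my $fin = "";` such as `# closing "};" of this block; stays empty only for the top-level call, which ends at EOF` would make the intent explicit. Since `/{$/` treats only a line ending in `{` as a block opener, the input is presumably one option per line with any wrapping done elsewhere — worth stating in the header comment. `#!/bin/perl` is not where perl is installed on most systems; harmless when the script is always run through an explicit interpreter, but `#!/usr/bin/env perl` is the portable form.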
@@ -0,0 +1,27 @@
+zone <string> [ <class> ] {
+ type stub;
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ check-names ( fail | warn | ignore );
+ database <string>;
+ delegation-only <boolean>;
+ dialup ( notify | notify-passive | passive | refresh | <boolean> );
+ file <quoted_string>;
+ forward ( first | only );
+ forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-time-in <integer>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
diff --git a/doc/misc/tcp-fast-open b/doc/misc/tcp-fast-open
new file mode 100644
index 0000000..020ec05
--- /dev/null
+++ b/doc/misc/tcp-fast-open
@@ -0,0 +1,32 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Some systems (Linux, FreeBSD, OS X/macOS and Windows 10) support
+the TCP Fast Open (RFC 7413) mechanism in their recent versions.
+
+BIND 9 supports this on the server side.
+
+When the TCP_FASTOPEN socket option is defined after the listen()
+system call the socket code in the libisc set the option with
+the half of the listen backlog (so the fast open maximum queue length
+is the half of the pending connection queue length).
+Any failure is logged and ignored.
+
+System specific notes:
+ - FreeBSD doesn't interpret the argument as a queue length but
+ only as an on/off switch.
+
+ - Using TCP Fast Open on FreeBSD, as of versions 10.3 and 11.0, requires
+ compiling a custom kernel and setting the "net.inet.tcp.fastopen.enabled"
+ sysctl to 1.
+
+ - Apple OS X/macOS allows only 0 or 1 so the code puts 1 for this system.
+
+ - Windows 10 uses a 0/1 char flag? Note that TCP_FASTOPEN is defined
+ only in SDK 10.0.14393.0 or higher (Visual Studio 2015 requires
+ extra setting of the "Target Platform Version" in all project
+ properties).
+
+ - the only other system known to support this is Linux.
+ |
