author | Doug Barton <dougb@FreeBSD.org> | 2008-12-23 18:35:21 +0000 |
---|---|---|
committer | Doug Barton <dougb@FreeBSD.org> | 2008-12-23 18:35:21 +0000 |
commit | 2fabdf5789e562f51310270bef3cb863c0dc920b (patch) | |
tree | d25d756be8550df073eb3ed4e5b39831380291b5 /doc/arm/Bv9ARM-book.xml | |
parent | e086bf114fd88cb7f882d66afe4492fe5659bcf2 (diff) | |
download | src-2fabdf5789e562f51310270bef3cb863c0dc920b.tar.gz src-2fabdf5789e562f51310270bef3cb863c0dc920b.zip |
Vendor import of BIND 9.4.3 (tag: vendor/bind9/9.4.3)
Notes
Notes:
svn path=/vendor/bind9/dist/; revision=186448
svn path=/vendor/bind9/9.4.3/; revision=186449; tag=vendor/bind9/9.4.3
Diffstat (limited to 'doc/arm/Bv9ARM-book.xml')
-rw-r--r-- | doc/arm/Bv9ARM-book.xml | 302 |
1 files changed, 244 insertions, 58 deletions
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 24642c13c2b7..cdcb9d8a4108 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE. --> -<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.82.8.3 2008/07/23 12:04:32 marka Exp $ --> +<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.97 2008/10/17 19:37:35 jreed Exp $ --> <book xmlns:xi="http://www.w3.org/2001/XInclude"> <title>BIND 9 Administrator Reference Manual</title>
@@ -639,13 +639,11 @@
 <title>Supported Operating Systems</title> <para> ISC <acronym>BIND</acronym> 9 compiles and runs on a large - number - of Unix-like operating system and on NT-derived versions of - Microsoft Windows such as Windows 2000 and Windows XP. For an - up-to-date - list of supported systems, see the README file in the top level - directory - of the BIND 9 source distribution. + number of Unix-like operating systems, and on some versions of + Microsoft Windows including Windows XP, Windows 2003, and + Windows 2008. For an up-to-date list of supported systems, + see the README file in the top level directory of the BIND 9 + source distribution. </para> </sect1> </chapter> 
@@ -2930,6 +2928,33 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <row rowsep="0"> <entry colname="1"> <para> + <varname>port_list</varname> + </para> + </entry> + <entry colname="2"> + <para> + A list of an <varname>ip_port</varname> or a port + range. + A port range is specified in the form of + <userinput>range</userinput> followed by + two <varname>ip_port</varname>s, + <varname>port_low</varname> and + <varname>port_high</varname>, which represents + port numbers from <varname>port_low</varname> through + <varname>port_high</varname>, inclusive. + <varname>port_low</varname> must not be larger than + <varname>port_high</varname>. + For example, + <userinput>range 1024 65535</userinput> represents + ports from 1024 through 65535. + In either case an asterisk (`*') character is not + allowed as a valid <varname>ip_port</varname>. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> <varname>size_spec</varname> </para> </entry>
@@ -3582,7 +3607,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. </sect2> <sect2> <title><command>include</command> Statement Grammar</title> - <programlisting>include <replaceable>filename</replaceable>;</programlisting> + <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting> </sect2> <sect2> <title><command>include</command> Statement Definition and
@@ -3603,7 +3628,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. <sect2> <title><command>key</command> Statement Grammar</title> -<programlisting>key <replaceable>key_id</replaceable> { +<programlisting><command>key</command> <replaceable>key_id</replaceable> { algorithm <replaceable>string</replaceable>; secret <replaceable>string</replaceable>; }; 
@@ -4364,7 +4389,7 @@ category notify { null; }; statement in the <filename>named.conf</filename> file: </para> -<programlisting>options { +<programlisting><command>options</command> { <optional> version <replaceable>version_string</replaceable>; </optional> <optional> hostname <replaceable>hostname_string</replaceable>; </optional> <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
@@ -4425,7 +4450,9 @@ category notify { null; }; <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional> <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional> <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional> + <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional> <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional> + <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional> <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional> <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional> <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
@@ -5627,11 +5654,12 @@ options { to address (A or AAAA) records and that glue address records exist for delegated zones. For MX and SRV records only in-zone hostnames are - checked (for out-of-zone hostnames use named-checkzone). + checked (for out-of-zone hostnames use + <command>named-checkzone</command>). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency - checks use named-checkzone). The default is - <command>yes</command>. + checks use <command>named-checkzone</command>). + The default is <command>yes</command>. </para> </listitem> </varlistentry> 
@@ -6058,7 +6086,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; }; </para> </sect3> - <sect3> + <sect3 id="query_address"> <title>Query Address</title> <para> If the server doesn't know the answer to a question, it will 
@@ -6068,25 +6096,94 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; }; If <command>address</command> is <command>*</command> (asterisk) or is omitted, a wildcard IP address (<command>INADDR_ANY</command>) will be used. + </para> + + <para> If <command>port</command> is <command>*</command> or is omitted, - a random unprivileged port number is picked up and will be - used for each query. - It is generally strongly discouraged to - specify a particular port for the - <command>query-source</command> or - <command>query-source-v6</command> options; - it implicitly disables the use of randomized port numbers - and leads to insecure operation. - The <command>avoid-v4-udp-ports</command> - and <command>avoid-v6-udp-ports</command> options can be used - to prevent named - from selecting certain ports. The defaults are: + a random port number from a pre-configured + range is picked up and will be used for each query. + The port range(s) is that specified in + the <command>use-v4-udp-ports</command> (for IPv4) + and <command>use-v6-udp-ports</command> (for IPv6) + options, excluding the ranges specified in + the <command>avoid-v4-udp-ports</command> + and <command>avoid-v6-udp-ports</command> options, respectively. + </para> + + <para> + The defaults of the <command>query-source</command> and + <command>query-source-v6</command> options + are: </para> <programlisting>query-source address * port *; query-source-v6 address * port *; </programlisting> + <para> + If <command>use-v4-udp-ports</command> or + <command>use-v6-udp-ports</command> is unspecified, + <command>named</command> will check if the operating + system provides a programming interface to retrieve the + system's default range for ephemeral ports. 
+ If such an interface is available, + <command>named</command> will use the corresponding system + default range; otherwise, it will use its own defaults: + </para> + +<programlisting>use-v4-udp-ports { range 1024 65535; }; +use-v6-udp-ports { range 1024 65535; }; +</programlisting> + + <para> + Note: make sure the ranges be sufficiently large for + security. A desirable size depends on various parameters, + but we generally recommend it contain at least 16384 ports + (14 bits of entropy). + Note also that the system's default range when used may be + too small for this purpose, and that the range may even be + changed while <command>named</command> is running; the new + range will automatically be applied when <command>named</command> + is reloaded. + It is encouraged to + configure <command>use-v4-udp-ports</command> and + <command>use-v6-udp-ports</command> explicitly so that the + ranges are sufficiently large and are reasonably + independent from the ranges used by other applications. + </para> + + <para> + Note: the operational configuration + where <command>named</command> runs may prohibit the use + of some ports. For example, UNIX systems will not allow + <command>named</command> running without a root privilege + to use ports less than 1024. + If such ports are included in the specified (or detected) + set of query ports, the corresponding query attempts will + fail, resulting in resolution failures or delay. + It is therefore important to configure the set of ports + that can be safely used in the expected operational environment. 
+ </para> + + <para> + The defaults of the <command>avoid-v4-udp-ports</command> and + <command>avoid-v6-udp-ports</command> options + are: + </para> + +<programlisting>avoid-v4-udp-ports {}; +avoid-v6-udp-ports {}; +</programlisting> + + <para> + Note: it is generally strongly discouraged to + specify a particular port for the + <command>query-source</command> or + <command>query-source-v6</command> options; + it implicitly disables the use of randomized port numbers + and can be insecure. + </para> + <note> <para> The address specified in the <command>query-source</command> option 
@@ -6432,17 +6529,48 @@ query-source-v6 address * port *; </sect3> <sect3> - <title>Bad UDP Port Lists</title> - <para><command>avoid-v4-udp-ports</command> - and <command>avoid-v6-udp-ports</command> specify a list - of IPv4 and IPv6 UDP ports that will not be used as system - assigned source ports for UDP sockets. These lists - prevent named from choosing as its random source port a - port that is blocked by your firewall. If a query went - out with such a source port, the answer would not get by - the firewall and the name server would have to query - again. + <title>UDP Port Lists</title> + <para> + <command>use-v4-udp-ports</command>, + <command>avoid-v4-udp-ports</command>, + <command>use-v6-udp-ports</command>, and + <command>avoid-v6-udp-ports</command> + specify a list of IPv4 and IPv6 UDP ports that will be + used or not used as source ports for UDP messages. + See <xref linkend="query_address"/> about how the + available ports are determined. + For example, with the following configuration </para> + +<programlisting> +use-v6-udp-ports { range 32768 65535; }; +avoid-v6-udp-ports { 40000; range 50000 60000; }; +</programlisting> + + <para> + UDP ports of IPv6 messages sent + from <command>named</command> will be in one + of the following ranges: 32768 to 39999, 40001 to 49999, + and 60001 to 65535. + </para> + + <para> + <command>avoid-v4-udp-ports</command> and + <command>avoid-v6-udp-ports</command> can be used + to prevent <command>named</command> from choosing as its random source port a + port that is blocked by your firewall or a port that is + used by other applications; + if a query went out with a source port blocked by a + firewall, the + answer would not get by the firewall and the name server would + have to query again. 
+ Note: the desired range can also be represented only with + <command>use-v4-udp-ports</command> and + <command>use-v6-udp-ports</command>, and the + <command>avoid-</command> options are redundant in that + sense; they are provided for backward compatibility and + to possibly simplify the port specification. + </para> </sect3> <sect3>
@@ -6618,8 +6746,10 @@ query-source-v6 address * port *; transfers. The default is <literal>512</literal>. The minimum value is <literal>128</literal> and the maximum value is <literal>128</literal> less than - 'files' or FD_SETSIZE (whichever is smaller). This - option may be removed in the future. + maxsockets (-S). This option may be removed in the future. + </para> + <para> + This option has little effect on Windows. </para> </listitem> </varlistentry>
@@ -6629,16 +6759,23 @@ query-source-v6 address * port *; <listitem> <para> The maximum amount of memory to use for the - server's cache, in bytes. When the amount of data in the - cache + server's cache, in bytes. + When the amount of data in the cache reaches this limit, the server will cause records to expire - prematurely so that the limit is not exceeded. In a server - with - multiple views, the limit applies separately to the cache of - each - view. The default is <literal>unlimited</literal>, meaning that - records are purged from the cache only when their TTLs - expire. + prematurely so that the limit is not exceeded. + A value of 0 is special, meaning that + records are purged from the cache only when their + TTLs expire. + Another special keyword <userinput>unlimited</userinput> + means the maximum value of 32-bit unsigned integers + (0xffffffff), which may not have the same effect as + 0 on machines that support more than 32 bits of + memory space. + Any positive values less than 2MB will be ignored reset + to 2MB. + In a server with multiple views, the limit applies + separately to the cache of each view. + The default is 0. </para> </listitem> </varlistentry> 
@@ -7041,6 +7178,10 @@ query-source-v6 address * port *; Sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days). + A value of zero may cause all queries to return + SERVFAIL, because of lost caches of intermediate + RRsets (such as NS and glue AAAA/A records) in the + resolution process. </para> </listitem> </varlistentry>
@@ -7320,9 +7461,8 @@ query-source-v6 address * port *; <para> The current list of empty zones is: <itemizedlist> +<!-- XXX: The RFC1918 addresses are #defined out in sources currently. <listitem>10.IN-ADDR.ARPA</listitem> - <listitem>127.IN-ADDR.ARPA</listitem> - <listitem>254.169.IN-ADDR.ARPA</listitem> <listitem>16.172.IN-ADDR.ARPA</listitem> <listitem>17.172.IN-ADDR.ARPA</listitem> <listitem>18.172.IN-ADDR.ARPA</listitem>
@@ -7340,7 +7480,12 @@ query-source-v6 address * port *; <listitem>30.172.IN-ADDR.ARPA</listitem> <listitem>31.172.IN-ADDR.ARPA</listitem> <listitem>168.192.IN-ADDR.ARPA</listitem> +XXX: end of RFC1918 addresses #defined out --> + <listitem>0.IN-ADDR.ARPA</listitem> + <listitem>127.IN-ADDR.ARPA</listitem> + <listitem>254.169.IN-ADDR.ARPA</listitem> <listitem>2.0.192.IN-ADDR.ARPA</listitem> + <listitem>255.255.255.255.IN-ADDR.ARPA</listitem> <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem> <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem> <listitem>D.F.IP6.ARPA</listitem>
@@ -7567,8 +7712,10 @@ query-source-v6 address * port *; <command>success</command>, <command>referral</command>, <command>nxrrset</command>, - <command>nxdomain</command>, or - <command>failure</command> + <command>nxdomain</command>, + <command>failure</command>, + <command>duplicate</command>, or + <command>dropped</command> to be incremented, and may additionally cause the <command>recursion</command> counter to be incremented. 
@@ -7699,7 +7846,7 @@ query-source-v6 address * port *; <sect2 id="server_statement_grammar"> <title><command>server</command> Statement Grammar</title> -<programlisting>server <replaceable>ip_addr[/prefixlen]</replaceable> { +<programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> { <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional> <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional> <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
@@ -7908,7 +8055,7 @@ query-source-v6 address * port *; <sect2> <title><command>trusted-keys</command> Statement Grammar</title> -<programlisting>trusted-keys { +<programlisting><command>trusted-keys</command> { <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional> };
@@ -7949,7 +8096,7 @@ query-source-v6 address * port *; <sect2 id="view_statement_grammar"> <title><command>view</command> Statement Grammar</title> -<programlisting>view <replaceable>view_name</replaceable> +<programlisting><command>view</command> <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> { match-clients { <replaceable>address_match_list</replaceable> }; match-destinations { <replaceable>address_match_list</replaceable> }; 
@@ -8005,7 +8152,7 @@ query-source-v6 address * port *; <para> Zones defined within a <command>view</command> statement will - be only be accessible to clients that match the <command>view</command>. + only be accessible to clients that match the <command>view</command>. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal"
@@ -8090,7 +8237,7 @@ view "external" { <title><command>zone</command> Statement Grammar</title> -<programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { +<programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> { type master; <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional> <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
@@ -9436,6 +9583,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <row rowsep="0"> <entry colname="1"> <para> + IPSECKEY + </para> + </entry> + <entry colname="2"> + <para> + Provides a method for storing IPsec keying material in + DNS. Described in RFC 4025. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> ISDN </para> </entry>
@@ -9674,6 +9834,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <row rowsep="0"> <entry colname="1"> <para> + SPF + </para> + </entry> + <entry colname="2"> + <para> + Contains the Sender Policy Framework information + for a given email domain. Described in RFC 4408. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> SRV </para> </entry> 
@@ -9687,6 +9860,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea <row rowsep="0"> <entry colname="1"> <para> + SSHFP + </para> + </entry> + <entry colname="2"> + <para> + Provides a way to securly publish a secure shell key's + fingerprint. Described in RFC 4255. + </para> + </entry> + </row> + <row rowsep="0"> + <entry colname="1"> + <para> TXT </para> </entry>
@@ -10469,7 +10655,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting> is equivalent to </para> -<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. +<programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. |