aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
committerDoug Barton <dougb@FreeBSD.org>2009-05-31 00:11:36 +0000
commitb0e69f719c1db2c19fcfba96f0dac9a5a2277350 (patch)
tree72d567a9bc3fb8adcfcbaa9baedc122d53071209 /doc
parentfe9c1406ede29d1f2b9969c75785beef87a4bf87 (diff)
downloadsrc-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.tar.gz
src-b0e69f719c1db2c19fcfba96f0dac9a5a2277350.zip
Vendor import of BIND 9.6.1rc1
Notes
Notes: svn path=/vendor/bind9/dist/; revision=193141
Diffstat (limited to 'doc')
-rw-r--r--doc/Makefile.in8
-rw-r--r--doc/arm/Bv9ARM-book.xml3183
-rw-r--r--doc/arm/Bv9ARM.ch01.html76
-rw-r--r--doc/arm/Bv9ARM.ch02.html36
-rw-r--r--doc/arm/Bv9ARM.ch03.html54
-rw-r--r--doc/arm/Bv9ARM.ch04.html140
-rw-r--r--doc/arm/Bv9ARM.ch05.html8
-rw-r--r--doc/arm/Bv9ARM.ch06.html2887
-rw-r--r--doc/arm/Bv9ARM.ch07.html35
-rw-r--r--doc/arm/Bv9ARM.ch08.html20
-rw-r--r--doc/arm/Bv9ARM.ch09.html190
-rw-r--r--doc/arm/Bv9ARM.ch10.html13
-rw-r--r--doc/arm/Bv9ARM.html162
-rw-r--r--doc/arm/Bv9ARM.pdf14761
-rw-r--r--doc/arm/Makefile.in8
-rw-r--r--doc/arm/man.dig.html44
-rw-r--r--doc/arm/man.dnssec-dsfromkey.html170
-rw-r--r--doc/arm/man.dnssec-keyfromlabel.html210
-rw-r--r--doc/arm/man.dnssec-keygen.html37
-rw-r--r--doc/arm/man.dnssec-signzone.html33
-rw-r--r--doc/arm/man.host.html24
-rw-r--r--doc/arm/man.named-checkconf.html20
-rw-r--r--doc/arm/man.named-checkzone.html24
-rw-r--r--doc/arm/man.named.html34
-rw-r--r--doc/arm/man.nsupdate.html569
-rw-r--r--doc/arm/man.rndc-confgen.html14
-rw-r--r--doc/arm/man.rndc.conf.html14
-rw-r--r--doc/arm/man.rndc.html22
-rw-r--r--doc/misc/Makefile.in2
-rw-r--r--doc/misc/format-options.pl2
-rw-r--r--doc/misc/ipv62
-rw-r--r--doc/misc/migration2
-rw-r--r--doc/misc/options64
-rwxr-xr-xdoc/misc/sort-options.pl2
34 files changed, 14619 insertions, 8251 deletions
diff --git a/doc/Makefile.in b/doc/Makefile.in
index f307f416486b..14d35bc2d648 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000, 2001 Internet Software Consortium.
#
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
+# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $
# This Makefile is a placeholder. It exists merely to make
# sure that its directory gets created in the object directory
@@ -23,7 +23,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = arm misc xsl
+SUBDIRS = arm misc xsl doxygen
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index cdcb9d8a4108..f3bfe0d29ffc 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -1,8 +1,8 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.97 2008/10/17 19:37:35 jreed Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.14 2009/04/02 15:30:12 jreed Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
@@ -29,6 +29,7 @@
<year>2006</year>
<year>2007</year>
<year>2008</year>
+ <year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -67,30 +68,30 @@
</para>
<para>
- This version of the manual corresponds to BIND version 9.4.
+ This version of the manual corresponds to BIND version 9.6.
</para>
</sect1>
<sect1>
<title>Organization of This Document</title>
<para>
- In this document, <emphasis>Section 1</emphasis> introduces
- the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+ In this document, <emphasis>Chapter 1</emphasis> introduces
+ the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
describes resource requirements for running <acronym>BIND</acronym> in various
- environments. Information in <emphasis>Section 3</emphasis> is
+ environments. Information in <emphasis>Chapter 3</emphasis> is
<emphasis>task-oriented</emphasis> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym>BIND</acronym> 9 software. The task-oriented
section is followed by
- <emphasis>Section 4</emphasis>, which contains more advanced
+ <emphasis>Chapter 4</emphasis>, which contains more advanced
concepts that the system administrator may need for implementing
- certain options. <emphasis>Section 5</emphasis>
+ certain options. <emphasis>Chapter 5</emphasis>
describes the <acronym>BIND</acronym> 9 lightweight
- resolver. The contents of <emphasis>Section 6</emphasis> are
+ resolver. The contents of <emphasis>Chapter 6</emphasis> are
organized as in a reference manual to aid in the ongoing
- maintenance of the software. <emphasis>Section 7</emphasis> addresses
+ maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
security considerations, and
- <emphasis>Section 8</emphasis> contains troubleshooting help. The
+ <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
main body of the document is followed by several
<emphasis>appendices</emphasis> which contain useful reference
information, such as a <emphasis>bibliography</emphasis> and
@@ -253,8 +254,10 @@
more <emphasis>name servers</emphasis> and interprets the responses.
The <acronym>BIND</acronym> 9 software distribution
contains a
- name server, <command>named</command>, and two resolver
- libraries, <command>liblwres</command> and <command>libbind</command>.
+ name server, <command>named</command>, and a resolver
+ library, <command>liblwres</command>. The older
+ <command>libbind</command> resolver library is also available
+ from ISC as a separate download.
</para>
</sect2><sect2>
@@ -639,11 +642,13 @@
<title>Supported Operating Systems</title>
<para>
ISC <acronym>BIND</acronym> 9 compiles and runs on a large
- number of Unix-like operating systems, and on some versions of
- Microsoft Windows including Windows XP, Windows 2003, and
- Windows 2008. For an up-to-date list of supported systems,
- see the README file in the top level directory of the BIND 9
- source distribution.
+ number
+ of Unix-like operating systems and on NT-derived versions of
+ Microsoft Windows such as Windows 2000 and Windows XP. For an
+ up-to-date
+ list of supported systems, see the README file in the top level
+ directory
+ of the BIND 9 source distribution.
</para>
</sect1>
</chapter>
@@ -651,7 +656,7 @@
<chapter id="Bv9ARM.ch03">
<title>Name Server Configuration</title>
<para>
- In this section we provide some suggested configurations along
+ In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</para>
@@ -928,7 +933,7 @@ zone "eng.example.com" {
<arg>%<replaceable>comment</replaceable></arg>
</cmdsynopsis>
<para>
- The usual simple use of dig will take the form
+ The usual simple use of <command>dig</command> will take the form
</para>
<simpara>
<command>dig @server domain query-type query-class</command>
@@ -1068,7 +1073,7 @@ zone "eng.example.com" {
</cmdsynopsis>
</listitem>
</varlistentry>
- <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
+ <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
<term><command>named-compilezone</command></term>
<listitem>
<para>
@@ -1271,8 +1276,8 @@ zone "eng.example.com" {
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
had completed stopping.
</para>
</listitem>
@@ -1286,8 +1291,8 @@ zone "eng.example.com" {
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <option>-p</option> is specified <command>named</command>'s process id is returned.
+ This allows an external process to determine when <command>named</command>
had completed halting.
</para>
</listitem>
@@ -1356,12 +1361,27 @@ zone "eng.example.com" {
<term><userinput>recursing</userinput></term>
<listitem>
<para>
- Dump the list of queries named is currently recursing
+ Dump the list of queries <command>named</command> is currently recursing
on.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><userinput>validation
+ <optional>on|off</optional>
+ <optional><replaceable>view ...</replaceable></optional>
+ </userinput></term>
+ <listitem>
+ <para>
+ Enable or disable DNSSEC validation.
+ Note <command>dnssec-enable</command> also needs to be
+ set to <userinput>yes</userinput> to be effective.
+ It defaults to enabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
<para>
@@ -1426,7 +1446,7 @@ zone "eng.example.com" {
with
<command>named</command>. Its syntax is
identical to the
- <command>key</command> statement in named.conf.
+ <command>key</command> statement in <filename>named.conf</filename>.
The keyword <userinput>key</userinput> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
@@ -1599,10 +1619,10 @@ controls {
</para>
<note>
- As a slave zone can also be a master to other slaves, named,
+ As a slave zone can also be a master to other slaves, <command>named</command>,
by default, sends <command>NOTIFY</command> messages for every zone
it loads. Specifying <command>notify master-only;</command> will
- cause named to only send <command>NOTIFY</command> for master
+ cause <command>named</command> to only send <command>NOTIFY</command> for master
zones that it loads.
</note>
@@ -1619,18 +1639,23 @@ controls {
</para>
<para>
- Dynamic update is enabled by
- including an <command>allow-update</command> or
- <command>update-policy</command> clause in the
- <command>zone</command> statement.
+ Dynamic update is enabled by including an
+ <command>allow-update</command> or <command>update-policy</command>
+ clause in the <command>zone</command> statement. The
+ <command>tkey-gssapi-credential</command> and
+ <command>tkey-domain</command> clauses in the
+ <command>options</command> statement enable the
+ server to negotiate keys that can be matched against those
+ in <command>update-policy</command> or
+ <command>allow-update</command>.
</para>
<para>
- Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.
+ Updating of secure zones (zones using DNSSEC) follows RFC
+ 3007: RRSIG, NSEC and NSEC3 records affected by updates are
+ automatically regenerated by the server using an online
+ zone key. Update authorization is based on transaction
+ signatures and an explicit server policy.
</para>
<sect2 id="journal">
@@ -2086,7 +2111,7 @@ key host1-host2. {
</programlisting>
<para>
- The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+ The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <filename>named.conf</filename> be non-world
readable, or the key directive be added to a non-world readable
@@ -2146,22 +2171,23 @@ server 10.1.2.3 {
be denoted <command>key host1-host2.</command>
</para>
<para>
- An example of an allow-update directive would be:
+ An example of an <command>allow-update</command> directive would be:
</para>
<programlisting>
allow-update { key host1-host2. ;};
</programlisting>
- <para>
- This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<command>host1-host2.</command>".
- </para>
<para>
- You may want to read about the more
- powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
- </para>
+ This allows dynamic updates to succeed only if the request
+ was signed by a key named "<command>host1-host2.</command>".
+ </para>
+
+ <para>
+ You may want to read about the more powerful
+ <command>update-policy</command> statement in
+ <xref linkend="dynamic_update_policies"/>.
+ </para>
</sect2>
<sect2>
@@ -2235,7 +2261,7 @@ allow-update { key host1-host2. ;};
<para>
<acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931.
+ transaction signatures as specified in RFC 2535 and RFC 2931.
SIG(0)
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
@@ -2351,6 +2377,12 @@ allow-update { key host1-host2. ;};
</para>
<para>
+ The <command>dnssec-keyfromlabel</command> program is used
+ to get a key pair from a crypto hardware and build the key
+ files. Its usage is similar to <command>dnssec-keygen</command>.
+ </para>
+
+ <para>
The public keys should be inserted into the zone file by
including the <filename>.key</filename> files using
<command>$INCLUDE</command> statements.
@@ -2360,23 +2392,21 @@ allow-update { key host1-host2. ;};
<sect2>
<title>Signing the Zone</title>
- <para>
- The <command>dnssec-signzone</command> program is used
- to
- sign a zone.
- </para>
+ <para>
+ The <command>dnssec-signzone</command> program is used
+ to sign a zone.
+ </para>
- <para>
- Any <filename>keyset</filename> files corresponding
- to secure subzones should be present. The zone signer will
- generate <literal>NSEC</literal> and <literal>RRSIG</literal>
- records for the zone, as well as <literal>DS</literal>
- for
- the child zones if <literal>'-d'</literal> is specified.
- If <literal>'-d'</literal> is not specified, then
- DS RRsets for
- the secure child zones need to be added manually.
- </para>
+ <para>
+ Any <filename>keyset</filename> files corresponding to
+ secure subzones should be present. The zone signer will
+ generate <literal>NSEC</literal>, <literal>NSEC3</literal>
+ and <literal>RRSIG</literal> records for the zone, as
+ well as <literal>DS</literal> for the child zones if
+ <literal>'-g'</literal> is specified. If <literal>'-g'</literal>
+ is not specified, then DS RRsets for the secure child
+ zones need to be added manually.
+ </para>
<para>
The following command signs the zone, assuming it is in a
@@ -2452,7 +2482,7 @@ allow-update { key host1-host2. ;};
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that named is immune
+ controls. These are here to ensure that <command>named</command> is immune
to compromises in the DNSSEC components of the security
of parent zones.
</para>
@@ -2791,33 +2821,29 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<varname>ip6_addr</varname>
</para>
</entry>
- <entry colname="2">
- <para>
- An IPv6 address, such as <command>2001:db8::1234</command>.
- IPv6 scoped addresses that have ambiguity on their scope
- zones must be
- disambiguated by an appropriate zone ID with the percent
- character
- (`%') as delimiter.
- It is strongly recommended to use string zone names rather
- than
- numeric identifiers, in order to be robust against system
- configuration changes.
- However, since there is no standard mapping for such names
- and
- identifier values, currently only interface names as link
- identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links.
- For example, a link-local address <command>fe80::1</command> on the
- link attached to the interface <command>ne0</command>
- can be specified as <command>fe80::1%ne0</command>.
- Note that on most systems link-local addresses always have
- the
- ambiguity, and need to be disambiguated.
- </para>
- </entry>
- </row>
+ <entry colname="2">
+ <para>
+ An IPv6 address, such as <command>2001:db8::1234</command>.
+ IPv6 scoped addresses that have ambiguity on their
+ scope zones must be disambiguated by an appropriate
+ zone ID with the percent character (`%') as
+ delimiter. It is strongly recommended to use
+ string zone names rather than numeric identifiers,
+ in order to be robust against system configuration
+ changes. However, since there is no standard
+ mapping for such names and identifier values,
+ currently only interface names as link identifiers
+ are supported, assuming one-to-one mapping between
+ interfaces and links. For example, a link-local
+ address <command>fe80::1</command> on the link
+ attached to the interface <command>ne0</command>
+ can be specified as <command>fe80::1%ne0</command>.
+ Note that on most systems link-local addresses
+ always have the ambiguity, and need to be
+ disambiguated.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para>
@@ -2867,6 +2893,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
</para>
+ <para>
+ When specifying a prefix involving a IPv6 scoped address
+ the scope may be omitted. In that case the prefix will
+ match packets from any scope.
+ </para>
</entry>
</row>
<row rowsep="0">
@@ -3042,9 +3073,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <command>listen-on</command> and <command>sortlist</command>
- statements. The elements
- which constitute an address match list can be any of the
- following:
+ statements. The elements which constitute an address match
+ list can be any of the following:
</para>
<itemizedlist>
<listitem>
@@ -3072,28 +3102,30 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
- "localnets"
- are predefined. More information on those names can be found in
- the description of the acl statement.
+ "localnets" are predefined. More information on those names
+ can be found in the description of the acl statement.
</para>
<para>
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
- Nonetheless,
- the term "address match list" is still used throughout the
- documentation.
+ Nonetheless, the term "address match list" is still used
+ throughout the documentation.
</para>
<para>
When a given IP address or prefix is compared to an address
- match list, the list is traversed in order until an element
- matches.
+ match list, the comparison takes place in approximately O(1)
+ time. However, key comparisons require that the list of keys
+ be traversed until a matching key is found, and therefore may
+ be somewhat slower.
+ </para>
+
+ <para>
The interpretation of a match depends on whether the list is being
- used
- for access control, defining listen-on ports, or in a sortlist,
- and whether the element was negated.
+ used for access control, defining <command>listen-on</command> ports, or in a
+ <command>sortlist</command>, and whether the element was negated.
</para>
<para>
@@ -3101,30 +3133,36 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<command>allow-notify</command>,
+ <command>allow-recursion</command>,
+ <command>allow-recursion-on</command>,
<command>allow-query</command>,
+ <command>allow-query-on</command>,
<command>allow-query-cache</command>,
+ <command>allow-query-cache-on</command>,
<command>allow-transfer</command>,
<command>allow-update</command>,
<command>allow-update-forwarding</command>, and
<command>blackhole</command> all use address match
- lists. Similarly, the listen-on option will cause the
- server to not accept queries on any of the machine's
+ lists. Similarly, the <command>listen-on</command> option will cause the
+ server to refuse queries on any of the machine's
addresses which do not match the list.
</para>
<para>
- Because of the first-match aspect of the algorithm, an element
- that defines a subset of another element in the list should come
- before the broader element, regardless of whether either is
- negated. For
- example, in
- <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
- element is
- completely useless because the algorithm will match any lookup for
- 1.2.3.13 to the 1.2.3/24 element.
- Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
- that problem by having 1.2.3.13 blocked by the negation but all
- other 1.2.3.* hosts fall through.
+ Order of insertion is significant. If more than one element
+ in an ACL is found to match a given IP address or prefix,
+ preference will be given to the one that came
+ <emphasis>first</emphasis> in the ACL definition.
+ Because of this first-match behavior, an element that
+ defines a subset of another element in the list should
+ come before the broader element, regardless of whether
+ either is negated. For example, in
+ <command>1.2.3/24; ! 1.2.3.13;</command>
+ the 1.2.3.13 element is completely useless because the
+ algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+ element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+ that problem by having 1.2.3.13 blocked by the negation, but
+ all other 1.2.3.* hosts fall through.
</para>
</sect3>
</sect2>
@@ -3180,8 +3218,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
- </para>
- <para>
For example:
</para>
<para>
@@ -3197,8 +3233,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
with the character <literal>#</literal> (number sign)
and continue to the end of the
physical line, as in C++ comments.
- </para>
- <para>
For example:
</para>
@@ -3344,6 +3378,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
</row>
<row rowsep="0">
<entry colname="1">
+ <para><command>statistics-channels</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ declares communication channels to get access to
+ <command>named</command> statistics.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
<para><command>trusted-keys</command></para>
</entry>
<entry colname="2">
@@ -3405,8 +3450,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<para>
Note that an address match list's name must be defined
with <command>acl</command> before it can be used
- elsewhere; no
- forward references are allowed.
+ elsewhere; no forward references are allowed.
</para>
<para>
@@ -3688,7 +3732,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<programlisting><command>logging</command> {
[ <command>channel</command> <replaceable>channel_name</replaceable> {
- ( <command>file</command> <replaceable>path name</replaceable>
+ ( <command>file</command> <replaceable>path_name</replaceable>
[ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
[ <command>size</command> <replaceable>size spec</replaceable> ]
| <command>syslog</command> <replaceable>syslog_facility</replaceable>
@@ -3922,7 +3966,7 @@ notrace</command>. All debugging messages in the server have a debug
the date and time will be logged. <command>print-time</command> may
be specified for a <command>syslog</command> channel,
but is usually
- pointless since <command>syslog</command> also prints
+ pointless since <command>syslog</command> also logs
the date and
time. If <command>print-category</command> is
requested, then the
@@ -4168,7 +4212,7 @@ category notify { null; };
</entry>
<entry colname="2">
<para>
- Messages that named was unable to determine the
+ Messages that <command>named</command> was unable to determine the
class of or for which there was no matching <command>view</command>.
A one line summary is also logged to the <command>client</command> category.
This category is best sent to a file or stderr, by
@@ -4220,15 +4264,18 @@ category notify { null; };
enable query logging unless <command>querylog</command> option has been
specified.
</para>
- <para>
- The query log entry reports the client's IP address and
- port number, and the
- query name, class and type. It also reports whether the
- Recursion Desired
- flag was set (+ if set, - if not set), EDNS was in use
- (E) or if the
- query was signed (S).
- </para>
+
+ <para>
+ The query log entry reports the client's IP
+ address and port number, and the query name,
+ class and type. It also reports whether the
+ Recursion Desired flag was set (+ if set, -
+ if not set), if the query was signed (S),
+ EDNS was in use (E), if DO (DNSSEC Ok) was
+ set (D), or if CD (Checking Disabled) was set
+ (C).
+ </para>
+
<para>
<computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
</para>
@@ -4239,6 +4286,17 @@ category notify { null; };
</row>
<row rowsep="0">
<entry colname="1">
+ <para><command>query-errors</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Information about queries that resulted in some
+ failure.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
<para><command>dispatch</command></para>
</entry>
<entry colname="2">
@@ -4277,7 +4335,7 @@ category notify { null; };
</entry>
<entry colname="2">
<para>
- Delegation only. Logs queries that have have
+ Delegation only. Logs queries that have
been forced to NXDOMAIN as the result of a
delegation-only zone or
a <command>delegation-only</command> in a
@@ -4285,10 +4343,264 @@ category notify { null; };
</para>
</entry>
</row>
- </tbody>
- </tgroup>
- </informaltable>
- </sect3>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>edns-disabled</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Log queries that have been forced to use plain
+ DNS due to timeouts. This is often due to
+ the remote servers not being RFC 1034 compliant
+ (not always returning FORMERR or similar to
+ EDNS queries and other extensions to the DNS
+ when they are not understood). In other words, this is
+ targeted at servers that fail to respond to
+ DNS queries that they don't understand.
+ </para>
+ <para>
+ Note: the log message can also be due to
+ packet loss. Before reporting servers for
+ non-RFC 1034 compliance they should be re-tested
+ to determine the nature of the non-compliance.
+ This testing should prevent or reduce the
+ number of false-positive reports.
+ </para>
+ <para>
+ Note: eventually <command>named</command> will have to stop
+ treating such timeouts as due to RFC 1034 non
+ compliance and start treating it as plain
+ packet loss. Falsely classifying packet
+ loss as due to RFC 1034 non compliance impacts
+ on DNSSEC validation which requires EDNS for
+ the DNSSEC records to be returned.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+ <sect3>
+ <title>The <command>query-errors</command> Category</title>
+ <para>
+ The <command>query-errors</command> category is
+ specifically intended for debugging purposes: To identify
+ why and how specific queries result in responses which
+ indicate an error.
+ Messages of this category are therefore only logged
+ with <command>debug</command> levels.
+ </para>
+
+ <para>
+ At the debug levels of 1 or higher, each response with the
+ rcode of SERVFAIL is logged as follows:
+ </para>
+ <para>
+ <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
+ </para>
+ <para>
+ This means an error resulting in SERVFAIL was
+ detected at line 3880 of source file
+ <filename>query.c</filename>.
+ Log messages of this level will particularly
+ help identify the cause of SERVFAIL for an
+ authoritative server.
+ </para>
+ <para>
+ At the debug levels of 2 or higher, detailed context
+ information of recursive resolutions that resulted in
+ SERVFAIL is logged.
+ The log message will look like as follows:
+ </para>
+ <para>
+ <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
+ </para>
+ <para>
+ The first part before the colon shows that a recursive
+ resolution for AAAA records of www.example.com completed
+ in 30.000183 seconds and the final result that led to the
+ SERVFAIL was determined at line 2970 of source file
+ <filename>resolver.c</filename>.
+ </para>
+ <para>
+ The following part shows the detected final result and the
+ latest result of DNSSEC validation.
+ The latter is always success when no validation attempt
+ is made.
+ In this example, this query resulted in SERVFAIL probably
+ because all name servers are down or unreachable, leading
+ to a timeout in 30 seconds.
+ DNSSEC validation was probably not attempted.
+ </para>
+ <para>
+ The last part enclosed in square brackets shows statistics
+ information collected for this particular resolution
+ attempt.
+ The <varname>domain</varname> field shows the deepest zone
+ that the resolver reached;
+ it is the zone where the error was finally detected.
+ The meaning of the other fields is summarized in the
+ following table.
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" />
+ <colspec colname="2" colnum="2" colsep="0" />
+ <tbody>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>referral</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of referrals the resolver received
+ throughout the resolution process.
+ In the above example this is 2, which are most
+ likely com and example.com.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>restart</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of cycles that the resolver tried
+ remote servers at the <varname>domain</varname>
+ zone.
+ In each cycle the resolver sends one query
+ (possibly resending it, depending on the response)
+ to each known name server of
+ the <varname>domain</varname> zone.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>qrysent</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of queries the resolver sent at the
+ <varname>domain</varname> zone.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>timeout</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of timeouts since the resolver
+ received the last response.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>lame</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of lame servers the resolver detected
+ at the <varname>domain</varname> zone.
+ A server is detected to be lame either by an
+ invalid response or as a result of lookup in
+ BIND9's address database (ADB), where lame
+ servers are cached.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>neterr</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of erroneous results that the
+ resolver encountered in sending queries
+ at the <varname>domain</varname> zone.
+ One common case is the remote server is
+ unreachable and the resolver receives an ICMP
+ unreachable error message.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>badresp</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of unexpected responses (other than
+ <varname>lame</varname>) to queries sent by the
+ resolver at the <varname>domain</varname> zone.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>adberr</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures in finding remote server addresses
+ of the <varname>domain</varname> zone in the ADB.
+ One common case of this is that the remote
+ server's name does not have any address records.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>findfail</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of resolving remote server addresses.
+ This is a total number of failures throughout
+ the resolution process.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><varname>valfail</varname></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of DNSSEC validation.
+ Validation failures are counted throughout
+ the resolution process (not limited to
+ the <varname>domain</varname> zone), but should
+ only happen in <varname>domain</varname>.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>
+ At the debug levels of 3 or higher, the same messages
+ as those at the debug 1 level are logged for other errors
+ than SERVFAIL.
+ Note that negative responses such as NXDOMAIN are not
+ regarded as errors here.
+ </para>
+ <para>
+ At the debug levels of 4 or higher, the same messages
+ as those at the debug 2 level are logged for other errors
+ than SERVFAIL.
+ Unlike the above case of level 3, messages are logged for
+ negative responses.
+ This is because any unexpected results can be difficult to
+ debug in the recursion case.
+ </para>
+ </sect3>
</sect2>
<sect2>
@@ -4396,10 +4708,12 @@ category notify { null; };
<optional> directory <replaceable>path_name</replaceable>; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
<optional> named-xfer <replaceable>path_name</replaceable>; </optional>
+ <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
<optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
<optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
<optional> cache-file <replaceable>path_name</replaceable>; </optional>
<optional> dump-file <replaceable>path_name</replaceable>; </optional>
+ <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
<optional> pid-file <replaceable>path_name</replaceable>; </optional>
<optional> recursing-file <replaceable>path_name</replaceable>; </optional>
@@ -4421,6 +4735,7 @@ category notify { null; };
<optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
<optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
<optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
@@ -4442,12 +4757,16 @@ category notify { null; };
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@@ -4464,6 +4783,9 @@ category notify { null; };
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+ <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
@@ -4486,6 +4808,7 @@ category notify { null; };
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
<optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
@@ -4504,6 +4827,9 @@ category notify { null; };
<optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
<optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> min-roots <replaceable>number</replaceable>; </optional>
<optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
@@ -4594,39 +4920,57 @@ category notify { null; };
<varlistentry>
<term><command>named-xfer</command></term>
- <listitem>
- <para>
- <emphasis>This option is obsolete.</emphasis>
- It was used in <acronym>BIND</acronym> 8 to
- specify the pathname to the <command>named-xfer</command> program.
- In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
- needed; its functionality is built into the name server.
- </para>
+ <listitem>
+ <para>
+ <emphasis>This option is obsolete.</emphasis> It
+ was used in <acronym>BIND</acronym> 8 to specify
+ the pathname to the <command>named-xfer</command>
+ program. In <acronym>BIND</acronym> 9, no separate
+ <command>named-xfer</command> program is needed;
+ its functionality is built into the name server.
+ </para>
+ </listitem>
+ </varlistentry>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><command>tkey-gssapi-credential</command></term>
+ <listitem>
+ <para>
+ The security credential with which the server should
+ authenticate keys requested by the GSS-TSIG protocol.
+ Currently only Kerberos 5 authentication is available
+ and the credential is a Kerberos principal which
+ the server can acquire through the default system
+ key file, normally <filename>/etc/krb5.keytab</filename>.
+ Normally this principal is of the form
+ "<userinput>dns/</userinput><varname>server.domain</varname>".
+ To use GSS-TSIG, <command>tkey-domain</command>
+ must also be set.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>tkey-domain</command></term>
- <listitem>
- <para>
- The domain appended to the names of all
- shared keys generated with
- <command>TKEY</command>. When a client
- requests a <command>TKEY</command> exchange, it
- may or may not specify
- the desired name for the key. If present, the name of the
- shared
- key will be "<varname>client specified part</varname>" +
- "<varname>tkey-domain</varname>".
- Otherwise, the name of the shared key will be "<varname>random hex
-digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
- the <command>domainname</command> should be the
- server's domain
- name.
- </para>
- </listitem>
- </varlistentry>
+ <listitem>
+ <para>
+ The domain appended to the names of all shared keys
+ generated with <command>TKEY</command>. When a
+ client requests a <command>TKEY</command> exchange,
+ it may or may not specify the desired name for the
+ key. If present, the name of the shared key will
+ be <varname>client specified part</varname> +
+ <varname>tkey-domain</varname>. Otherwise, the
+ name of the shared key will be <varname>random hex
+ digits</varname> + <varname>tkey-domain</varname>.
+ In most cases, the <command>domainname</command>
+ should be the server's domain name, or an otherwise
+ non-existent subdomain like
+ "_tkey.<varname>domainname</varname>". If you are
+ using GSS-TSIG, this variable must be defined.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>tkey-dhkey</command></term>
@@ -4670,26 +5014,20 @@ digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
<listitem>
<para>
The pathname of the file the server writes memory
- usage statistics to on exit. If specified the
- statistics will be written to the file on exit.
+ usage statistics to on exit. If not specified,
+ the default is <filename>named.memstats</filename>.
</para>
- <para>
- In <acronym>BIND</acronym> 9.5 and later this will
- default to <filename>named.memstats</filename>.
- <acronym>BIND</acronym> 9.5 will also introduce
- <command>memstatistics</command> to control the
- writing.
- </para>
- </listitem>
- </varlistentry>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>pid-file</command></term>
<listitem>
<para>
The pathname of the file the server writes its process ID
- in. If not specified, the default is <filename>/var/run/named.pid</filename>.
- The pid-file is used by programs that want to send signals to
+ in. If not specified, the default is
+ <filename>/var/run/named/named.pid</filename>.
+ The PID file is used by programs that want to send signals to
the running
name server. Specifying <command>pid-file none</command> disables the
use of a PID file &mdash; no file will be written and any
@@ -4824,7 +5162,7 @@ options {
top of a zone. When a DNSKEY is at or below a domain
specified by the
deepest <command>dnssec-lookaside</command>, and
- the normal dnssec validation
+ the normal DNSSEC validation
has left the key untrusted, the trust-anchor will be append to
the key
name and a DLV record will be looked up to see if it can
@@ -4842,10 +5180,10 @@ options {
<para>
Specify hierarchies which must be or may not be secure (signed and
validated).
- If <userinput>yes</userinput>, then named will only accept
+ If <userinput>yes</userinput>, then <command>named</command> will only accept
answers if they
are secure.
- If <userinput>no</userinput>, then normal dnssec validation
+ If <userinput>no</userinput>, then normal DNSSEC validation
applies
allowing for insecure answers to be accepted.
The specified domain must be under a <command>trusted-key</command> or
@@ -4891,6 +5229,19 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>memstatistics</command></term>
+ <listitem>
+ <para>
+ Write memory statistics to the file specified by
+ <command>memstatistics-file</command> at exit.
+ The default is <userinput>no</userinput> unless
+ '-m record' is specified on the command line in
+ which case it is <userinput>yes</userinput>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>dialup</command></term>
<listitem>
<para>
@@ -5259,6 +5610,22 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>notify-to-soa</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput> do not check the nameservers
+ in the NS RRset against the SOA MNAME. Normally a NOTIFY
+ message is not sent to the SOA MNAME (SOA ORIGIN) as it is
+ supposed to contain the name of the ultimate master.
+ Sometimes, however, a slave is listed as the SOA MNAME in
+ hidden master configurations and in that case you would
+ want the ultimate master to still send NOTIFY messages to
+ all the nameservers listed in the NS RRset.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>recursion</command></term>
<listitem>
<para>
@@ -5518,9 +5885,10 @@ options {
also accepts <command>master</command> and
<command>slave</command> at the view and options
levels which causes
- <command>ixfr-from-differences</command> to apply to
+ <command>ixfr-from-differences</command> to be enabled for
all <command>master</command> or
<command>slave</command> zones respectively.
+ It is off by default.
</para>
</listitem>
</varlistentry>
@@ -5531,9 +5899,9 @@ options {
<para>
This should be set when you have multiple masters for a zone
and the
- addresses refer to different machines. If <userinput>yes</userinput>, named will
+ addresses refer to different machines. If <userinput>yes</userinput>, <command>named</command> will
not log
- when the serial number on the master is less than what named
+ when the serial number on the master is less than what <command>named</command>
currently
has. The default is <userinput>no</userinput>.
</para>
@@ -5544,8 +5912,8 @@ options {
<term><command>dnssec-enable</command></term>
<listitem>
<para>
- Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
- named behaves as if it does not support DNSSEC.
+ Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
+ <command>named</command> behaves as if it does not support DNSSEC.
The default is <userinput>yes</userinput>.
</para>
</listitem>
@@ -5555,10 +5923,10 @@ options {
<term><command>dnssec-validation</command></term>
<listitem>
<para>
- Enable DNSSEC validation in named.
+ Enable DNSSEC validation in <command>named</command>.
Note <command>dnssec-enable</command> also needs to be
set to <userinput>yes</userinput> to be effective.
- The default is <userinput>no</userinput>.
+ The default is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
@@ -5569,7 +5937,7 @@ options {
<para>
Accept expired signatures when verifying DNSSEC signatures.
The default is <userinput>no</userinput>.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
+ Setting this option to "yes" leaves <command>named</command> vulnerable to replay attacks.
</para>
</listitem>
</varlistentry>
@@ -5578,7 +5946,7 @@ options {
<term><command>querylog</command></term>
<listitem>
<para>
- Specify whether query logging should be started when named
+ Specify whether query logging should be started when <command>named</command>
starts.
If <command>querylog</command> is not specified,
then the query logging
@@ -5608,9 +5976,9 @@ options {
from RFC 952 and RFC 821 as modified by RFC 1123.
</para>
<para><command>check-names</command>
- applies to the owner names of A, AAA and MX records.
- It also applies to the domain names in the RDATA of NS, SOA
- and MX records.
+ applies to the owner names of A, AAAA and MX records.
+ It also applies to the domain names in the RDATA of NS, SOA,
+ MX, and SRV records.
It also applies to the RDATA of PTR records where the owner
name indicated that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
@@ -5701,7 +6069,7 @@ options {
<listitem>
<para>
When returning authoritative negative responses to
- SOA queries set the TTL of the SOA recored returned in
+ SOA queries set the TTL of the SOA record returned in
the authority section to zero.
The default is <command>yes</command>.
</para>
@@ -5734,6 +6102,17 @@ options {
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>try-tcp-refresh</command></term>
+ <listitem>
+ <para>
+ Try to refresh the zone using TCP if UDP queries fail.
+ For BIND 8 compatibility, the default is
+ <command>yes</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</sect3>
@@ -5874,6 +6253,35 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>allow-query-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can accept ordinary
+ DNS questions. This makes it possible, for instance,
+ to allow queries on internal-facing interfaces but
+ disallow them on external-facing ones, without
+ necessarily knowing the internal network's addresses.
+ </para>
+ <para>
+ <command>allow-query-on</command> may
+ also be specified in the <command>zone</command>
+ statement, in which case it overrides the
+ <command>options allow-query-on</command> statement.
+ </para>
+ <para>
+ If not specified, the default is to allow queries
+ on all addresses.
+ </para>
+ <note>
+ <para>
+ <command>allow-query-cache</command> is
+ used to specify access to the cache.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
@@ -5881,13 +6289,27 @@ options {
from the cache. If <command>allow-query-cache</command>
is not set then <command>allow-recursion</command>
is used if set, otherwise <command>allow-query</command>
- is used if set, otherwise the default
- (<command>localnets;</command>
+ is used if set unless <command>recursion no;</command> is
+ set in which case <command>none;</command> is used,
+ otherwise the default (<command>localnets;</command>
<command>localhost;</command>) is used.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>allow-query-cache-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can give answers
+ from the cache. If not specified, the default is
+ to allow cache queries on any address,
+ <command>localnets</command> and
+ <command>localhost</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>allow-recursion</command></term>
<listitem>
@@ -5905,6 +6327,17 @@ options {
</varlistentry>
<varlistentry>
+ <term><command>allow-recursion-on</command></term>
+ <listitem>
+ <para>
+ Specifies which local addresses can accept recursive
+ queries. If not specified, the default is to allow
+ recursive queries on all addresses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-update</command></term>
<listitem>
<para>
@@ -6001,7 +6434,7 @@ options {
<para>
The interfaces and ports that the server will answer queries
from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
- an optional port, and an <varname>address_match_list</varname>.
+ an optional port and an <varname>address_match_list</varname>.
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
</para>
@@ -6023,7 +6456,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
<para>
If no <command>listen-on</command> is specified, the
- server will listen on port 53 on all interfaces.
+ server will listen on port 53 on all IPv4 interfaces.
</para>
<para>
@@ -6081,8 +6514,10 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
<para>
If no <command>listen-on-v6</command> option is
- specified,
- the server will not listen on any IPv6 address.
+ specified, the server will not listen on any IPv6 address
+ unless <command>-6</command> is specified when <command>named</command> is
+ invoked. If <command>-6</command> is specified then
+ <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
</para>
</sect3>
@@ -6176,20 +6611,52 @@ avoid-v6-udp-ports {};
</programlisting>
<para>
- Note: it is generally strongly discouraged to
+ Note: BIND 9.5.0 introduced
+ the <command>use-queryport-pool</command>
+ option to support a pool of such random ports, but this
+ option is now obsolete because reusing the same ports in
+ the pool may not be sufficiently secure.
+ For the same reason, it is generally strongly discouraged to
specify a particular port for the
<command>query-source</command> or
<command>query-source-v6</command> options;
- it implicitly disables the use of randomized port numbers
- and can be insecure.
+ it implicitly disables the use of randomized port numbers.
</para>
+ <variablelist>
+ <varlistentry>
+ <term><command>use-queryport-pool</command></term>
+ <listitem>
+ <para>
+ This option is obsolete.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>queryport-pool-ports</command></term>
+ <listitem>
+ <para>
+ This option is obsolete.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>queryport-pool-updateinterval</command></term>
+ <listitem>
+ <para>
+ This option is obsolete.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
<note>
<para>
The address specified in the <command>query-source</command> option
is used for both UDP and TCP queries, but the port applies only
- to
- UDP queries. TCP queries always use a random
+ to UDP queries. TCP queries always use a random
unprivileged port.
</para>
</note>
@@ -6228,7 +6695,12 @@ avoid-v6-udp-ports {};
zone is loaded, in addition to the servers listed in the
zone's NS records.
This helps to ensure that copies of the zones will
- quickly converge on stealth servers. If an <command>also-notify</command> list
+ quickly converge on stealth servers.
+ Optionally, a port may be specified with each
+ <command>also-notify</command> address to send
+ the notify messages to a port other than the
+ default of 53.
+ If an <command>also-notify</command> list
is given in a <command>zone</command> statement,
it will override
the <command>options also-notify</command>
@@ -6457,7 +6929,7 @@ avoid-v6-udp-ports {};
to be used, you should set
<command>use-alt-transfer-source</command>
appropriately and you should not depend upon
- getting a answer back to the first refresh
+ getting an answer back to the first refresh
query.
</note>
</listitem>
@@ -6657,7 +7129,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</sect3>
- <sect3>
+ <sect3 id="server_resource_limits">
<title>Server Resource Limits</title>
<para>
@@ -6691,6 +7163,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
journal
will be automatically removed. The default is
<literal>unlimited</literal>.
+ This may also be set on a per-zone basis.
</para>
</listitem>
</varlistentry>
@@ -6741,7 +7214,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces named listens on, tcp-clients as well as
+ interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <literal>512</literal>.
The minimum value is <literal>128</literal> and the
@@ -6762,7 +7235,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
server's cache, in bytes.
When the amount of data in the cache
reaches this limit, the server will cause records to expire
- prematurely so that the limit is not exceeded.
+ prematurely based on an LRU based strategy so that
+ the limit is not exceeded.
A value of 0 is special, meaning that
records are purged from the cache only when their
TTLs expire.
@@ -6809,11 +7283,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>cleaning-interval</command></term>
<listitem>
<para>
- The server will remove expired resource records
+ This interval is effectively obsolete. Previously,
+ the server would remove expired resource records
from the cache every <command>cleaning-interval</command> minutes.
- The default is 60 minutes. The maximum value is 28 days
- (40320 minutes).
- If set to 0, no periodic cleaning will occur.
+ <acronym>BIND</acronym> 9 now manages cache
+ memory in a more sophisticated manner and does not
+ rely on the periodic cleaning any more.
+ Specifying this option therefore has no effect on
+ the server's behavior.
</para>
</listitem>
</varlistentry>
@@ -7095,8 +7572,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</entry>
<entry colname="2">
<para>
- Records are returned in a round-robin
- order.
+ Records are returned in a cyclic round-robin order.
+ </para>
+ <para>
+ If <acronym>BIND</acronym> is configured with the
+ "--enable-fixed-rrset" option at compile time, then
+ the initial ordering of the RRset will match the
+ one specified in the zone file.
</para>
</entry>
</row>
@@ -7127,9 +7609,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<note>
<simpara>
- The <command>rrset-order</command> statement
- is not yet fully implemented in <acronym>BIND</acronym> 9.
- BIND 9 currently does not fully support "fixed" ordering.
+ In this release of <acronym>BIND</acronym> 9, the
+ <command>rrset-order</command> statement does not support
+ "fixed" ordering by default. Fixed ordering can be enabled
+ at compile time by specifying "--enable-fixed-rrset" on
+ the "configure" command line.
</simpara>
</note>
</sect3>
@@ -7203,22 +7687,76 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</listitem>
</varlistentry>
- <varlistentry>
- <term><command>sig-validity-interval</command></term>
- <listitem>
- <para>
- Specifies the number of days into the
- future when DNSSEC signatures automatically generated as a
- result
- of dynamic updates (<xref linkend="dynamic_update"/>)
- will expire. The default is <literal>30</literal> days.
- The maximum value is 10 years (3660 days). The signature
- inception time is unconditionally set to one hour before the
- current time
- to allow for a limited amount of clock skew.
- </para>
- </listitem>
- </varlistentry>
+ <varlistentry>
+ <term><command>sig-validity-interval</command></term>
+ <listitem>
+ <para>
+ Specifies the number of days into the future when
+ DNSSEC signatures automatically generated as a
+ result of dynamic updates (<xref
+ linkend="dynamic_update"/>) will expire. There
+ is a optional second field which specifies how
+ long before expiry that the signatures will be
+ regenerated. If not specified, the signatures will
+ be regenerated at 1/4 of base interval. The second
+ field is specified in days if the base interval is
+ greater than 7 days otherwise it is specified in hours.
+ The default base interval is <literal>30</literal> days
+ giving a re-signing interval of 7 1/2 days. The maximum
+ values are 10 years (3660 days).
+ </para>
+ <para>
+ The signature inception time is unconditionally
+ set to one hour before the current time to allow
+ for a limited amount of clock skew.
+ </para>
+ <para>
+ The <command>sig-validity-interval</command>
+ should be, at least, several multiples of the SOA
+ expire interval to allow for reasonable interaction
+ between the various timer and expiry dates.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-signing-nodes</command></term>
+ <listitem>
+ <para>
+ Specify the maximum number of nodes to be
+ examined in each quantum when signing a zone with
+ a new DNSKEY. The default is
+ <literal>100</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-signing-signatures</command></term>
+ <listitem>
+ <para>
+ Specify a threshold number of signatures that
+ will terminate processing a quantum when signing
+ a zone with a new DNSKEY. The default is
+ <literal>10</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-signing-type</command></term>
+ <listitem>
+ <para>
+ Specify a private RDATA type to be used when generating
+ key signing records. The default is
+ <literal>65535</literal>.
+ </para>
+ <para>
+ It is expected that this parameter may be removed
+ in a future version once there is a standard type.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><command>min-refresh-time</command></term>
@@ -7252,14 +7790,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>edns-udp-size</command></term>
<listitem>
<para>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
+ Sets the advertised EDNS UDP buffer size in bytes
+ to control the size of packets received.
+ Valid values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value
+ is 4096. The usual reason for setting
+ <command>edns-udp-size</command> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
</para>
</listitem>
</varlistentry>
@@ -7268,11 +7807,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>max-udp-size</command></term>
<listitem>
<para>
- Sets the maximum EDNS UDP message size named will
+ Sets the maximum EDNS UDP message size <command>named</command> will
send in bytes. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
+ <command>max-udp-size</command> to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
@@ -7312,22 +7851,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</listitem>
</varlistentry>
- <varlistentry>
+ <varlistentry id="clients-per-query">
<term><command>clients-per-query</command></term>
<term><command>max-clients-per-query</command></term>
<listitem>
<para>These set the
initial value (minimum) and maximum number of recursive
- simultanious clients for any given query
+ simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients. <command>named</command> will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
</para>
<para>
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, named will
+ If the number of queries exceed this value, <command>named</command> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
@@ -7422,14 +7961,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<term><command>server-id</command></term>
<listitem>
<para>
- The ID of the server should report via a query of
- the name <filename>ID.SERVER</filename>
- with type <command>TXT</command>, class <command>CHAOS</command>.
+ The ID the server should report when receiving a Name
+ Server Identifier (NSID) query, or a query of the name
+ <filename>ID.SERVER</filename> with type
+ <command>TXT</command>, class <command>CHAOS</command>.
The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <command>server-id none;</command>
disables processing of the queries.
- Specifying <command>server-id hostname;</command> will cause named to
+ Specifying <command>server-id hostname;</command> will cause <command>named</command> to
use the hostname as found by the gethostname() function.
The default <command>server-id</command> is <command>none</command>.
</para>
@@ -7451,12 +7991,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
address (locally assigned), IPv6 link local addresses, the IPv6
- loopback address and the IPv6 unknown addresss.
+ loopback address and the IPv6 unknown address.
</para>
<para>
- Named will attempt to determine if a built in zone already exists
+ Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
- and will not not create a empty zone in that case.
+ and will not create a empty zone in that case.
</para>
<para>
The current list of empty zones is:
@@ -7517,7 +8057,7 @@ XXX: end of RFC1918 addresses #defined out -->
<note>
The real parent servers for these zones should disable all
empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
+ root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
</note>
<variablelist>
@@ -7547,7 +8087,7 @@ XXX: end of RFC1918 addresses #defined out -->
<term><command>empty-zones-enable</command></term>
<listitem>
<para>
- Enable or disable all empty zones. By default they
+ Enable or disable all empty zones. By default, they
are enabled.
</para>
</listitem>
@@ -7557,171 +8097,13 @@ XXX: end of RFC1918 addresses #defined out -->
<term><command>disable-empty-zone</command></term>
<listitem>
<para>
- Disable individual empty zones. By default none are
+ Disable individual empty zones. By default, none are
disabled. This option can be specified multiple times.
</para>
</listitem>
</varlistentry>
</variablelist>
</sect3>
-
- <sect3 id="statsfile">
- <title>The Statistics File</title>
-
- <para>
- The statistics file generated by <acronym>BIND</acronym> 9
- is similar, but not identical, to that
- generated by <acronym>BIND</acronym> 8.
- </para>
- <para>
- The statistics dump begins with a line, like:
- </para>
- <para>
- <command>+++ Statistics Dump +++ (973798949)</command>
- </para>
- <para>
- The number in parentheses is a standard
- Unix-style timestamp, measured as seconds since January 1, 1970.
- Following
- that line are a series of lines containing a counter type, the
- value of the
- counter, optionally a zone name, and optionally a view name.
- The lines without view and zone listed are global statistics for
- the entire server.
- Lines with a zone and view name for the given view and zone (the
- view name is
- omitted for the default view).
- </para>
- <para>
- The statistics dump ends with the line where the
- number is identical to the number in the beginning line; for example:
- </para>
- <para>
- <command>--- Statistics Dump --- (973798949)</command>
- </para>
- <para>
- The following statistics counters are maintained:
- </para>
- <informaltable colsep="0" rowsep="0">
- <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
- <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
- <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
- <tbody>
- <row rowsep="0">
- <entry colname="1">
- <para><command>success</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of
- successful queries made to the server or zone. A
- successful query
- is defined as query which returns a NOERROR response
- with at least
- one answer RR.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>referral</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which resulted
- in referral responses.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>nxrrset</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which resulted in
- NOERROR responses with no data.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>nxdomain</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number
- of queries which resulted in NXDOMAIN responses.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>failure</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which resulted in a
- failure response other than those above.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>recursion</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which caused the server
- to perform recursion in order to find the final answer.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>duplicate</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries which the server attempted to
- recurse but discover a existing query with the same
- IP address, port, query id, name, type and class
- already being processed.
- </para>
- </entry>
- </row>
- <row rowsep="0">
- <entry colname="1">
- <para><command>dropped</command></para>
- </entry>
- <entry colname="2">
- <para>
- The number of queries for which the server
- discovered a excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- </para>
- </entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
-
- <para>
- Each query received by the server will cause exactly one of
- <command>success</command>,
- <command>referral</command>,
- <command>nxrrset</command>,
- <command>nxdomain</command>,
- <command>failure</command>,
- <command>duplicate</command>, or
- <command>dropped</command>
- to be incremented, and may additionally cause the
- <command>recursion</command> counter to be
- incremented.
- </para>
-
- </sect3>
<sect3 id="acache">
<title>Additional Section Caching</title>
@@ -7829,10 +8211,7 @@ XXX: end of RFC1918 addresses #defined out -->
In a server with multiple views, the limit applies
separately to the
acache of each view.
- The default is <literal>unlimited</literal>,
- meaning that
- entries are purged from the acache only at the
- periodic cleaning time.
+ The default is <literal>16M</literal>.
</para>
</listitem>
</varlistentry>
@@ -7862,6 +8241,9 @@ XXX: end of RFC1918 addresses #defined out -->
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
};
</programlisting>
@@ -7953,7 +8335,7 @@ XXX: end of RFC1918 addresses #defined out -->
<para>
The <command>edns-udp-size</command> option sets the EDNS UDP size
- that is advertised by named when querying the remote server.
+ that is advertised by <command>named</command> when querying the remote server.
Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). This option is useful when you wish to
advertises a different value to this server than the value you
@@ -7963,11 +8345,11 @@ XXX: end of RFC1918 addresses #defined out -->
<para>
The <command>max-udp-size</command> option sets the
- maximum EDNS UDP message size named will send. Valid
+ maximum EDNS UDP message size <command>named</command> will send. Valid
values are 512 to 4096 bytes (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
- replies from named.
+ replies from <command>named</command>.
</para>
<para>
@@ -8052,6 +8434,74 @@ XXX: end of RFC1918 addresses #defined out -->
</sect2>
+ <sect2 id="statschannels">
+ <title><command>statistics-channels</command> Statement Grammar</title>
+
+<programlisting><command>statistics-channels</command> {
+ [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
+ [ inet ...; ]
+};
+</programlisting>
+ </sect2>
+
+ <sect2>
+ <title><command>statistics-channels</command> Statement Definition and
+ Usage</title>
+
+ <para>
+ The <command>statistics-channels</command> statement
+ declares communication channels to be used by system
+ administrators to get access to statistics information of
+ the name server.
+ </para>
+
+ <para>
+ This statement intends to be flexible to support multiple
+ communication protocols in the future, but currently only
+ HTTP access is supported.
+ It requires that BIND 9 be compiled with libxml2;
+ the <command>statistics-channels</command> statement is
+ still accepted even if it is built without the library,
+ but any HTTP access will fail with an error.
+ </para>
+
+ <para>
+ An <command>inet</command> control channel is a TCP socket
+ listening at the specified <command>ip_port</command> on the
+ specified <command>ip_addr</command>, which can be an IPv4 or IPv6
+ address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <command>ip_addr</command> of <literal>::</literal>.
+ </para>
+
+ <para>
+ If no port is specified, port 80 is used for HTTP channels.
+ The asterisk "<literal>*</literal>" cannot be used for
+ <command>ip_port</command>.
+ </para>
+
+ <para>
+ The attempt of opening a statistics channel is
+ restricted by the optional <command>allow</command> clause.
+ Connections to the statistics channel are permitted based on the
+ <command>address_match_list</command>.
+ If no <command>allow</command> clause is present,
+ <command>named</command> accepts connection
+ attempts from any address; since the statistics may
+ contain sensitive internal information, it is highly
+ recommended to restrict the source of connection requests
+ appropriately.
+ </para>
+
+ <para>
+ If no <command>statistics-channels</command> statement is present,
+ <command>named</command> will not open any communication channels.
+ </para>
+
+ </sect2>
+
<sect2>
<title><command>trusted-keys</command> Statement Grammar</title>
@@ -8090,6 +8540,9 @@ XXX: end of RFC1918 addresses #defined out -->
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
+ Spaces, tabs, newlines and carriage returns are ignored
+ in the key data, so the configuration may be split up into
+ multiple lines.
</para>
</sect2>
@@ -8240,6 +8693,7 @@ view "external" {
<programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type master;
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
@@ -8252,9 +8706,11 @@ view "external" {
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> journal <replaceable>string</replaceable> ; </optional>
+ <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
+ <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
@@ -8262,11 +8718,15 @@ view "external" {
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
+ <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+ <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@@ -8280,18 +8740,22 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
type slave;
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> journal <replaceable>string</replaceable> ; </optional>
+ <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
+ <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
@@ -8301,6 +8765,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
+ <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
+ <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -8329,6 +8795,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
type stub;
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
@@ -8435,7 +8902,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<filename>ex/example.com</filename> where <filename>ex/</filename> is
just the first two letters of the zone name. (Most
operating systems
- behave very slowly if you put 100 000 files into
+ behave very slowly if you put 100000 files into
a single directory.)
</para>
</entry>
@@ -8629,6 +9096,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>allow-query-on</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>allow-query-on</command> in <xref linkend="access_control"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-transfer</command></term>
<listitem>
<para>
@@ -8767,6 +9244,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>try-tcp-refresh</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>database</command></term>
<listitem>
@@ -8882,6 +9369,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>max-journal-size</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>max-transfer-time-in</command></term>
<listitem>
<para>
@@ -8942,6 +9439,17 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>notify-to-soa</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>notify-to-soa</command> in
+ <xref linkend="boolean_options"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>pubkey</command></term>
<listitem>
<para>
@@ -8979,6 +9487,36 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</varlistentry>
<varlistentry>
+ <term><command>sig-signing-nodes</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-signing-signatures</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>sig-signing-type</command></term>
+ <listitem>
+ <para>
+ See the description of
+ <command>sig-signing-type</command> in <xref linkend="tuning"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>transfer-source</command></term>
<listitem>
<para>
@@ -9067,6 +9605,10 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<para>
See the description of
<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
+ (Note that the <command>ixfr-from-differences</command>
+ <userinput>master</userinput> and
+ <userinput>slave</userinput> choices are not
+ available at the zone level.)
</para>
</listitem>
</varlistentry>
@@ -9106,45 +9648,41 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</sect3>
<sect3 id="dynamic_update_policies">
<title>Dynamic Update Policies</title>
- <para>
- <acronym>BIND</acronym> 9 supports two alternative
- methods of granting clients
- the right to perform dynamic updates to a zone,
- configured by the <command>allow-update</command>
- and
- <command>update-policy</command> option,
- respectively.
- </para>
- <para>
- The <command>allow-update</command> clause works the
- same
- way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
- permission to update any record of any name in the zone.
- </para>
- <para>
- The <command>update-policy</command> clause is new
- in <acronym>BIND</acronym>
- 9 and allows more fine-grained control over what updates are
- allowed.
- A set of rules is specified, where each rule either grants or
- denies
- permissions for one or more names to be updated by one or more
- identities.
- If the dynamic update request message is signed (that is, it
- includes
- either a TSIG or SIG(0) record), the identity of the signer can
- be determined.
- </para>
- <para>
- Rules are specified in the <command>update-policy</command> zone
- option, and are only meaningful for master zones. When the <command>update-policy</command> statement
- is present, it is a configuration error for the <command>allow-update</command> statement
- to be present. The <command>update-policy</command>
- statement only
- examines the signer of a message; the source address is not
- relevant.
- </para>
- <para>
+ <para><acronym>BIND</acronym> 9 supports two alternative
+ methods of granting clients the right to perform
+ dynamic updates to a zone, configured by the
+ <command>allow-update</command> and
+ <command>update-policy</command> option, respectively.
+ </para>
+ <para>
+ The <command>allow-update</command> clause works the
+ same way as in previous versions of <acronym>BIND</acronym>.
+ It grants given clients the permission to update any
+ record of any name in the zone.
+ </para>
+ <para>
+ The <command>update-policy</command> clause is new
+ in <acronym>BIND</acronym> 9 and allows more fine-grained
+ control over what updates are allowed. A set of rules
+ is specified, where each rule either grants or denies
+ permissions for one or more names to be updated by
+ one or more identities. If the dynamic update request
+ message is signed (that is, it includes either a TSIG
+ or SIG(0) record), the identity of the signer can be
+ determined.
+ </para>
+ <para>
+ Rules are specified in the <command>update-policy</command>
+ zone option, and are only meaningful for master zones.
+ When the <command>update-policy</command> statement
+ is present, it is a configuration error for the
+ <command>allow-update</command> statement to be
+ present. The <command>update-policy</command> statement
+ only examines the signer of a message; the source
+ address is not relevant.
+ </para>
+
+ <para>
This is how a rule definition looks:
</para>
@@ -9162,29 +9700,40 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
matches
the types specified in the type field.
</para>
-
<para>
- The identity field specifies a name or a wildcard name.
- Normally, this
- is the name of the TSIG or SIG(0) key used to sign the update
- request. When a
- TKEY exchange has been used to create a shared secret, the
- identity of the
- shared secret is the same as the identity of the key used to
- authenticate the
- TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
- wildcard name, it is subject to DNS wildcard expansion, so the
- rule will apply
- to multiple identities. The <replaceable>identity</replaceable> field must
- contain a fully-qualified domain name.
- </para>
+ No signer is required for <replaceable>tcp-self</replaceable>
+ or <replaceable>6to4-self</replaceable> however the standard
+ reverse mapping / prefix conversion must match the identity
+ field.
+ </para>
+ <para>
+ The identity field specifies a name or a wildcard
+ name. Normally, this is the name of the TSIG or
+ SIG(0) key used to sign the update request. When a
+ TKEY exchange has been used to create a shared secret,
+ the identity of the shared secret is the same as the
+ identity of the key used to authenticate the TKEY
+ exchange. TKEY is also the negotiation method used
+ by GSS-TSIG, which establishes an identity that is
+ the Kerberos principal of the client, such as
+ <userinput>"user@host.domain"</userinput>. When the
+ <replaceable>identity</replaceable> field specifies
+ a wildcard name, it is subject to DNS wildcard
+ expansion, so the rule will apply to multiple identities.
+ The <replaceable>identity</replaceable> field must
+ contain a fully-qualified domain name.
+ </para>
<para>
- The <replaceable>nametype</replaceable> field has 6
+ The <replaceable>nametype</replaceable> field has 12
values:
<varname>name</varname>, <varname>subdomain</varname>,
<varname>wildcard</varname>, <varname>self</varname>,
- <varname>selfsub</varname>, and <varname>selfwild</varname>.
+ <varname>selfsub</varname>, <varname>selfwild</varname>,
+ <varname>krb5-self</varname>, <varname>ms-self</varname>,
+ <varname>krb5-subdomain</varname>,
+ <varname>ms-subdomain</varname>,
+ <varname>tcp-self</varname> and <varname>6to4-self</varname>.
</para>
<informaltable>
<tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@@ -9283,6 +9832,43 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>tcp-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ Allow updates that have been sent via TCP and
+ for which the standard mapping from the initiating
+ IP address into the IN-ADDR.ARPA and IP6.ARPA
+ namespaces match the name to be updated.
+ </para>
+ <note>
+ It is theoretically possible to spoof these TCP
+ sessions.
+ </note>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>6to4-self</varname>
+ </para>
+ </entry> <entry colname="2">
+ <para>
+ Allow the 6to4 prefix to be update by any TCP
+ conection from the 6to4 network or from the
+ corresponding IPv4 address. This is intended
+ to allow NS or DNAME RRsets to be added to the
+ reverse tree.
+ </para>
+ <note>
+ It is theoretically possible to spoof these TCP
+ sessions.
+ </note>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
@@ -9293,16 +9879,15 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
specify a fully-qualified domain name.
</para>
- <para>
- If no types are explicitly specified, this rule matches all
- types except
- RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
- "ANY" (ANY matches all types except NSEC, which can never be
- updated).
- Note that when an attempt is made to delete all records
- associated with a
- name, the rules are checked for each existing record type.
- </para>
+ <para>
+ If no types are explicitly specified, this rule matches
+ all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+ may be specified by name, including "ANY" (ANY matches
+ all types except NSEC and NSEC3, which can never be
+ updated). Note that when an attempt is made to delete
+ all records associated with a name, the rules are
+ checked for each existing record type.
+ </para>
</sect3>
</sect2>
</sect1>
@@ -9514,6 +10099,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<row rowsep="0">
<entry colname="1">
<para>
+ DHCID
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Is used for identifying which DHCP client is
+ associated with this name. Described in RFC 4701.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
DNAME
</para>
</entry>
@@ -9720,6 +10318,40 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<row rowsep="0">
<entry colname="1">
<para>
+ NSEC3
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name
+ interval do not exist in a zone and indicate
+ what RR types are present for an existing
+ name. NSEC3 differs from NSEC in that it
+ prevents zone enumeration but is more
+ computationally expensive on both the server
+ and the client than NSEC. Described in RFC
+ 5155.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ NSEC3PARAM
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Used in DNSSECbis to tell the authoritative
+ server which NSEC3 chains are available to use.
+ Described in RFC 5155.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
NXT
</para>
</entry>
@@ -9865,7 +10497,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</entry>
<entry colname="2">
<para>
- Provides a way to securly publish a secure shell key's
+ Provides a way to securely publish a secure shell key's
fingerprint. Described in RFC 4255.
</para>
</entry>
@@ -10250,8 +10882,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
- </para>
- <para>
For example:
</para>
<informaltable colsep="0" rowsep="0">
@@ -10690,7 +11320,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
describes the owner name of the resource records
to be created. Any single <command>$</command>
(dollar sign)
- symbols within the <command>lhs</command> side
+ symbols within the <command>lhs</command> string
are replaced by the iterator value.
To get a $ in the output, you need to escape the
@@ -10734,7 +11364,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
<para>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
- normal ttl inheritance rules.
+ normal TTL inheritance rules.
</para>
<para><command>class</command>
and <command>ttl</command> can be
@@ -10834,15 +11464,1526 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
</para>
</sect2>
</sect1>
+
+ <sect1 id="statistics">
+ <title>BIND9 Statistics</title>
+ <para>
+ <acronym>BIND</acronym> 9 maintains lots of statistics
+ information and provides several interfaces for users to
+ get access to the statistics.
+ The available statistics include all statistics counters
+ that were available in <acronym>BIND</acronym> 8 and
+ are meaningful in <acronym>BIND</acronym> 9,
+ and other information that is considered useful.
+ </para>
+
+ <para>
+ The statistics information is categorized into the following
+ sections.
+ </para>
+
+ <informaltable frame="all">
+ <tgroup cols="2">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
+ <tbody>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Incoming Requests</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of incoming DNS requests for each OPCODE.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Incoming Queries</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of incoming queries for each RR type.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Outgoing Queries</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of outgoing queries for each RR
+ type sent from the internal resolver.
+ Maintained per view.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Name Server Statistics</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Statistics counters about incoming request processing.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Zone Maintenance Statistics</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Statistics counters regarding zone maintenance
+ operations such as zone transfers.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Resolver Statistics</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Statistics counters about name resolution
+ performed in the internal resolver.
+ Maintained per view.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Cache DB RRsets</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ The number of RRsets per RR type (positive
+ or negative) and nonexistent names stored in the
+ cache database.
+ Maintained per view.
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para>Socket I/O Statistics</para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Statistics counters about network related events.
+ </para>
+ </entry>
+ </row>
+
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ <para>
+ A subset of Name Server Statistics is collected and shown
+ per zone for which the server has the authority when
+ <command>zone-statistics</command> is set to
+ <userinput>yes</userinput>.
+ These statistics counters are shown with their zone and view
+ names.
+ In some cases the view names are omitted for the default view.
+ </para>
+
+ <para>
+ There are currently two user interfaces to get access to the
+ statistics.
+ One is in the plain text format dumped to the file specified
+ by the <command>statistics-file</command> configuration option.
+ The other is remotely accessible via a statistics channel
+ when the <command>statistics-channels</command> statement
+ is specified in the configuration file
+ (see <xref linkend="statschannels"/>.)
+ </para>
+
+ <sect3 id="statsfile">
+ <title>The Statistics File</title>
+ <para>
+ The text format statistics dump begins with a line, like:
+ </para>
+ <para>
+ <command>+++ Statistics Dump +++ (973798949)</command>
+ </para>
+ <para>
+ The number in parentheses is a standard
+ Unix-style timestamp, measured as seconds since January 1, 1970.
+
+ Following
+ that line is a set of statistics information, which is categorized
+ as described above.
+ Each section begins with a line, like:
+ </para>
+
+ <para>
+ <command>++ Name Server Statistics ++</command>
+ </para>
+
+ <para>
+ Each section consists of lines, each containing the statistics
+ counter value followed by its textual description.
+ See below for available counters.
+ For brevity, counters that have a value of 0 are not shown
+ in the statistics file.
+ </para>
+
+ <para>
+ The statistics dump ends with the line where the
+ number is identical to the number in the beginning line; for example:
+ </para>
+ <para>
+ <command>--- Statistics Dump --- (973798949)</command>
+ </para>
+ </sect3>
+
+ <sect2 id="statistics_counters">
+ <title>Statistics Counters</title>
+ <para>
+ The following tables summarize statistics counters that
+ <acronym>BIND</acronym> 9 provides.
+ For each row of the tables, the leftmost column is the
+ abbreviated symbol name of that counter.
+ These symbols are shown in the statistics information
+ accessed via an HTTP statistics channel.
+ The rightmost column gives the description of the counter,
+ which is also shown in the statistics file
+ (but, in this document, possibly with slight modification
+ for better readability).
+ Additional notes may also be provided in this column.
+ When a middle column exists between these two columns,
+ it gives the corresponding counter name of the
+ <acronym>BIND</acronym> 8 statistics, if applicable.
+ </para>
+
+ <sect3>
+ <title>Name Server Statistics Counters</title>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row>
+ <entry colname="1">
+ <para>
+ <emphasis>Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <emphasis>BIND8 Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <emphasis>Description</emphasis>
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Requestv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv4 requests received.
+ Note: this also counts non query requests.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Requestv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv6 requests received.
+ Note: this also counts non query requests.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqEdns0</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requests with EDNS(0) received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqBadEDNSVer</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requests with unsupported EDNS version received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqTSIG</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requests with TSIG received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqSIG0</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requests with SIG(0) received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqBadSIG</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requests with invalid (TSIG or SIG(0)) signature.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ReqTCP</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RTCP</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ TCP requests received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>AuthQryRej</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RUQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Authoritative (non recursive) queries rejected.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RecQryRej</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RURQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Recursive queries rejected.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>XfrRej</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RUXFR</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Zone transfer requests rejected.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateRej</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RUUpd</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Dynamic update requests rejected.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Response</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SAns</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Responses sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RespTruncated</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Truncated responses sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RespEDNS0</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Responses with EDNS(0) sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RespTSIG</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Responses with TSIG sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>RespSIG0</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Responses with SIG(0) sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QrySuccess</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in a successful answer.
+ This means the query which returns a NOERROR response
+ with at least one answer RR.
+ This corresponds to the
+ <command>success</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryAuthAns</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in authoritative answer.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryNoauthAns</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SNaAns</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in non authoritative answer.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryReferral</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in referral answer.
+ This corresponds to the
+ <command>referral</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryNxrrset</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in NOERROR responses with no data.
+ This corresponds to the
+ <command>nxrrset</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QrySERVFAIL</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SFail</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in SERVFAIL.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryFORMERR</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SFErr</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in FORMERR.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryNXDOMAIN</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SNXD</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries resulted in NXDOMAIN.
+ This corresponds to the
+ <command>nxdomain</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryRecursion</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RFwdQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries which caused the server
+ to perform recursion in order to find the final answer.
+ This corresponds to the
+ <command>recursion</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryDuplicate</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RDupQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries which the server attempted to
+ recurse but discovered an existing query with the same
+ IP address, port, query ID, name, type and class
+ already being processed.
+ This corresponds to the
+ <command>duplicate</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryDropped</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Recursive queries for which the server
+ discovered an excessive number of existing
+ recursive queries for the same name, type and
+ class and were subsequently dropped.
+ This is the number of dropped queries due to
+ the reason explained with the
+ <command>clients-per-query</command>
+ and
+ <command>max-clients-per-query</command>
+ options
+ (see the description about
+ <xref linkend="clients-per-query"/>.)
+ This corresponds to the
+ <command>dropped</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryFailure</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Other query failures.
+ This corresponds to the
+ <command>failure</command> counter
+ of previous versions of
+ <acronym>BIND</acronym> 9.
+ Note: this counter is provided mainly for
+ backward compatibility with the previous versions.
+ Normally a more fine-grained counters such as
+ <command>AuthQryRej</command> and
+ <command>RecQryRej</command>
+ that would also fall into this counter are provided,
+ and so this counter would not be of much
+ interest in practice.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>XfrReqDone</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Requested zone transfers completed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateReqFwd</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Update requests forwarded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateRespFwd</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Update responses forwarded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateFwdFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Dynamic update forward failed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateDone</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Dynamic updates completed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Dynamic updates failed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>UpdateBadPrereq</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Dynamic updates rejected due to prerequisite failure.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+
+ <sect3>
+ <title>Zone Maintenance Statistics Counters</title>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row>
+ <entry colname="1">
+ <para>
+ <emphasis>Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <emphasis>Description</emphasis>
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NotifyOutv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv4 notifies sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NotifyOutv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 notifies sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NotifyInv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv4 notifies received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NotifyInv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 notifies received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NotifyRej</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Incoming notifies rejected.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SOAOutv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv4 SOA queries sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SOAOutv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 SOA queries sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>AXFRReqv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv4 AXFR requested.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>AXFRReqv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 AXFR requested.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>IXFRReqv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv4 IXFR requested.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>IXFRReqv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ IPv6 IXFR requested.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>XfrSuccess</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Zone transfer requests succeeded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>XfrFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Zone transfer requests failed.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+
+ <sect3>
+ <title>Resolver Statistics Counters</title>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+ <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row>
+ <entry colname="1">
+ <para>
+ <emphasis>Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <emphasis>BIND8 Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="3">
+ <para>
+ <emphasis>Description</emphasis>
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Queryv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SFwdQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv4 queries sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Queryv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SFwdQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv6 queries sent.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Responsev4</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RR</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv4 responses received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Responsev6</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RR</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv6 responses received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>NXDOMAIN</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RNXD</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ NXDOMAIN received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>SERVFAIL</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RFail</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ SERVFAIL received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>FORMERR</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RFErr</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ FORMERR received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>OtherError</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RErr</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Other errors received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>EDNS0Fail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ EDNS(0) query failures.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Mismatch</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RDupR</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Mismatch responses received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Truncated</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Truncated responses received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Lame</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>RLame</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Lame delegations received.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>Retry</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SDupQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Query retries performed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QueryAbort</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Queries aborted due to quota control.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QuerySockFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Failures in opening query sockets.
+ One common reason for such failures is a
+ failure of opening a new socket due to a
+ limitation on file descriptors.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QueryTimeout</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Query timeouts.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>GlueFetchv4</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SSysQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv4 NS address fetches invoked.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>GlueFetchv6</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command>SSysQ</command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv6 NS address fetches invoked.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>GlueFetchv4Fail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv4 NS address fetch failed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>GlueFetchv6Fail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ IPv6 NS address fetch failed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ValAttempt</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ DNSSEC validation attempted.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ValOk</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ DNSSEC validation succeeded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ValNegOk</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ DNSSEC validation on negative information succeeded.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>ValFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ DNSSEC validation failed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>QryRTTnn</command></para>
+ </entry>
+ <entry colname="2">
+ <para><command></command></para>
+ </entry>
+ <entry colname="3">
+ <para>
+ Frequency table on round trip times (RTTs) of
+ queries.
+ Each <command>nn</command> specifies the corresponding
+ frequency.
+ In the sequence of
+ <command>nn_1</command>,
+ <command>nn_2</command>,
+ ...,
+ <command>nn_m</command>,
+ the value of <command>nn_i</command> is the
+ number of queries whose RTTs are between
+ <command>nn_(i-1)</command> (inclusive) and
+ <command>nn_i</command> (exclusive) milliseconds.
+ For the sake of convenience we define
+ <command>nn_0</command> to be 0.
+ The last entry should be represented as
+ <command>nn_m+</command>, which means the
+ number of queries whose RTTs are equal to or over
+ <command>nn_m</command> milliseconds.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+
+ </sect3>
+
+ <sect3>
+ <title>Socket I/O Statistics Counters</title>
+
+ <para>
+ Socket I/O statistics counters are defined per socket
+ types, which are
+ <command>UDP4</command> (UDP/IPv4),
+ <command>UDP6</command> (UDP/IPv6),
+ <command>TCP4</command> (TCP/IPv4),
+ <command>TCP6</command> (TCP/IPv6),
+ <command>Unix</command> (Unix Domain), and
+ <command>FDwatch</command> (sockets opened outside the
+ socket module).
+ In the following table <command>&lt;TYPE&gt;</command>
+ represents a socket type.
+ Not all counters are available for all socket types;
+ exceptions are noted in the description field.
+ </para>
+
+ <informaltable colsep="0" rowsep="0">
+ <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+ <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+ <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+ <tbody>
+ <row>
+ <entry colname="1">
+ <para>
+ <emphasis>Symbol</emphasis>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ <emphasis>Description</emphasis>
+ </para>
+ </entry>
+ </row>
+
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;Open</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Sockets opened successfully.
+ This counter is not applicable to the
+ <command>FDwatch</command> type.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;OpenFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of opening sockets.
+ This counter is not applicable to the
+ <command>FDwatch</command> type.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;Close</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Sockets closed.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;BindFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of binding sockets.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;ConnFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of connecting sockets.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;Conn</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Connections established successfully.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;AcceptFail</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Failures of accepting incoming connection requests.
+ This counter is not applicable to the
+ <command>UDP</command> and
+ <command>FDwatch</command> types.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;Accept</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Incoming connections successfully accepted.
+ This counter is not applicable to the
+ <command>UDP</command> and
+ <command>FDwatch</command> types.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;SendErr</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Errors in socket send operations.
+ This counter corresponds
+ to <command>SErr</command> counter of
+ <command>BIND</command> 8.
+ </para>
+ </entry>
+ </row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para><command>&lt;TYPE&gt;RecvErr</command></para>
+ </entry>
+ <entry colname="2">
+ <para>
+ Errors in socket receive operations.
+ This includes errors of send operations on a
+ connected UDP socket notified by an ICMP error
+ message.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect3>
+ <sect3>
+ <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
+ <para>
+ Most statistics counters that were available
+ in <command>BIND</command> 8 are also supported in
+ <command>BIND</command> 9 as shown in the above tables.
+ Here are notes about other counters that do not appear
+ in these tables.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><command>RFwdR,SFwdR</command></term>
+ <listitem>
+ <para>
+ These counters are not supported
+ because <command>BIND</command> 9 does not adopt
+ the notion of <emphasis>forwarding</emphasis>
+ as <command>BIND</command> 8 did.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>RAXFR</command></term>
+ <listitem>
+ <para>
+ This counter is accessible in the Incoming Queries section.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>RIQ</command></term>
+ <listitem>
+ <para>
+ This counter is accessible in the Incoming Requests section.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ROpts</command></term>
+ <listitem>
+ <para>
+ This counter is not supported
+ because <command>BIND</command> 9 does not care
+ about IP options in the first place.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </sect3>
+ </sect2>
+ </sect1>
+
</chapter>
<chapter id="Bv9ARM.ch07">
<title><acronym>BIND</acronym> 9 Security Considerations</title>
<sect1 id="Access_Control_Lists">
<title>Access Control Lists</title>
<para>
- Access Control Lists (ACLs), are address match lists that
+ Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <command>allow-notify</command>,
- <command>allow-query</command>, <command>allow-recursion</command>,
+ <command>allow-query</command>, <command>allow-query-on</command>,
+ <command>allow-recursion</command>, <command>allow-recursion-on</command>,
<command>blackhole</command>, <command>allow-transfer</command>,
etc.
</para>
@@ -10904,11 +13045,13 @@ zone "example.com" {
<sect1>
<title><command>Chroot</command> and <command>Setuid</command></title>
<para>
- On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
- (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
- option. This can help improve system security by placing <acronym>BIND</acronym> in
- a "sandbox", which will limit the damage done if a server is
- compromised.
+ On UNIX servers, it is possible to run <acronym>BIND</acronym>
+ in a <emphasis>chrooted</emphasis> environment (using
+ the <command>chroot()</command> function) by specifying
+ the "<option>-t</option>" option for <command>named</command>.
+ This can help improve system security by placing
+ <acronym>BIND</acronym> in a "sandbox", which will limit
+ the damage done if a server is compromised.
</para>
<para>
Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
@@ -10921,7 +13064,7 @@ zone "example.com" {
user 202:
</para>
<para>
- <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+ <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
</para>
<sect2>
@@ -11187,11 +13330,9 @@ zone "example.com" {
BIND architecture.
</para>
<para>
- BIND version 4 is officially deprecated and BIND version
- 8 development is considered maintenance-only in favor
- of BIND version 9. No additional development is done
- on BIND version 4 or BIND version 8 other than for
- security-related patches.
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
</para>
<para>
<acronym>BIND</acronym> development work is made
@@ -11554,7 +13695,7 @@ zone "example.com" {
<pubdate>March 2005</pubdate>
</biblioentry>
<biblioentry>
- <abbrev>RFC4044</abbrev>
+ <abbrev>RFC4034</abbrev>
<authorgroup>
<author>
<firstname>R.</firstname>
@@ -12518,13 +14659,15 @@ zone "example.com" {
<title>Manual pages</title>
<xi:include href="../../bin/dig/dig.docbook"/>
<xi:include href="../../bin/dig/host.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
+ <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
<xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
<xi:include href="../../bin/check/named-checkconf.docbook"/>
<xi:include href="../../bin/check/named-checkzone.docbook"/>
<xi:include href="../../bin/named/named.docbook"/>
<!-- named.conf.docbook and others? -->
- <!-- nsupdate gives db2latex indigestion, markup problems? -->
+ <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
<xi:include href="../../bin/rndc/rndc.docbook"/>
<xi:include href="../../bin/rndc/rndc.conf.docbook"/>
<xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 76a4bb71ecd6..320a86758374 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.26 2008/05/24 01:31:10 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.43.48.2 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,17 +45,17 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563405">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564385">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564524">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564637">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564659">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564693">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564845">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567243">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567416">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567546">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -71,7 +71,7 @@
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563405"></a>Scope of Document</h2></div></div></div>
+<a name="id2563409"></a>Scope of Document</h2></div></div></div>
<p>
The Berkeley Internet Name Domain
(<acronym class="acronym">BIND</acronym>) implements a
@@ -82,30 +82,30 @@
system administrators.
</p>
<p>
- This version of the manual corresponds to BIND version 9.4.
+ This version of the manual corresponds to BIND version 9.6.
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564385"></a>Organization of This Document</h2></div></div></div>
+<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
<p>
- In this document, <span class="emphasis"><em>Section 1</em></span> introduces
- the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
+ In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
+ the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
- environments. Information in <span class="emphasis"><em>Section 3</em></span> is
+ environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
<span class="emphasis"><em>task-oriented</em></span> in its presentation and is
organized functionally, to aid in the process of installing the
<acronym class="acronym">BIND</acronym> 9 software. The task-oriented
section is followed by
- <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+ <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
concepts that the system administrator may need for implementing
- certain options. <span class="emphasis"><em>Section 5</em></span>
+ certain options. <span class="emphasis"><em>Chapter 5</em></span>
describes the <acronym class="acronym">BIND</acronym> 9 lightweight
- resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
+ resolver. The contents of <span class="emphasis"><em>Chapter 6</em></span> are
organized as in a reference manual to aid in the ongoing
- maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
+ maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
security considerations, and
- <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+ <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
main body of the document is followed by several
<span class="emphasis"><em>appendices</em></span> which contain useful reference
information, such as a <span class="emphasis"><em>bibliography</em></span> and
@@ -116,7 +116,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564524"></a>Conventions Used in This Document</h2></div></div></div>
+<a name="id2564528"></a>Conventions Used in This Document</h2></div></div></div>
<p>
In this document, we use the following general typographic
conventions:
@@ -243,7 +243,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564637"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<a name="id2564641"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
<p>
The purpose of this document is to explain the installation
and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@@ -253,7 +253,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564659"></a>DNS Fundamentals</h3></div></div></div>
+<a name="id2564662"></a>DNS Fundamentals</h3></div></div></div>
<p>
The Domain Name System (DNS) is a hierarchical, distributed
database. It stores information for mapping Internet host names to
@@ -267,13 +267,15 @@
more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
The <acronym class="acronym">BIND</acronym> 9 software distribution
contains a
- name server, <span><strong class="command">named</strong></span>, and two resolver
- libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
+ name server, <span><strong class="command">named</strong></span>, and a resolver
+ library, <span><strong class="command">liblwres</strong></span>. The older
+ <span><strong class="command">libbind</strong></span> resolver library is also available
+ from ISC as a separate download.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564693"></a>Domains and Domain Names</h3></div></div></div>
+<a name="id2564696"></a>Domains and Domain Names</h3></div></div></div>
<p>
The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
organizational or administrative boundaries. Each node of the tree,
@@ -319,7 +321,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2564845"></a>Zones</h3></div></div></div>
+<a name="id2567170"></a>Zones</h3></div></div></div>
<p>
To properly operate a name server, it is important to understand
the difference between a <span class="emphasis"><em>zone</em></span>
@@ -372,7 +374,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567243"></a>Authoritative Name Servers</h3></div></div></div>
+<a name="id2567246"></a>Authoritative Name Servers</h3></div></div></div>
<p>
Each zone is served by at least
one <span class="emphasis"><em>authoritative name server</em></span>,
@@ -389,7 +391,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567267"></a>The Primary Master</h4></div></div></div>
+<a name="id2567270"></a>The Primary Master</h4></div></div></div>
<p>
The authoritative server where the master copy of the zone
data is maintained is called the
@@ -409,7 +411,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567297"></a>Slave Servers</h4></div></div></div>
+<a name="id2567300"></a>Slave Servers</h4></div></div></div>
<p>
The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@@ -425,7 +427,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567386"></a>Stealth Servers</h4></div></div></div>
+<a name="id2567389"></a>Stealth Servers</h4></div></div></div>
<p>
Usually all of the zone's authoritative servers are listed in
NS records in the parent zone. These NS records constitute
@@ -460,7 +462,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567416"></a>Caching Name Servers</h3></div></div></div>
+<a name="id2567419"></a>Caching Name Servers</h3></div></div></div>
<p>
The resolver libraries provided by most operating systems are
<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@@ -487,7 +489,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2567520"></a>Forwarding</h4></div></div></div>
+<a name="id2567523"></a>Forwarding</h4></div></div></div>
<p>
Even a caching name server does not necessarily perform
the complete recursive lookup itself. Instead, it can
@@ -514,7 +516,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567546"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<a name="id2567549"></a>Name Servers in Multiple Roles</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> name server can
simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index f2abce42f488..831e7a12407e 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.28 2008/09/12 01:32:08 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.38.56.1 2009/01/08 01:50:59 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,16 +45,16 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567580">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567607">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567851">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567862">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567580"></a>Hardware requirements</h2></div></div></div>
+<a name="id2567584"></a>Hardware requirements</h2></div></div></div>
<p>
<acronym class="acronym">DNS</acronym> hardware requirements have
traditionally been quite modest.
@@ -73,7 +73,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567607"></a>CPU Requirements</h2></div></div></div>
+<a name="id2567610"></a>CPU Requirements</h2></div></div></div>
<p>
CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
i486-class machines
@@ -84,7 +84,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567620"></a>Memory Requirements</h2></div></div></div>
+<a name="id2567623"></a>Memory Requirements</h2></div></div></div>
<p>
The memory of the server has to be large enough to fit the
cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
@@ -107,7 +107,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567851"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<a name="id2567854"></a>Name Server Intensive Environment Issues</h2></div></div></div>
<p>
For name server intensive environments, there are two alternative
configurations that may be used. The first is where clients and
@@ -124,14 +124,16 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567862"></a>Supported Operating Systems</h2></div></div></div>
+<a name="id2567865"></a>Supported Operating Systems</h2></div></div></div>
<p>
ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
- number of Unix-like operating systems, and on some versions of
- Microsoft Windows including Windows XP, Windows 2003, and
- Windows 2008. For an up-to-date list of supported systems,
- see the README file in the top level directory of the BIND 9
- source distribution.
+ number
+ of Unix-like operating systems and on NT-derived versions of
+ Microsoft Windows such as Windows 2000 and Windows XP. For an
+ up-to-date
+ list of supported systems, see the README file in the top level
+ directory
+ of the BIND 9 source distribution.
</p>
</div>
</div>
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 4d39c51a8520..9964823153fe 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.36 2008/05/24 01:31:10 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,19 +47,19 @@
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567894">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567910">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568001">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568423">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568428">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570142">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
- In this section we provide some suggested configurations along
+ In this chapter we provide some suggested configurations along
with guidelines for their use. We suggest reasonable values for
certain option settings.
</p>
@@ -68,7 +68,7 @@
<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567894"></a>A Caching-only Name Server</h3></div></div></div>
+<a name="id2567897"></a>A Caching-only Name Server</h3></div></div></div>
<p>
The following sample configuration is appropriate for a caching-only
name server for use by clients internal to a corporation. All
@@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567910"></a>An Authoritative-only Name Server</h3></div></div></div>
+<a name="id2567913"></a>An Authoritative-only Name Server</h3></div></div></div>
<p>
This sample configuration is for an authoritative-only server
that is the master server for "<code class="filename">example.com</code>"
@@ -137,7 +137,7 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568001"></a>Load Balancing</h2></div></div></div>
+<a name="id2568004"></a>Load Balancing</h2></div></div></div>
<p>
A primitive form of load balancing can be achieved in
the <acronym class="acronym">DNS</acronym> by using multiple records
@@ -280,10 +280,10 @@ zone "eng.example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568423"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568358"></a>Name Server Operations</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2568428"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568363"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
<p>
This section describes several indispensable diagnostic,
administrative and monitoring tools available to the system
@@ -315,7 +315,7 @@ zone "eng.example.com" {
</p>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
<p>
- The usual simple use of dig will take the form
+ The usual simple use of <span><strong class="command">dig</strong></span> will take the form
</p>
<p>
<span><strong class="command">dig @server domain query-type query-class</strong></span>
@@ -541,8 +541,8 @@ zone "eng.example.com" {
Stop the server, making sure any recent changes
made through dynamic update or IXFR are first saved to
the master files of the updated zones.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed stopping.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
@@ -551,8 +551,8 @@ zone "eng.example.com" {
made through dynamic update or IXFR are not saved to
the master files, but will be rolled forward from the
journal files when the server is restarted.
- If -p is specified named's process id is returned.
- This allows an external process to determine when named
+ If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+ This allows an external process to determine when <span><strong class="command">named</strong></span>
had completed halting.
</p></dd>
<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
@@ -586,9 +586,19 @@ zone "eng.example.com" {
</p></dd>
<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
<dd><p>
- Dump the list of queries named is currently recursing
+ Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
on.
</p></dd>
+<dt><span class="term"><strong class="userinput"><code>validation
+ [<span class="optional">on|off</span>]
+ [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
+ </code></strong></span></dt>
+<dd><p>
+ Enable or disable DNSSEC validation.
+ Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+ set to <strong class="userinput"><code>yes</code></strong> to be effective.
+ It defaults to enabled.
+ </p></dd>
</dl></div>
<p>
A configuration file is required, since all
@@ -651,7 +661,7 @@ zone "eng.example.com" {
with
<span><strong class="command">named</strong></span>. Its syntax is
identical to the
- <span><strong class="command">key</strong></span> statement in named.conf.
+ <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
The keyword <strong class="userinput"><code>key</code></strong> is
followed by a key name, which must be a valid
domain name, though it need not actually be hierarchical;
@@ -739,7 +749,7 @@ controls {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570142"></a>Signals</h3></div></div></div>
+<a name="id2570071"></a>Signals</h3></div></div></div>
<p>
Certain UNIX signals cause the name server to take specific
actions, as described in the following table. These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index e31d85d2c33e..123098e1eccc 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.46 2008/05/24 01:31:11 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.87.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570600">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570618">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570985">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571127">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571138">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571177">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571416">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571430">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571547">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571684">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571753">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571832">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571975">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572173">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572195">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl>
</div>
@@ -95,10 +95,10 @@
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- As a slave zone can also be a master to other slaves, named,
+ As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
it loads. Specifying <span><strong class="command">notify master-only;</strong></span> will
- cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
+ cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
zones that it loads.
</div>
</div>
@@ -112,17 +112,22 @@
in RFC 2136.
</p>
<p>
- Dynamic update is enabled by
- including an <span><strong class="command">allow-update</strong></span> or
- <span><strong class="command">update-policy</strong></span> clause in the
- <span><strong class="command">zone</strong></span> statement.
+ Dynamic update is enabled by including an
+ <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
+ clause in the <span><strong class="command">zone</strong></span> statement. The
+ <span><strong class="command">tkey-gssapi-credential</strong></span> and
+ <span><strong class="command">tkey-domain</strong></span> clauses in the
+ <span><strong class="command">options</strong></span> statement enable the
+ server to negotiate keys that can be matched against those
+ in <span><strong class="command">update-policy</strong></span> or
+ <span><strong class="command">allow-update</strong></span>.
</p>
<p>
- Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.
+ Updating of secure zones (zones using DNSSEC) follows RFC
+ 3007: RRSIG, NSEC and NSEC3 records affected by updates are
+ automatically regenerated by the server using an online
+ zone key. Update authorization is based on transaction
+ signatures and an explicit server policy.
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
@@ -205,7 +210,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570600"></a>Split DNS</h2></div></div></div>
+<a name="id2564066"></a>Split DNS</h2></div></div></div>
<p>
Setting up different views, or visibility, of the DNS space to
internal and external resolvers is usually referred to as a
@@ -235,7 +240,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570618"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2564084"></a>Example split DNS setup</h3></div></div></div>
<p>
Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
(<code class="literal">example.com</code>)
@@ -481,7 +486,7 @@ nameserver 172.16.72.4
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570985"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571141"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
<p>
A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -489,7 +494,7 @@ nameserver 172.16.72.4
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571070"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571158"></a>Automatic Generation</h4></div></div></div>
<p>
The following command will generate a 128-bit (16 byte) HMAC-MD5
key as described above. Longer keys are better, but shorter keys
@@ -514,7 +519,7 @@ nameserver 172.16.72.4
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2571109"></a>Manual Generation</h4></div></div></div>
+<a name="id2571196"></a>Manual Generation</h4></div></div></div>
<p>
The shared secret is simply a random sequence of bits, encoded
in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -529,7 +534,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571127"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571214"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
<p>
This is beyond the scope of DNS. A secure transport mechanism
should be used. This could be secure FTP, ssh, telephone, etc.
@@ -537,7 +542,7 @@ nameserver 172.16.72.4
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571138"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571225"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
<p>
Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
are
@@ -550,7 +555,7 @@ key host1-host2. {
};
</pre>
<p>
- The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+ The algorithm, <code class="literal">hmac-md5</code>, is the only one supported by <acronym class="acronym">BIND</acronym>.
The secret is the one generated above. Since this is a secret, it
is recommended that either <code class="filename">named.conf</code> be non-world
readable, or the key directive be added to a non-world readable
@@ -566,7 +571,7 @@ key host1-host2. {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571177"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571268"></a>Instructing the Server to Use the Key</h3></div></div></div>
<p>
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -598,7 +603,7 @@ server 10.1.2.3 {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571303"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571325"></a>TSIG Key Based Access Control</h3></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> allows IP addresses and ranges
to be specified in ACL
@@ -609,24 +614,24 @@ server 10.1.2.3 {
be denoted <span><strong class="command">key host1-host2.</strong></span>
</p>
<p>
- An example of an allow-update directive would be:
+ An example of an <span><strong class="command">allow-update</strong></span> directive would be:
</p>
<pre class="programlisting">
allow-update { key host1-host2. ;};
</pre>
<p>
This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<span><strong class="command">host1-host2.</strong></span>".
+ was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
</p>
<p>
- You may want to read about the more
- powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ You may want to read about the more powerful
+ <span><strong class="command">update-policy</strong></span> statement in
+ <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571416"></a>Errors</h3></div></div></div>
+<a name="id2571510"></a>Errors</h3></div></div></div>
<p>
The processing of TSIG signed messages can result in
several errors. If a signed message is sent to a non-TSIG aware
@@ -652,7 +657,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571430"></a>TKEY</h2></div></div></div>
+<a name="id2571524"></a>TKEY</h2></div></div></div>
<p><span><strong class="command">TKEY</strong></span>
is a mechanism for automatically generating a shared secret
between two hosts. There are several "modes" of
@@ -688,10 +693,10 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571547"></a>SIG(0)</h2></div></div></div>
+<a name="id2571709"></a>SIG(0)</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931.
+ transaction signatures as specified in RFC 2535 and RFC 2931.
SIG(0)
uses public/private keys to authenticate messages. Access control
is performed in the same manner as TSIG keys; privileges can be
@@ -749,7 +754,7 @@ allow-update { key host1-host2. ;};
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571684"></a>Generating Keys</h3></div></div></div>
+<a name="id2571778"></a>Generating Keys</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-keygen</strong></span> program is used to
generate keys.
@@ -793,6 +798,11 @@ allow-update { key host1-host2. ;};
a different key tag), repeat the above command.
</p>
<p>
+ The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
+ to get a key pair from a crypto hardware and build the key
+ files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
+ </p>
+<p>
The public keys should be inserted into the zone file by
including the <code class="filename">.key</code> files using
<span><strong class="command">$INCLUDE</strong></span> statements.
@@ -800,22 +810,20 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571753"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571925"></a>Signing the Zone</h3></div></div></div>
<p>
The <span><strong class="command">dnssec-signzone</strong></span> program is used
- to
- sign a zone.
+ to sign a zone.
</p>
<p>
- Any <code class="filename">keyset</code> files corresponding
- to secure subzones should be present. The zone signer will
- generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
- records for the zone, as well as <code class="literal">DS</code>
- for
- the child zones if <code class="literal">'-d'</code> is specified.
- If <code class="literal">'-d'</code> is not specified, then
- DS RRsets for
- the secure child zones need to be added manually.
+ Any <code class="filename">keyset</code> files corresponding to
+ secure subzones should be present. The zone signer will
+ generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
+ and <code class="literal">RRSIG</code> records for the zone, as
+ well as <code class="literal">DS</code> for the child zones if
+ <code class="literal">'-g'</code> is specified. If <code class="literal">'-g'</code>
+ is not specified, then DS RRsets for the secure child
+ zones need to be added manually.
</p>
<p>
The following command signs the zone, assuming it is in a
@@ -844,7 +852,7 @@ allow-update { key host1-host2. ;};
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2571832"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572006"></a>Configuring Servers</h3></div></div></div>
<p>
To enable <span><strong class="command">named</strong></span> to respond appropriately
to DNS requests from DNSSEC aware clients,
@@ -881,7 +889,7 @@ allow-update { key host1-host2. ;};
more public keys for the root. This allows answers from
outside the organization to be validated. It will also
have several keys for parts of the namespace the organization
- controls. These are here to ensure that named is immune
+ controls. These are here to ensure that <span><strong class="command">named</strong></span> is immune
to compromises in the DNSSEC components of the security
of parent zones.
</p>
@@ -932,7 +940,7 @@ options {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571975"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572220"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 fully supports all currently
defined forms of IPv6
@@ -971,7 +979,7 @@ options {
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572173"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572282"></a>Address Lookups Using AAAA Records</h3></div></div></div>
<p>
The IPv6 AAAA record is a parallel to the IPv4 A record,
and, unlike the deprecated A6 record, specifies the entire
@@ -990,7 +998,7 @@ host 3600 IN AAAA 2001:db8::1
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2572195"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572304"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
<p>
When looking up an address in nibble format, the address
components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 33d1d0d195a0..addc97ac643d 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.38 2008/05/24 01:31:11 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572228">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572228"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572337"></a>The Lightweight Resolver Library</h2></div></div></div>
<p>
Traditionally applications have been linked with a stub resolver
library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index e2929068970d..10b7fd55580f 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.88 2008/10/18 01:29:58 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.201.14.8 2009/04/03 01:52:21 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,54 +48,59 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573436">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574117"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574307"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574736"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574958"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575084"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576435"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576508"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576572"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576616"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576631"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585614"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585666"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585748"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587042"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587332"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588510"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589477">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591109">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591500">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592188">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592384">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592572"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl>
</div>
<p>
@@ -221,27 +226,23 @@
<td>
<p>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their scope
- zones must be
- disambiguated by an appropriate zone ID with the percent
- character
- (`%') as delimiter.
- It is strongly recommended to use string zone names rather
- than
- numeric identifiers, in order to be robust against system
- configuration changes.
- However, since there is no standard mapping for such names
- and
- identifier values, currently only interface names as link
- identifiers
+ IPv6 scoped addresses that have ambiguity on their
+ scope zones must be disambiguated by an appropriate
+ zone ID with the percent character (`%') as
+ delimiter. It is strongly recommended to use
+ string zone names rather than numeric identifiers,
+ in order to be robust against system configuration
+ changes. However, since there is no standard
+ mapping for such names and identifier values,
+ currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
- interfaces and links.
- For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
- link attached to the interface <span><strong class="command">ne0</strong></span>
+ interfaces and links. For example, a link-local
+ address <span><strong class="command">fe80::1</strong></span> on the link
+ attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses always have
- the
- ambiguity, and need to be disambiguated.
+ Note that on most systems link-local addresses
+ always have the ambiguity, and need to be
+ disambiguated.
</p>
</td>
</tr>
@@ -294,6 +295,11 @@
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
+ <p>
+ When specifying a prefix involving a IPv6 scoped address
+ the scope may be omitted. In that case the prefix will
+ match packets from any scope.
+ </p>
</td>
</tr>
<tr>
@@ -455,7 +461,7 @@
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573302"></a>Syntax</h4></div></div></div>
+<a name="id2573414"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -464,14 +470,13 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573330"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573442"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
- statements. The elements
- which constitute an address match list can be any of the
- following:
+ statements. The elements which constitute an address match
+ list can be any of the following:
</p>
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
@@ -488,61 +493,68 @@
<p>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
- "localnets"
- are predefined. More information on those names can be found in
- the description of the acl statement.
+ "localnets" are predefined. More information on those names
+ can be found in the description of the acl statement.
</p>
<p>
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
- Nonetheless,
- the term "address match list" is still used throughout the
- documentation.
+ Nonetheless, the term "address match list" is still used
+ throughout the documentation.
</p>
<p>
When a given IP address or prefix is compared to an address
- match list, the list is traversed in order until an element
- matches.
+ match list, the comparison takes place in approximately O(1)
+ time. However, key comparisons require that the list of keys
+ be traversed until a matching key is found, and therefore may
+ be somewhat slower.
+ </p>
+<p>
The interpretation of a match depends on whether the list is being
- used
- for access control, defining listen-on ports, or in a sortlist,
- and whether the element was negated.
+ used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
+ <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
+ <span><strong class="command">allow-recursion</strong></span>,
+ <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
+ <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
+ <span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
- lists. Similarly, the listen-on option will cause the
- server to not accept queries on any of the machine's
+ lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
+ server to refuse queries on any of the machine's
addresses which do not match the list.
</p>
<p>
- Because of the first-match aspect of the algorithm, an element
- that defines a subset of another element in the list should come
- before the broader element, regardless of whether either is
- negated. For
- example, in
- <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
- element is
- completely useless because the algorithm will match any lookup for
- 1.2.3.13 to the 1.2.3/24 element.
- Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
- that problem by having 1.2.3.13 blocked by the negation but all
- other 1.2.3.* hosts fall through.
+ Order of insertion is significant. If more than one element
+ in an ACL is found to match a given IP address or prefix,
+ preference will be given to the one that came
+ <span class="emphasis"><em>first</em></span> in the ACL definition.
+ Because of this first-match behavior, an element that
+ defines a subset of another element in the list should
+ come before the broader element, regardless of whether
+ either is negated. For example, in
+ <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
+ the 1.2.3.13 element is completely useless because the
+ algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+ element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+ that problem by having 1.2.3.13 blocked by the negation, but
+ all other 1.2.3.* hosts fall through.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573436"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573716"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
@@ -552,7 +564,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573588"></a>Syntax</h4></div></div></div>
+<a name="id2573731"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -567,7 +579,7 @@
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573618"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573761"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
@@ -598,8 +610,6 @@
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
- </p>
-<p>
For example:
</p>
<p>
@@ -617,8 +627,6 @@
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
- </p>
-<p>
For example:
</p>
<p>
@@ -763,6 +771,17 @@
</tr>
<tr>
<td>
+ <p><span><strong class="command">statistics-channels</strong></span></p>
+ </td>
+<td>
+ <p>
+ declares communication channels to get access to
+ <span><strong class="command">named</strong></span> statistics.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
<p><span><strong class="command">trusted-keys</strong></span></p>
</td>
<td>
@@ -801,7 +820,7 @@
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574117"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574346"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
address_match_list
};
@@ -819,8 +838,7 @@
<p>
Note that an address match list's name must be defined
with <span><strong class="command">acl</strong></span> before it can be used
- elsewhere; no
- forward references are allowed.
+ elsewhere; no forward references are allowed.
</p>
<p>
The following ACLs are built-in:
@@ -884,7 +902,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574307"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574536"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
@@ -1006,12 +1024,12 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574736"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574965"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574753"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2574982"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
@@ -1026,7 +1044,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574776"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575005"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -1035,7 +1053,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574800"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575029"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1082,10 +1100,10 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574958"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575120"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
- ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
+ ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
[ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
[ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
| <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
@@ -1106,7 +1124,7 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575084"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575245"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">logging</strong></span> statement configures a
@@ -1140,7 +1158,7 @@
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575137"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575298"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
@@ -1302,7 +1320,7 @@ notrace</strong></span>. All debugging messages in the server have a debug
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
- pointless since <span><strong class="command">syslog</strong></span> also prints
+ pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
@@ -1536,7 +1554,7 @@ category notify { null; };
</td>
<td>
<p>
- Messages that named was unable to determine the
+ Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr, by
@@ -1588,15 +1606,18 @@ category notify { null; };
enable query logging unless <span><strong class="command">querylog</strong></span> option has been
specified.
</p>
+
<p>
- The query log entry reports the client's IP address and
- port number, and the
- query name, class and type. It also reports whether the
- Recursion Desired
- flag was set (+ if set, - if not set), EDNS was in use
- (E) or if the
- query was signed (S).
+ The query log entry reports the client's IP
+ address and port number, and the query name,
+ class and type. It also reports whether the
+ Recursion Desired flag was set (+ if set, -
+ if not set), if the query was signed (S),
+ EDNS was in use (E), if DO (DNSSEC Ok) was
+ set (D), or if CD (Checking Disabled) was set
+ (C).
</p>
+
<p>
<code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
</p>
@@ -1607,6 +1628,17 @@ category notify { null; };
</tr>
<tr>
<td>
+ <p><span><strong class="command">query-errors</strong></span></p>
+ </td>
+<td>
+ <p>
+ Information about queries that resulted in some
+ failure.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
<p><span><strong class="command">dispatch</strong></span></p>
</td>
<td>
@@ -1645,7 +1677,7 @@ category notify { null; };
</td>
<td>
<p>
- Delegation only. Logs queries that have have
+ Delegation only. Logs queries that have
been forced to NXDOMAIN as the result of a
delegation-only zone or
a <span><strong class="command">delegation-only</strong></span> in a
@@ -1653,13 +1685,266 @@ category notify { null; };
</p>
</td>
</tr>
+<tr>
+<td>
+ <p><span><strong class="command">edns-disabled</strong></span></p>
+ </td>
+<td>
+ <p>
+ Log queries that have been forced to use plain
+ DNS due to timeouts. This is often due to
+ the remote servers not being RFC 1034 compliant
+ (not always returning FORMERR or similar to
+ EDNS queries and other extensions to the DNS
+ when they are not understood). In other words, this is
+ targeted at servers that fail to respond to
+ DNS queries that they don't understand.
+ </p>
+ <p>
+ Note: the log message can also be due to
+ packet loss. Before reporting servers for
+ non-RFC 1034 compliance they should be re-tested
+ to determine the nature of the non-compliance.
+ This testing should prevent or reduce the
+ number of false-positive reports.
+ </p>
+ <p>
+ Note: eventually <span><strong class="command">named</strong></span> will have to stop
+ treating such timeouts as due to RFC 1034 non
+ compliance and start treating it as plain
+ packet loss. Falsely classifying packet
+ loss as due to RFC 1034 non compliance impacts
+ on DNSSEC validation which requires EDNS for
+ the DNSSEC records to be returned.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2576793"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<p>
+ The <span><strong class="command">query-errors</strong></span> category is
+ specifically intended for debugging purposes: To identify
+ why and how specific queries result in responses which
+ indicate an error.
+ Messages of this category are therefore only logged
+ with <span><strong class="command">debug</strong></span> levels.
+ </p>
+<p>
+ At the debug levels of 1 or higher, each response with the
+ rcode of SERVFAIL is logged as follows:
+ </p>
+<p>
+ <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
+ </p>
+<p>
+ This means an error resulting in SERVFAIL was
+ detected at line 3880 of source file
+ <code class="filename">query.c</code>.
+ Log messages of this level will particularly
+ help identify the cause of SERVFAIL for an
+ authoritative server.
+ </p>
+<p>
+ At the debug levels of 2 or higher, detailed context
+ information of recursive resolutions that resulted in
+ SERVFAIL is logged.
+ The log message will look like as follows:
+ </p>
+<p>
+ <code class="computeroutput">fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</code>
+ </p>
+<p>
+ The first part before the colon shows that a recursive
+ resolution for AAAA records of www.example.com completed
+ in 30.000183 seconds and the final result that led to the
+ SERVFAIL was determined at line 2970 of source file
+ <code class="filename">resolver.c</code>.
+ </p>
+<p>
+ The following part shows the detected final result and the
+ latest result of DNSSEC validation.
+ The latter is always success when no validation attempt
+ is made.
+ In this example, this query resulted in SERVFAIL probably
+ because all name servers are down or unreachable, leading
+ to a timeout in 30 seconds.
+ DNSSEC validation was probably not attempted.
+ </p>
+<p>
+ The last part enclosed in square brackets shows statistics
+ information collected for this particular resolution
+ attempt.
+ The <code class="varname">domain</code> field shows the deepest zone
+ that the resolver reached;
+ it is the zone where the error was finally detected.
+ The meaning of the other fields is summarized in the
+ following table.
+ </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p><code class="varname">referral</code></p>
+ </td>
+<td>
+ <p>
+ The number of referrals the resolver received
+ throughout the resolution process.
+ In the above example this is 2, which are most
+ likely com and example.com.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">restart</code></p>
+ </td>
+<td>
+ <p>
+ The number of cycles that the resolver tried
+ remote servers at the <code class="varname">domain</code>
+ zone.
+ In each cycle the resolver sends one query
+ (possibly resending it, depending on the response)
+ to each known name server of
+ the <code class="varname">domain</code> zone.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">qrysent</code></p>
+ </td>
+<td>
+ <p>
+ The number of queries the resolver sent at the
+ <code class="varname">domain</code> zone.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">timeout</code></p>
+ </td>
+<td>
+ <p>
+ The number of timeouts since the resolver
+ received the last response.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">lame</code></p>
+ </td>
+<td>
+ <p>
+ The number of lame servers the resolver detected
+ at the <code class="varname">domain</code> zone.
+ A server is detected to be lame either by an
+ invalid response or as a result of lookup in
+ BIND9's address database (ADB), where lame
+ servers are cached.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">neterr</code></p>
+ </td>
+<td>
+ <p>
+ The number of erroneous results that the
+ resolver encountered in sending queries
+ at the <code class="varname">domain</code> zone.
+ One common case is the remote server is
+ unreachable and the resolver receives an ICMP
+ unreachable error message.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">badresp</code></p>
+ </td>
+<td>
+ <p>
+ The number of unexpected responses (other than
+ <code class="varname">lame</code>) to queries sent by the
+ resolver at the <code class="varname">domain</code> zone.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">adberr</code></p>
+ </td>
+<td>
+ <p>
+ Failures in finding remote server addresses
+ of the <code class="varname">domain</code> zone in the ADB.
+ One common case of this is that the remote
+ server's name does not have any address records.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">findfail</code></p>
+ </td>
+<td>
+ <p>
+ Failures of resolving remote server addresses.
+ This is a total number of failures throughout
+ the resolution process.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><code class="varname">valfail</code></p>
+ </td>
+<td>
+ <p>
+ Failures of DNSSEC validation.
+ Validation failures are counted throughout
+ the resolution process (not limited to
+ the <code class="varname">domain</code> zone), but should
+ only happen in <code class="varname">domain</code>.
+ </p>
+ </td>
+</tr>
</tbody>
</table></div>
+<p>
+ At the debug levels of 3 or higher, the same messages
+ as those at the debug 1 level are logged for other errors
+ than SERVFAIL.
+ Note that negative responses such as NXDOMAIN are not
+ regarded as errors here.
+ </p>
+<p>
+ At the debug levels of 4 or higher, the same messages
+ as those at the debug 2 level are logged for other errors
+ than SERVFAIL.
+ Unlike the above case of level 3, messages are logged for
+ negative responses.
+ This is because any unexpected results can be difficult to
+ debug in the recursion case.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576435"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577306"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1674,7 +1959,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576508"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577448"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">lwres</strong></span> statement configures the
name
@@ -1725,14 +2010,14 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576572"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577512"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576616"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577556"></a><span><strong class="command">masters</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
@@ -1741,7 +2026,7 @@ category notify { null; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576631"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577571"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
@@ -1753,10 +2038,12 @@ category notify { null; };
[<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
@@ -1778,6 +2065,7 @@ category notify { null; };
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
@@ -1799,12 +2087,16 @@ category notify { null; };
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
@@ -1821,6 +2113,9 @@ category notify { null; };
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+ [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -1843,6 +2138,7 @@ category notify { null; };
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
@@ -1861,6 +2157,9 @@ category notify { null; };
[<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@@ -1937,28 +2236,42 @@ category notify { null; };
</p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<dd><p>
- <span class="emphasis"><em>This option is obsolete.</em></span>
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
- In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
- needed; its functionality is built into the name server.
+ <span class="emphasis"><em>This option is obsolete.</em></span> It
+ was used in <acronym class="acronym">BIND</acronym> 8 to specify
+ the pathname to the <span><strong class="command">named-xfer</strong></span>
+ program. In <acronym class="acronym">BIND</acronym> 9, no separate
+ <span><strong class="command">named-xfer</strong></span> program is needed;
+ its functionality is built into the name server.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
+<dd><p>
+ The security credential with which the server should
+ authenticate keys requested by the GSS-TSIG protocol.
+ Currently only Kerberos 5 authentication is available
+ and the credential is a Kerberos principal which
+ the server can acquire through the default system
+ key file, normally <code class="filename">/etc/krb5.keytab</code>.
+ Normally this principal is of the form
+ "<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
+ To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
+ must also be set.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
<dd><p>
- The domain appended to the names of all
- shared keys generated with
- <span><strong class="command">TKEY</strong></span>. When a client
- requests a <span><strong class="command">TKEY</strong></span> exchange, it
- may or may not specify
- the desired name for the key. If present, the name of the
- shared
- key will be "<code class="varname">client specified part</code>" +
- "<code class="varname">tkey-domain</code>".
- Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
- the <span><strong class="command">domainname</strong></span> should be the
- server's domain
- name.
+ The domain appended to the names of all shared keys
+ generated with <span><strong class="command">TKEY</strong></span>. When a
+ client requests a <span><strong class="command">TKEY</strong></span> exchange,
+ it may or may not specify the desired name for the
+ key. If present, the name of the shared key will
+ be <code class="varname">client specified part</code> +
+ <code class="varname">tkey-domain</code>. Otherwise, the
+ name of the shared key will be <code class="varname">random hex
+ digits</code> + <code class="varname">tkey-domain</code>.
+ In most cases, the <span><strong class="command">domainname</strong></span>
+ should be the server's domain name, or an otherwise
+ non-existent subdomain like
+ "_tkey.<code class="varname">domainname</code>". If you are
+ using GSS-TSIG, this variable must be defined.
</p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
<dd><p>
@@ -1983,25 +2296,17 @@ digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
If not specified, the default is <code class="filename">named_dump.db</code>.
</p></dd>
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd>
-<p>
+<dd><p>
The pathname of the file the server writes memory
- usage statistics to on exit. If specified the
- statistics will be written to the file on exit.
- </p>
-<p>
- In <acronym class="acronym">BIND</acronym> 9.5 and later this will
- default to <code class="filename">named.memstats</code>.
- <acronym class="acronym">BIND</acronym> 9.5 will also introduce
- <span><strong class="command">memstatistics</strong></span> to control the
- writing.
- </p>
-</dd>
+ usage statistics to on exit. If not specified,
+ the default is <code class="filename">named.memstats</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
<dd><p>
The pathname of the file the server writes its process ID
- in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
- The pid-file is used by programs that want to send signals to
+ in. If not specified, the default is
+ <code class="filename">/var/run/named/named.pid</code>.
+ The PID file is used by programs that want to send signals to
the running
name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file &#8212; no file will be written and any
@@ -2096,7 +2401,7 @@ options {
top of a zone. When a DNSKEY is at or below a domain
specified by the
deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
- the normal dnssec validation
+ the normal DNSSEC validation
has left the key untrusted, the trust-anchor will be append to
the key
name and a DLV record will be looked up to see if it can
@@ -2109,10 +2414,10 @@ options {
<dd><p>
Specify hierarchies which must be or may not be secure (signed and
validated).
- If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+ If <strong class="userinput"><code>yes</code></strong>, then <span><strong class="command">named</strong></span> will only accept
answers if they
are secure.
- If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+ If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
applies
allowing for insecure answers to be accepted.
The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
@@ -2142,6 +2447,14 @@ options {
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
the checks.
</p></dd>
+<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
+<dd><p>
+ Write memory statistics to the file specified by
+ <span><strong class="command">memstatistics-file</strong></span> at exit.
+ The default is <strong class="userinput"><code>no</code></strong> unless
+ '-m record' is specified on the command line in
+ which case it is <strong class="userinput"><code>yes</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd>
<p>
@@ -2461,6 +2774,17 @@ options {
to crash.
</p>
</dd>
+<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
+ in the NS RRset against the SOA MNAME. Normally a NOTIFY
+ message is not sent to the SOA MNAME (SOA ORIGIN) as it is
+ supposed to contain the name of the ultimate master.
+ Sometimes, however, a slave is listed as the SOA MNAME in
+ hidden master configurations and in that case you would
+ want the ultimate master to still send NOTIFY messages to
+ all the nameservers listed in the NS RRset.
+ </p></dd>
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, and a
@@ -2675,43 +2999,44 @@ options {
also accepts <span><strong class="command">master</strong></span> and
<span><strong class="command">slave</strong></span> at the view and options
levels which causes
- <span><strong class="command">ixfr-from-differences</strong></span> to apply to
+ <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
all <span><strong class="command">master</strong></span> or
<span><strong class="command">slave</strong></span> zones respectively.
+ It is off by default.
</p>
</dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
This should be set when you have multiple masters for a zone
and the
- addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
+ addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
not log
- when the serial number on the master is less than what named
+ when the serial number on the master is less than what <span><strong class="command">named</strong></span>
currently
has. The default is <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
<dd><p>
- Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
- named behaves as if it does not support DNSSEC.
+ Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
+ <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
The default is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
<dd><p>
- Enable DNSSEC validation in named.
+ Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
- The default is <strong class="userinput"><code>no</code></strong>.
+ The default is <strong class="userinput"><code>yes</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
<dd><p>
Accept expired signatures when verifying DNSSEC signatures.
The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
+ Setting this option to "yes" leaves <span><strong class="command">named</strong></span> vulnerable to replay attacks.
</p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
- Specify whether query logging should be started when named
+ Specify whether query logging should be started when <span><strong class="command">named</strong></span>
starts.
If <span><strong class="command">querylog</strong></span> is not specified,
then the query logging
@@ -2737,9 +3062,9 @@ options {
from RFC 952 and RFC 821 as modified by RFC 1123.
</p>
<p><span><strong class="command">check-names</strong></span>
- applies to the owner names of A, AAA and MX records.
- It also applies to the domain names in the RDATA of NS, SOA
- and MX records.
+ applies to the owner names of A, AAAA and MX records.
+ It also applies to the domain names in the RDATA of NS, SOA,
+ MX, and SRV records.
It also applies to the RDATA of PTR records where the owner
name indicated that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
@@ -2796,7 +3121,7 @@ options {
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
<dd><p>
When returning authoritative negative responses to
- SOA queries set the TTL of the SOA recored returned in
+ SOA queries set the TTL of the SOA record returned in
the authority section to zero.
The default is <span><strong class="command">yes</strong></span>.
</p></dd>
@@ -2816,11 +3141,17 @@ options {
a KSK.
The default is <span><strong class="command">yes</strong></span>.
</p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+ Try to refresh the zone using TCP if UDP queries fail.
+ For BIND 8 compatibility, the default is
+ <span><strong class="command">yes</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580525"></a>Forwarding</h4></div></div></div>
+<a name="id2581667"></a>Forwarding</h4></div></div></div>
<p>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
@@ -2864,7 +3195,7 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580721"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2581725"></a>Dual-stack Servers</h4></div></div></div>
<p>
Dual-stack servers are used as servers of last resort to work
around
@@ -2929,16 +3260,52 @@ options {
</p>
</div>
</dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd>
+<p>
+ Specifies which local addresses can accept ordinary
+ DNS questions. This makes it possible, for instance,
+ to allow queries on internal-facing interfaces but
+ disallow them on external-facing ones, without
+ necessarily knowing the internal network's addresses.
+ </p>
+<p>
+ <span><strong class="command">allow-query-on</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which case it overrides the
+ <span><strong class="command">options allow-query-on</strong></span> statement.
+ </p>
+<p>
+ If not specified, the default is to allow queries
+ on all addresses.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ <span><strong class="command">allow-query-cache</strong></span> is
+ used to specify access to the cache.
+ </p>
+</div>
+</dd>
<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
<dd><p>
Specifies which hosts are allowed to get answers
from the cache. If <span><strong class="command">allow-query-cache</strong></span>
is not set then <span><strong class="command">allow-recursion</strong></span>
is used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
+ is used if set unless <span><strong class="command">recursion no;</strong></span> is
+ set in which case <span><strong class="command">none;</strong></span> is used,
+ otherwise the default (<span><strong class="command">localnets;</strong></span>
<span><strong class="command">localhost;</strong></span>) is used.
</p></dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
+<dd><p>
+ Specifies which local addresses can give answers
+ from the cache. If not specified, the default is
+ to allow cache queries on any address,
+ <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
<dd><p>
Specifies which hosts are allowed to make recursive
@@ -2950,6 +3317,12 @@ options {
(<span><strong class="command">localnets;</strong></span>
<span><strong class="command">localhost;</strong></span>) is used.
</p></dd>
+<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
+<dd><p>
+ Specifies which local addresses can accept recursive
+ queries. If not specified, the default is to allow
+ recursive queries on all addresses.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
<dd><p>
Specifies which hosts are allowed to
@@ -3019,11 +3392,11 @@ options {
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581142"></a>Interfaces</h4></div></div></div>
+<a name="id2582231"></a>Interfaces</h4></div></div></div>
<p>
The interfaces and ports that the server will answer queries
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
- an optional port, and an <code class="varname">address_match_list</code>.
+ an optional port and an <code class="varname">address_match_list</code>.
The server will listen on all interfaces allowed by the address
match list. If a port is not specified, port 53 will be used.
</p>
@@ -3042,7 +3415,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
</p>
<p>
If no <span><strong class="command">listen-on</strong></span> is specified, the
- server will listen on port 53 on all interfaces.
+ server will listen on port 53 on all IPv4 interfaces.
</p>
<p>
The <span><strong class="command">listen-on-v6</strong></span> option is used to
@@ -3093,8 +3466,10 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
</pre>
<p>
If no <span><strong class="command">listen-on-v6</strong></span> option is
- specified,
- the server will not listen on any IPv6 address.
+ specified, the server will not listen on any IPv6 address
+ unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
+ invoked. If <span><strong class="command">-6</strong></span> is specified then
+ <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
</p>
</div>
<div class="sect3" lang="en">
@@ -3178,20 +3553,37 @@ use-v6-udp-ports { range 1024 65535; };
avoid-v6-udp-ports {};
</pre>
<p>
- Note: it is generally strongly discouraged to
+ Note: BIND 9.5.0 introduced
+ the <span><strong class="command">use-queryport-pool</strong></span>
+ option to support a pool of such random ports, but this
+ option is now obsolete because reusing the same ports in
+ the pool may not be sufficiently secure.
+ For the same reason, it is generally strongly discouraged to
specify a particular port for the
<span><strong class="command">query-source</strong></span> or
<span><strong class="command">query-source-v6</strong></span> options;
- it implicitly disables the use of randomized port numbers
- and can be insecure.
+ it implicitly disables the use of randomized port numbers.
</p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
+<dd><p>
+ This option is obsolete.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
+<dd><p>
+ This option is obsolete.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
+<dd><p>
+ This option is obsolete.
+ </p></dd>
+</dl></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
The address specified in the <span><strong class="command">query-source</strong></span> option
is used for both UDP and TCP queries, but the port applies only
- to
- UDP queries. TCP queries always use a random
+ to UDP queries. TCP queries always use a random
unprivileged port.
</p>
</div>
@@ -3228,7 +3620,12 @@ avoid-v6-udp-ports {};
zone is loaded, in addition to the servers listed in the
zone's NS records.
This helps to ensure that copies of the zones will
- quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+ quickly converge on stealth servers.
+ Optionally, a port may be specified with each
+ <span><strong class="command">also-notify</strong></span> address to send
+ the notify messages to a port other than the
+ default of 53.
+ If an <span><strong class="command">also-notify</strong></span> list
is given in a <span><strong class="command">zone</strong></span> statement,
it will override
the <span><strong class="command">options also-notify</strong></span>
@@ -3395,7 +3792,7 @@ avoid-v6-udp-ports {};
to be used, you should set
<span><strong class="command">use-alt-transfer-source</strong></span>
appropriately and you should not depend upon
- getting a answer back to the first refresh
+ getting an answer back to the first refresh
query.
</div>
</dd>
@@ -3447,7 +3844,7 @@ avoid-v6-udp-ports {};
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582140"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2583571"></a>UDP Port Lists</h4></div></div></div>
<p>
<span><strong class="command">use-v4-udp-ports</strong></span>,
<span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -3489,7 +3886,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582200"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2583699"></a>Operating System Resource Limits</h4></div></div></div>
<p>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
@@ -3548,7 +3945,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582452"></a>Server Resource Limits</h4></div></div></div>
+<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
<p>
The following options set limits on the server's
resource consumption that are enforced internally by the
@@ -3571,6 +3968,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
journal
will be automatically removed. The default is
<code class="literal">unlimited</code>.
+ This may also be set on a per-zone basis.
</p></dd>
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<dd><p>
@@ -3602,7 +4000,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<p>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
- interfaces named listens on, tcp-clients as well as
+ interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
@@ -3619,7 +4017,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
server's cache, in bytes.
When the amount of data in the cache
reaches this limit, the server will cause records to expire
- prematurely so that the limit is not exceeded.
+ prematurely based on an LRU based strategy so that
+ the limit is not exceeded.
A value of 0 is special, meaning that
records are purged from the cache only when their
TTLs expire.
@@ -3649,15 +4048,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582682"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2583985"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
- The server will remove expired resource records
+ This interval is effectively obsolete. Previously,
+ the server would remove expired resource records
from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
- The default is 60 minutes. The maximum value is 28 days
- (40320 minutes).
- If set to 0, no periodic cleaning will occur.
+ <acronym class="acronym">BIND</acronym> 9 now manages cache
+ memory in a more sophisticated manner and does not
+ rely on the periodic cleaning any more.
+ Specifying this option therefore has no effect on
+ the server's behavior.
</p></dd>
<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
<dd><p>
@@ -3914,8 +4316,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</td>
<td>
<p>
- Records are returned in a round-robin
- order.
+ Records are returned in a cyclic round-robin order.
+ </p>
+ <p>
+ If <acronym class="acronym">BIND</acronym> is configured with the
+ "--enable-fixed-rrset" option at compile time, then
+ the initial ordering of the RRset will match the
+ one specified in the zone file.
</p>
</td>
</tr>
@@ -3943,9 +4350,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- The <span><strong class="command">rrset-order</strong></span> statement
- is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
- BIND 9 currently does not fully support "fixed" ordering.
+ In this release of <acronym class="acronym">BIND</acronym> 9, the
+ <span><strong class="command">rrset-order</strong></span> statement does not support
+ "fixed" ordering by default. Fixed ordering can be enabled
+ at compile time by specifying "--enable-fixed-rrset" on
+ the "configure" command line.
</p>
</div>
</div>
@@ -4000,17 +4409,59 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
</dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
+<dd>
+<p>
+ Specifies the number of days into the future when
+ DNSSEC signatures automatically generated as a
+ result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire. There
+ is a optional second field which specifies how
+ long before expiry that the signatures will be
+ regenerated. If not specified, the signatures will
+ be regenerated at 1/4 of base interval. The second
+ field is specified in days if the base interval is
+ greater than 7 days otherwise it is specified in hours.
+ The default base interval is <code class="literal">30</code> days
+ giving a re-signing interval of 7 1/2 days. The maximum
+ values are 10 years (3660 days).
+ </p>
+<p>
+ The signature inception time is unconditionally
+ set to one hour before the current time to allow
+ for a limited amount of clock skew.
+ </p>
+<p>
+ The <span><strong class="command">sig-validity-interval</strong></span>
+ should be, at least, several multiples of the SOA
+ expire interval to allow for reasonable interaction
+ between the various timer and expiry dates.
+ </p>
+</dd>
+<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
+<dd><p>
+ Specify the maximum number of nodes to be
+ examined in each quantum when signing a zone with
+ a new DNSKEY. The default is
+ <code class="literal">100</code>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<dd><p>
- Specifies the number of days into the
- future when DNSSEC signatures automatically generated as a
- result
- of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
- will expire. The default is <code class="literal">30</code> days.
- The maximum value is 10 years (3660 days). The signature
- inception time is unconditionally set to one hour before the
- current time
- to allow for a limited amount of clock skew.
+ Specify a threshold number of signatures that
+ will terminate processing a quantum when signing
+ a zone with a new DNSKEY. The default is
+ <code class="literal">10</code>.
</p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
+<dd>
+<p>
+ Specify a private RDATA type to be used when generating
+ key signing records. The default is
+ <code class="literal">65535</code>.
+ </p>
+<p>
+ It is expected that this parameter may be removed
+ in a future version once there is a standard type.
+ </p>
+</dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
@@ -4037,22 +4488,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
<dd><p>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
+ Sets the advertised EDNS UDP buffer size in bytes
+ to control the size of packets received.
+ Valid values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value
+ is 4096. The usual reason for setting
+ <span><strong class="command">edns-udp-size</strong></span> to a non-default
+ value is to get UDP answers to pass through broken
+ firewalls that block fragmented packets and/or
+ block UDP packets that are greater than 512 bytes.
</p></dd>
<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
<dd><p>
- Sets the maximum EDNS UDP message size named will
+ Sets the maximum EDNS UDP message size <span><strong class="command">named</strong></span> will
send in bytes. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
+ <span><strong class="command">max-udp-size</strong></span> to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
@@ -4085,21 +4537,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
file.
</p></dd>
<dt>
-<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
+<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
</dt>
<dd>
<p>These set the
initial value (minimum) and maximum number of recursive
- simultanious clients for any given query
+ simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
- before dropping additional clients. named will attempt to
+ before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
</p>
<p>
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, named will
+ If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
@@ -4172,14 +4624,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p></dd>
<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
<dd><p>
- The ID of the server should report via a query of
- the name <code class="filename">ID.SERVER</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ The ID the server should report when receiving a Name
+ Server Identifier (NSID) query, or a query of the name
+ <code class="filename">ID.SERVER</code> with type
+ <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
disables processing of the queries.
- Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+ Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
use the hostname as found by the gethostname() function.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
</p></dd>
@@ -4197,12 +4650,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
address (locally assigned), IPv6 link local addresses, the IPv6
- loopback address and the IPv6 unknown addresss.
+ loopback address and the IPv6 unknown address.
</p>
<p>
- Named will attempt to determine if a built in zone already exists
+ Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
- and will not not create a empty zone in that case.
+ and will not create a empty zone in that case.
</p>
<p>
The current list of empty zones is:
@@ -4248,7 +4701,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<h3 class="title">Note</h3>
The real parent servers for these zones should disable all
empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
+ root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
</div>
<div class="variablelist"><dl>
@@ -4266,173 +4719,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p></dd>
<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
<dd><p>
- Enable or disable all empty zones. By default they
+ Enable or disable all empty zones. By default, they
are enabled.
</p></dd>
<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
<dd><p>
- Disable individual empty zones. By default none are
+ Disable individual empty zones. By default, none are
disabled. This option can be specified multiple times.
</p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>
- The statistics file generated by <acronym class="acronym">BIND</acronym> 9
- is similar, but not identical, to that
- generated by <acronym class="acronym">BIND</acronym> 8.
- </p>
-<p>
- The statistics dump begins with a line, like:
- </p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>
- The number in parentheses is a standard
- Unix-style timestamp, measured as seconds since January 1, 1970.
- Following
- that line are a series of lines containing a counter type, the
- value of the
- counter, optionally a zone name, and optionally a view name.
- The lines without view and zone listed are global statistics for
- the entire server.
- Lines with a zone and view name for the given view and zone (the
- view name is
- omitted for the default view).
- </p>
-<p>
- The statistics dump ends with the line where the
- number is identical to the number in the beginning line; for example:
- </p>
-<p>
- <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
- </p>
-<p>
- The following statistics counters are maintained:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">success</strong></span></p>
- </td>
-<td>
- <p>
- The number of
- successful queries made to the server or zone. A
- successful query
- is defined as query which returns a NOERROR response
- with at least
- one answer RR.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">referral</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted
- in referral responses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">nxrrset</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted in
- NOERROR responses with no data.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">nxdomain</strong></span></p>
- </td>
-<td>
- <p>
- The number
- of queries which resulted in NXDOMAIN responses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">failure</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted in a
- failure response other than those above.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">recursion</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which caused the server
- to perform recursion in order to find the final answer.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">duplicate</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which the server attempted to
- recurse but discover a existing query with the same
- IP address, port, query id, name, type and class
- already being processed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">dropped</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries for which the server
- discovered a excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- Each query received by the server will cause exactly one of
- <span><strong class="command">success</strong></span>,
- <span><strong class="command">referral</strong></span>,
- <span><strong class="command">nxrrset</strong></span>,
- <span><strong class="command">nxdomain</strong></span>,
- <span><strong class="command">failure</strong></span>,
- <span><strong class="command">duplicate</strong></span>, or
- <span><strong class="command">dropped</strong></span>
- to be incremented, and may additionally cause the
- <span><strong class="command">recursion</strong></span> counter to be
- incremented.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
<a name="acache"></a>Additional Section Caching</h4></div></div></div>
<p>
The additional section cache, also called <span><strong class="command">acache</strong></span>,
@@ -4518,10 +4816,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
In a server with multiple views, the limit applies
separately to the
acache of each view.
- The default is <code class="literal">unlimited</code>,
- meaning that
- entries are purged from the acache only at the
- periodic cleaning time.
+ The default is <code class="literal">16M</code>.
</p></dd>
</dl></div>
</div>
@@ -4545,6 +4840,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
};
</pre>
</div>
@@ -4628,7 +4926,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p>
<p>
The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
- that is advertised by named when querying the remote server.
+ that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). This option is useful when you wish to
advertises a different value to this server than the value you
@@ -4637,11 +4935,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</p>
<p>
The <span><strong class="command">max-udp-size</strong></span> option sets the
- maximum EDNS UDP message size named will send. Valid
+ maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid
values are 512 to 4096 bytes (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
- replies from named.
+ replies from <span><strong class="command">named</strong></span>.
</p>
<p>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
@@ -4719,7 +5017,67 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585614"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
+ [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
+ [ inet ...; ]
+};
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2586754"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">statistics-channels</strong></span> statement
+ declares communication channels to be used by system
+ administrators to get access to statistics information of
+ the name server.
+ </p>
+<p>
+ This statement intends to be flexible to support multiple
+ communication protocols in the future, but currently only
+ HTTP access is supported.
+ It requires that BIND 9 be compiled with libxml2;
+ the <span><strong class="command">statistics-channels</strong></span> statement is
+ still accepted even if it is built without the library,
+ but any HTTP access will fail with an error.
+ </p>
+<p>
+ An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+ listening at the specified <span><strong class="command">ip_port</strong></span> on the
+ specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+ address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+ </p>
+<p>
+ If no port is specified, port 80 is used for HTTP channels.
+ The asterisk "<code class="literal">*</code>" cannot be used for
+ <span><strong class="command">ip_port</strong></span>.
+ </p>
+<p>
+ The attempt of opening a statistics channel is
+ restricted by the optional <span><strong class="command">allow</strong></span> clause.
+ Connections to the statistics channel are permitted based on the
+ <span><strong class="command">address_match_list</strong></span>.
+ If no <span><strong class="command">allow</strong></span> clause is present,
+ <span><strong class="command">named</strong></span> accepts connection
+ attempts from any address; since the statistics may
+ contain sensitive internal information, it is highly
+ recommended to restrict the source of connection requests
+ appropriately.
+ </p>
+<p>
+ If no <span><strong class="command">statistics-channels</strong></span> statement is present,
+ <span><strong class="command">named</strong></span> will not open any communication channels.
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2586908"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -4728,7 +5086,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585666"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2586960"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -4754,6 +5112,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
+ Spaces, tabs, newlines and carriage returns are ignored
+ in the key data, so the configuration may be split up into
+ multiple lines.
</p>
</div>
<div class="sect2" lang="en">
@@ -4771,7 +5132,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585748"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2587042"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
@@ -4894,6 +5255,7 @@ view "external" {
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type master;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
@@ -4906,9 +5268,11 @@ view "external" {
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
@@ -4916,11 +5280,15 @@ view "external" {
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
+ [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
@@ -4934,18 +5302,22 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
type slave;
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
@@ -4955,6 +5327,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
+ [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
+ [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -4983,6 +5357,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type stub;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
@@ -5023,10 +5398,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587332"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2588510"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587339"></a>Zone Types</h4></div></div></div>
+<a name="id2588518"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -5089,7 +5464,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
just the first two letters of the zone name. (Most
operating systems
- behave very slowly if you put 100 000 files into
+ behave very slowly if you put 100000 files into
a single directory.)
</p>
</td>
@@ -5235,7 +5610,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587690"></a>Class</h4></div></div></div>
+<a name="id2588937"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -5257,7 +5632,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587723"></a>Zone Options</h4></div></div></div>
+<a name="id2588970"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
@@ -5269,6 +5644,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">allow-transfer</strong></span>
@@ -5348,6 +5728,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
<p>
@@ -5424,6 +5809,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
</p></dd>
+<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server Resource Limits&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dd><p>
See the description of
@@ -5454,6 +5844,12 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify-to-soa</strong></span> in
+ <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
<dd><p>
In <acronym class="acronym">BIND</acronym> 8, this option was
@@ -5476,6 +5872,21 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
See the description of
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
<dd><p>
See the description of
@@ -5521,6 +5932,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<dd><p>
See the description of
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
+ <strong class="userinput"><code>master</code></strong> and
+ <strong class="userinput"><code>slave</code></strong> choices are not
+ available at the zone level.)
</p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
<dd><p>
@@ -5544,43 +5959,38 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p>
- <acronym class="acronym">BIND</acronym> 9 supports two alternative
- methods of granting clients
- the right to perform dynamic updates to a zone,
- configured by the <span><strong class="command">allow-update</strong></span>
- and
- <span><strong class="command">update-policy</strong></span> option,
- respectively.
+<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
+ methods of granting clients the right to perform
+ dynamic updates to a zone, configured by the
+ <span><strong class="command">allow-update</strong></span> and
+ <span><strong class="command">update-policy</strong></span> option, respectively.
</p>
<p>
The <span><strong class="command">allow-update</strong></span> clause works the
- same
- way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
- permission to update any record of any name in the zone.
+ same way as in previous versions of <acronym class="acronym">BIND</acronym>.
+ It grants given clients the permission to update any
+ record of any name in the zone.
</p>
<p>
The <span><strong class="command">update-policy</strong></span> clause is new
- in <acronym class="acronym">BIND</acronym>
- 9 and allows more fine-grained control over what updates are
- allowed.
- A set of rules is specified, where each rule either grants or
- denies
- permissions for one or more names to be updated by one or more
- identities.
- If the dynamic update request message is signed (that is, it
- includes
- either a TSIG or SIG(0) record), the identity of the signer can
- be determined.
+ in <acronym class="acronym">BIND</acronym> 9 and allows more fine-grained
+ control over what updates are allowed. A set of rules
+ is specified, where each rule either grants or denies
+ permissions for one or more names to be updated by
+ one or more identities. If the dynamic update request
+ message is signed (that is, it includes either a TSIG
+ or SIG(0) record), the identity of the signer can be
+ determined.
</p>
<p>
- Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
- option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
- is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
- to be present. The <span><strong class="command">update-policy</strong></span>
- statement only
- examines the signer of a message; the source address is not
- relevant.
+ Rules are specified in the <span><strong class="command">update-policy</strong></span>
+ zone option, and are only meaningful for master zones.
+ When the <span><strong class="command">update-policy</strong></span> statement
+ is present, it is a configuration error for the
+ <span><strong class="command">allow-update</strong></span> statement to be
+ present. The <span><strong class="command">update-policy</strong></span> statement
+ only examines the signer of a message; the source
+ address is not relevant.
</p>
<p>
This is how a rule definition looks:
@@ -5599,26 +6009,38 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
the types specified in the type field.
</p>
<p>
- The identity field specifies a name or a wildcard name.
- Normally, this
- is the name of the TSIG or SIG(0) key used to sign the update
- request. When a
- TKEY exchange has been used to create a shared secret, the
- identity of the
- shared secret is the same as the identity of the key used to
- authenticate the
- TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
- wildcard name, it is subject to DNS wildcard expansion, so the
- rule will apply
- to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
+ No signer is required for <em class="replaceable"><code>tcp-self</code></em>
+ or <em class="replaceable"><code>6to4-self</code></em> however the standard
+ reverse mapping / prefix conversion must match the identity
+ field.
+ </p>
+<p>
+ The identity field specifies a name or a wildcard
+ name. Normally, this is the name of the TSIG or
+ SIG(0) key used to sign the update request. When a
+ TKEY exchange has been used to create a shared secret,
+ the identity of the shared secret is the same as the
+ identity of the key used to authenticate the TKEY
+ exchange. TKEY is also the negotiation method used
+ by GSS-TSIG, which establishes an identity that is
+ the Kerberos principal of the client, such as
+ <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
+ <em class="replaceable"><code>identity</code></em> field specifies
+ a wildcard name, it is subject to DNS wildcard
+ expansion, so the rule will apply to multiple identities.
+ The <em class="replaceable"><code>identity</code></em> field must
contain a fully-qualified domain name.
</p>
<p>
- The <em class="replaceable"><code>nametype</code></em> field has 6
+ The <em class="replaceable"><code>nametype</code></em> field has 12
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
- <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
+ <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
+ <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
+ <code class="varname">krb5-subdomain</code>,
+ <code class="varname">ms-subdomain</code>,
+ <code class="varname">tcp-self</code> and <code class="varname">6to4-self</code>.
</p>
<div class="informaltable"><table border="1">
<colgroup>
@@ -5723,6 +6145,47 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
</td>
</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">tcp-self</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Allow updates that have been sent via TCP and
+ for which the standard mapping from the initiating
+ IP address into the IN-ADDR.ARPA and IP6.ARPA
+ namespaces match the name to be updated.
+ </p>
+ <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ It is theoretically possible to spoof these TCP
+ sessions.
+ </div>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">6to4-self</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Allow the 6to4 prefix to be update by any TCP
+ conection from the 6to4 network or from the
+ corresponding IPv4 address. This is intended
+ to allow NS or DNAME RRsets to be added to the
+ reverse tree.
+ </p>
+ <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ It is theoretically possible to spoof these TCP
+ sessions.
+ </div>
+ </td>
+</tr>
</tbody>
</table></div>
<p>
@@ -5731,21 +6194,20 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
specify a fully-qualified domain name.
</p>
<p>
- If no types are explicitly specified, this rule matches all
- types except
- RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
- "ANY" (ANY matches all types except NSEC, which can never be
- updated).
- Note that when an attempt is made to delete all records
- associated with a
- name, the rules are checked for each existing record type.
+ If no types are explicitly specified, this rule matches
+ all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+ may be specified by name, including "ANY" (ANY matches
+ all types except NSEC and NSEC3, which can never be
+ updated). Note that when an attempt is made to delete
+ all records associated with a name, the rules are
+ checked for each existing record type.
</p>
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589477"></a>Zone File</h2></div></div></div>
+<a name="id2591109"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -5758,7 +6220,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589495"></a>Resource Records</h4></div></div></div>
+<a name="id2591127"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -5953,6 +6415,19 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<tr>
<td>
<p>
+ DHCID
+ </p>
+ </td>
+<td>
+ <p>
+ Is used for identifying which DHCP client is
+ associated with this name. Described in RFC 4701.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
DNAME
</p>
</td>
@@ -6159,6 +6634,40 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
<tr>
<td>
<p>
+ NSEC3
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name
+ interval do not exist in a zone and indicate
+ what RR types are present for an existing
+ name. NSEC3 differs from NSEC in that it
+ prevents zone enumeration but is more
+ computationally expensive on both the server
+ and the client than NSEC. Described in RFC
+ 5155.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ NSEC3PARAM
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSECbis to tell the authoritative
+ server which NSEC3 chains are available to use.
+ Described in RFC 5155.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
NXT
</p>
</td>
@@ -6304,7 +6813,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</td>
<td>
<p>
- Provides a way to securly publish a secure shell key's
+ Provides a way to securely publish a secure shell key's
fingerprint. Described in RFC 4255.
</p>
</td>
@@ -6448,7 +6957,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590912"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2592682"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -6651,7 +7160,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591500"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2593203"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -6685,8 +7194,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
- </p>
-<p>
For example:
</p>
<div class="informaltable"><table border="1">
@@ -6909,7 +7416,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592188"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2593886"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -6970,7 +7477,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592384"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2594013"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -6985,7 +7492,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592406"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2594036"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
@@ -7013,7 +7520,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592467"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2594097"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
@@ -7049,7 +7556,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592536"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2594234"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
@@ -7068,7 +7575,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592572"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2594270"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
@@ -7128,7 +7635,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
describes the owner name of the resource records
to be created. Any single <span><strong class="command">$</strong></span>
(dollar sign)
- symbols within the <span><strong class="command">lhs</strong></span> side
+ symbols within the <span><strong class="command">lhs</strong></span> string
are replaced by the iterator value.
To get a $ in the output, you need to escape the
@@ -7172,7 +7679,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
<p>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
- normal ttl inheritance rules.
+ normal TTL inheritance rules.
</p>
<p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
@@ -7271,6 +7778,1470 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</p>
</div>
</div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
+ information and provides several interfaces for users to
+ get access to the statistics.
+ The available statistics include all statistics counters
+ that were available in <acronym class="acronym">BIND</acronym> 8 and
+ are meaningful in <acronym class="acronym">BIND</acronym> 9,
+ and other information that is considered useful.
+ </p>
+<p>
+ The statistics information is categorized into the following
+ sections.
+ </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p>Incoming Requests</p>
+ </td>
+<td>
+ <p>
+ The number of incoming DNS requests for each OPCODE.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Incoming Queries</p>
+ </td>
+<td>
+ <p>
+ The number of incoming queries for each RR type.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Outgoing Queries</p>
+ </td>
+<td>
+ <p>
+ The number of outgoing queries for each RR
+ type sent from the internal resolver.
+ Maintained per view.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Name Server Statistics</p>
+ </td>
+<td>
+ <p>
+ Statistics counters about incoming request processing.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Zone Maintenance Statistics</p>
+ </td>
+<td>
+ <p>
+ Statistics counters regarding zone maintenance
+ operations such as zone transfers.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Resolver Statistics</p>
+ </td>
+<td>
+ <p>
+ Statistics counters about name resolution
+ performed in the internal resolver.
+ Maintained per view.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Cache DB RRsets</p>
+ </td>
+<td>
+ <p>
+ The number of RRsets per RR type (positive
+ or negative) and nonexistent names stored in the
+ cache database.
+ Maintained per view.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>Socket I/O Statistics</p>
+ </td>
+<td>
+ <p>
+ Statistics counters about network related events.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+<p>
+ A subset of Name Server Statistics is collected and shown
+ per zone for which the server has the authority when
+ <span><strong class="command">zone-statistics</strong></span> is set to
+ <strong class="userinput"><code>yes</code></strong>.
+ These statistics counters are shown with their zone and view
+ names.
+ In some cases the view names are omitted for the default view.
+ </p>
+<p>
+ There are currently two user interfaces to get access to the
+ statistics.
+ One is in the plain text format dumped to the file specified
+ by the <span><strong class="command">statistics-file</strong></span> configuration option.
+ The other is remotely accessible via a statistics channel
+ when the <span><strong class="command">statistics-channels</strong></span> statement
+ is specified in the configuration file
+ (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span><strong class="command">statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
+ </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="statsfile"></a>The Statistics File</h4></div></div></div>
+<p>
+ The text format statistics dump begins with a line, like:
+ </p>
+<p>
+ <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
+ </p>
+<p>
+ The number in parentheses is a standard
+ Unix-style timestamp, measured as seconds since January 1, 1970.
+
+ Following
+ that line is a set of statistics information, which is categorized
+ as described above.
+ Each section begins with a line, like:
+ </p>
+<p>
+ <span><strong class="command">++ Name Server Statistics ++</strong></span>
+ </p>
+<p>
+ Each section consists of lines, each containing the statistics
+ counter value followed by its textual description.
+ See below for available counters.
+ For brevity, counters that have a value of 0 are not shown
+ in the statistics file.
+ </p>
+<p>
+ The statistics dump ends with the line where the
+ number is identical to the number in the beginning line; for example:
+ </p>
+<p>
+ <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
+<p>
+ The following tables summarize statistics counters that
+ <acronym class="acronym">BIND</acronym> 9 provides.
+ For each row of the tables, the leftmost column is the
+ abbreviated symbol name of that counter.
+ These symbols are shown in the statistics information
+ accessed via an HTTP statistics channel.
+ The rightmost column gives the description of the counter,
+ which is also shown in the statistics file
+ (but, in this document, possibly with slight modification
+ for better readability).
+ Additional notes may also be provided in this column.
+ When a middle column exists between these two columns,
+ it gives the corresponding counter name of the
+ <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
+ </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2595267"></a>Name Server Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p>
+ <span class="emphasis"><em>Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>BIND8 Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>Description</em></span>
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Requestv4</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 requests received.
+ Note: this also counts non query requests.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Requestv6</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 requests received.
+ Note: this also counts non query requests.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqEdns0</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requests with EDNS(0) received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requests with unsupported EDNS version received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqTSIG</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requests with TSIG received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqSIG0</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requests with SIG(0) received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqBadSIG</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requests with invalid (TSIG or SIG(0)) signature.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ReqTCP</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RTCP</strong></span></p>
+ </td>
+<td>
+ <p>
+ TCP requests received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">AuthQryRej</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RUQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Authoritative (non recursive) queries rejected.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RecQryRej</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RURQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Recursive queries rejected.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">XfrRej</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RUXFR</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfer requests rejected.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateRej</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RUUpd</strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic update requests rejected.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Response</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SAns</strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RespTruncated</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Truncated responses sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RespEDNS0</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses with EDNS(0) sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RespTSIG</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses with TSIG sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">RespSIG0</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Responses with SIG(0) sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QrySuccess</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in a successful answer.
+ This means the query which returns a NOERROR response
+ with at least one answer RR.
+ This corresponds to the
+ <span><strong class="command">success</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryAuthAns</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in authoritative answer.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryNoauthAns</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SNaAns</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in non authoritative answer.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryReferral</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in referral answer.
+ This corresponds to the
+ <span><strong class="command">referral</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryNxrrset</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in NOERROR responses with no data.
+ This corresponds to the
+ <span><strong class="command">nxrrset</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QrySERVFAIL</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in SERVFAIL.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryFORMERR</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SFErr</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in FORMERR.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SNXD</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries resulted in NXDOMAIN.
+ This corresponds to the
+ <span><strong class="command">nxdomain</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryRecursion</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RFwdQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries which caused the server
+ to perform recursion in order to find the final answer.
+ This corresponds to the
+ <span><strong class="command">recursion</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryDuplicate</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RDupQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries which the server attempted to
+ recurse but discovered an existing query with the same
+ IP address, port, query ID, name, type and class
+ already being processed.
+ This corresponds to the
+ <span><strong class="command">duplicate</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryDropped</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Recursive queries for which the server
+ discovered an excessive number of existing
+ recursive queries for the same name, type and
+ class and were subsequently dropped.
+ This is the number of dropped queries due to
+ the reason explained with the
+ <span><strong class="command">clients-per-query</strong></span>
+ and
+ <span><strong class="command">max-clients-per-query</strong></span>
+ options
+ (see the description about
+ <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
+ This corresponds to the
+ <span><strong class="command">dropped</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryFailure</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Other query failures.
+ This corresponds to the
+ <span><strong class="command">failure</strong></span> counter
+ of previous versions of
+ <acronym class="acronym">BIND</acronym> 9.
+ Note: this counter is provided mainly for
+ backward compatibility with the previous versions.
+ Normally a more fine-grained counters such as
+ <span><strong class="command">AuthQryRej</strong></span> and
+ <span><strong class="command">RecQryRej</strong></span>
+ that would also fall into this counter are provided,
+ and so this counter would not be of much
+ interest in practice.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">XfrReqDone</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Requested zone transfers completed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateReqFwd</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Update requests forwarded.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateRespFwd</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Update responses forwarded.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateFwdFail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic update forward failed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateDone</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic updates completed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateFail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic updates failed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic updates rejected due to prerequisite failure.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2596808"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p>
+ <span class="emphasis"><em>Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>Description</em></span>
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NotifyOutv4</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 notifies sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NotifyOutv6</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 notifies sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NotifyInv4</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 notifies received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NotifyInv6</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 notifies received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NotifyRej</strong></span></p>
+ </td>
+<td>
+ <p>
+ Incoming notifies rejected.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">SOAOutv4</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 SOA queries sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">SOAOutv6</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 SOA queries sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">AXFRReqv4</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 AXFR requested.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">AXFRReqv6</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 AXFR requested.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">IXFRReqv4</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 IXFR requested.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">IXFRReqv6</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 IXFR requested.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">XfrSuccess</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfer requests succeeded.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">XfrFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfer requests failed.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2597191"></a>Resolver Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p>
+ <span class="emphasis"><em>Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>BIND8 Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>Description</em></span>
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Queryv4</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SFwdQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 queries sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Queryv6</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SFwdQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 queries sent.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Responsev4</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RR</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 responses received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Responsev6</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RR</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 responses received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">NXDOMAIN</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RNXD</strong></span></p>
+ </td>
+<td>
+ <p>
+ NXDOMAIN received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">SERVFAIL</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ SERVFAIL received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">FORMERR</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RFErr</strong></span></p>
+ </td>
+<td>
+ <p>
+ FORMERR received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">OtherError</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RErr</strong></span></p>
+ </td>
+<td>
+ <p>
+ Other errors received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">EDNS0Fail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ EDNS(0) query failures.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Mismatch</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RDupR</strong></span></p>
+ </td>
+<td>
+ <p>
+ Mismatch responses received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Truncated</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Truncated responses received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Lame</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">RLame</strong></span></p>
+ </td>
+<td>
+ <p>
+ Lame delegations received.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">Retry</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SDupQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ Query retries performed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QueryAbort</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Queries aborted due to quota control.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QuerySockFail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Failures in opening query sockets.
+ One common reason for such failures is a
+ failure of opening a new socket due to a
+ limitation on file descriptors.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QueryTimeout</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Query timeouts.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">GlueFetchv4</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SSysQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 NS address fetches invoked.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">GlueFetchv6</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">SSysQ</strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 NS address fetches invoked.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">GlueFetchv4Fail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv4 NS address fetch failed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">GlueFetchv6Fail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ IPv6 NS address fetch failed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ValAttempt</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC validation attempted.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ValOk</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC validation succeeded.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ValNegOk</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC validation on negative information succeeded.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">ValFail</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC validation failed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">QryRTTnn</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command"></strong></span></p>
+ </td>
+<td>
+ <p>
+ Frequency table on round trip times (RTTs) of
+ queries.
+ Each <span><strong class="command">nn</strong></span> specifies the corresponding
+ frequency.
+ In the sequence of
+ <span><strong class="command">nn_1</strong></span>,
+ <span><strong class="command">nn_2</strong></span>,
+ ...,
+ <span><strong class="command">nn_m</strong></span>,
+ the value of <span><strong class="command">nn_i</strong></span> is the
+ number of queries whose RTTs are between
+ <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and
+ <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds.
+ For the sake of convenience we define
+ <span><strong class="command">nn_0</strong></span> to be 0.
+ The last entry should be represented as
+ <span><strong class="command">nn_m+</strong></span>, which means the
+ number of queries whose RTTs are equal to or over
+ <span><strong class="command">nn_m</strong></span> milliseconds.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2598210"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<p>
+ Socket I/O statistics counters are defined per socket
+ types, which are
+ <span><strong class="command">UDP4</strong></span> (UDP/IPv4),
+ <span><strong class="command">UDP6</strong></span> (UDP/IPv6),
+ <span><strong class="command">TCP4</strong></span> (TCP/IPv4),
+ <span><strong class="command">TCP6</strong></span> (TCP/IPv6),
+ <span><strong class="command">Unix</strong></span> (Unix Domain), and
+ <span><strong class="command">FDwatch</strong></span> (sockets opened outside the
+ socket module).
+ In the following table <span><strong class="command">&lt;TYPE&gt;</strong></span>
+ represents a socket type.
+ Not all counters are available for all socket types;
+ exceptions are noted in the description field.
+ </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+ <p>
+ <span class="emphasis"><em>Symbol</em></span>
+ </p>
+ </td>
+<td>
+ <p>
+ <span class="emphasis"><em>Description</em></span>
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;Open</strong></span></p>
+ </td>
+<td>
+ <p>
+ Sockets opened successfully.
+ This counter is not applicable to the
+ <span><strong class="command">FDwatch</strong></span> type.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;OpenFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Failures of opening sockets.
+ This counter is not applicable to the
+ <span><strong class="command">FDwatch</strong></span> type.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;Close</strong></span></p>
+ </td>
+<td>
+ <p>
+ Sockets closed.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;BindFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Failures of binding sockets.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;ConnFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Failures of connecting sockets.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;Conn</strong></span></p>
+ </td>
+<td>
+ <p>
+ Connections established successfully.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;AcceptFail</strong></span></p>
+ </td>
+<td>
+ <p>
+ Failures of accepting incoming connection requests.
+ This counter is not applicable to the
+ <span><strong class="command">UDP</strong></span> and
+ <span><strong class="command">FDwatch</strong></span> types.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;Accept</strong></span></p>
+ </td>
+<td>
+ <p>
+ Incoming connections successfully accepted.
+ This counter is not applicable to the
+ <span><strong class="command">UDP</strong></span> and
+ <span><strong class="command">FDwatch</strong></span> types.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;SendErr</strong></span></p>
+ </td>
+<td>
+ <p>
+ Errors in socket send operations.
+ This counter corresponds
+ to <span><strong class="command">SErr</strong></span> counter of
+ <span><strong class="command">BIND</strong></span> 8.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">&lt;TYPE&gt;RecvErr</strong></span></p>
+ </td>
+<td>
+ <p>
+ Errors in socket receive operations.
+ This includes errors of send operations on a
+ connected UDP socket notified by an ICMP error
+ message.
+ </p>
+ </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2598651"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<p>
+ Most statistics counters that were available
+ in <span><strong class="command">BIND</strong></span> 8 are also supported in
+ <span><strong class="command">BIND</strong></span> 9 as shown in the above tables.
+ Here are notes about other counters that do not appear
+ in these tables.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt>
+<dd><p>
+ These counters are not supported
+ because <span><strong class="command">BIND</strong></span> 9 does not adopt
+ the notion of <span class="emphasis"><em>forwarding</em></span>
+ as <span><strong class="command">BIND</strong></span> 8 did.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt>
+<dd><p>
+ This counter is accessible in the Incoming Queries section.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt>
+<dd><p>
+ This counter is accessible in the Incoming Requests section.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt>
+<dd><p>
+ This counter is not supported
+ because <span><strong class="command">BIND</strong></span> 9 does not care
+ about IP options in the first place.
+ </p></dd>
+</dl></div>
+</div>
+</div>
+</div>
</div>
<div class="navfooter">
<hr>
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 4ddbcedc9a8b..80ba6e3c5461 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.76 2008/10/16 01:29:41 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593181"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593326">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593386">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
@@ -58,9 +58,10 @@
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
- Access Control Lists (ACLs), are address match lists that
+ Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
+ <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
+ <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
etc.
</p>
@@ -118,14 +119,16 @@ zone "example.com" {
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593181"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2598893"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
- On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
- (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
- option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
- a "sandbox", which will limit the damage done if a server is
- compromised.
+ On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
+ in a <span class="emphasis"><em>chrooted</em></span> environment (using
+ the <span><strong class="command">chroot()</strong></span> function) by specifying
+ the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
+ This can help improve system security by placing
+ <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
+ the damage done if a server is compromised.
</p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
@@ -138,11 +141,11 @@ zone "example.com" {
user 202:
</p>
<p>
- <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
+ <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593326"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2598974"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to
@@ -170,7 +173,7 @@ zone "example.com" {
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593386"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2599034"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 65f8cec8d3ba..65ca623f8a45 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.77 2008/10/16 01:29:41 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593466">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593472">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593483">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593500">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593466"></a>Common Problems</h2></div></div></div>
+<a name="id2599251"></a>Common Problems</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2593472"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2599324"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
<p>
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593483"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2599336"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
<p>
Zone serial numbers are just numbers &#8212; they aren't
date related. A lot of people set them to a number that
@@ -95,7 +95,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593500"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2599353"></a>Where Can I Get Help?</h2></div></div></div>
<p>
The Internet Systems Consortium
(<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 71ea617e6afb..3664b99fc34d 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.80 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.180.16.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593630">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593802">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597082">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593630"></a>Acknowledgments</h2></div></div></div>
+<a name="id2599415"></a>Acknowledgments</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -148,11 +148,9 @@
BIND architecture.
</p>
<p>
- BIND version 4 is officially deprecated and BIND version
- 8 development is considered maintenance-only in favor
- of BIND version 9. No additional development is done
- on BIND version 4 or BIND version 8 other than for
- security-related patches.
+ BIND versions 4 and 8 are officially deprecated.
+ No additional development is done
+ on BIND version 4 or BIND version 8.
</p>
<p>
<acronym class="acronym">BIND</acronym> development work is made
@@ -164,7 +162,7 @@
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593802"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2599587"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -252,17 +250,17 @@
</p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2593990"></a>Bibliography</h4></div></div></div>
+<a name="id2599843"></a>Bibliography</h4></div></div></div>
<div class="bibliodiv">
<h3 class="title">Standards</h3>
<div class="biblioentry">
-<a name="id2594001"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2599853"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594024"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2599877"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594048"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2599900"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
Specification</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
</div>
@@ -270,42 +268,42 @@
<h3 class="title">
<a name="proposed_standards"></a>Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2594084"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2599937"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
Specification</i>. </span><span class="pubdate">July 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594110"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2599963"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
Queries</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594136"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2599989"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594161"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600013"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594184"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2600037"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594240"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2600092"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594266"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2600119"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594293"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2600146"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594423"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600208"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594453"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600237"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594483"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2600267"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594509"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2600294"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
Key Transaction Authentication for DNS
(GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
@@ -314,19 +312,19 @@
<h3 class="title">
<acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
<div class="biblioentry">
-<a name="id2594592"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2600376"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594618"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2600403"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594654"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600439"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594720"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600504"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594785"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2600569"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
</div>
</div>
@@ -334,146 +332,146 @@
<h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
Implementation</h3>
<div class="biblioentry">
-<a name="id2594858"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2600643"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594884"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2600668"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594952"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600737"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2594987"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2600772"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Resource Record Types</h3>
<div class="biblioentry">
-<a name="id2595033"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2600818"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595091"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2600875"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595128"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2600913"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595163"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2600948"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
Domain
Name System</i>. </span><span class="pubdate">January 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595218"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2601002"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
Location of
Services.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595256"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2601041"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
Distribute MIXER
Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595282"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2601066"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595307"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601092"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595334"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601118"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595361"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601145"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595400"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601185"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595430"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601214"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595460"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2601244"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595502"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601287"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595536"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2601320"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595562"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2601347"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595586"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2601370"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
version 6</i>. </span><span class="pubdate">October 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595643"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2601428"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> and the Internet</h3>
<div class="biblioentry">
-<a name="id2595675"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2601460"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595701"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2601485"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
Support</i>. </span><span class="pubdate">October 1989. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595723"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2601576"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595747"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2601600"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595793"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2601645"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595816"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601669"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">
<acronym class="acronym">DNS</acronym> Operations</h3>
<div class="biblioentry">
-<a name="id2595874"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2601726"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595897"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2601750"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595924"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2601777"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595950"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2601803"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
</div>
<div class="biblioentry">
-<a name="id2595987"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2601840"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Internationalized Domain Names</h3>
<div class="biblioentry">
-<a name="id2596033"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2601885"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596065"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601917"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596110"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601963"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596146"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2601998"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
for Internationalized Domain Names in
Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
</div>
@@ -489,47 +487,47 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2596190"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2602043"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596213"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2602066"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596238"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2602091"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596332"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596356"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602140"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596402"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602186"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596425"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2602210"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596452"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2602236"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596477"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2602262"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
</div>
</div>
<div class="bibliodiv">
<h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
<div class="biblioentry">
-<a name="id2596521"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2602306"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
Location</i>. </span><span class="pubdate">November 1994. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596579"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602363"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596605"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2602390"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
</div>
</div>
@@ -543,39 +541,39 @@
</p>
</div>
<div class="biblioentry">
-<a name="id2596653"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2602438"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596693"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602477"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596720"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602504"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596818"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2602534"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596843"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2602560"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596870"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2602586"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596906"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2602691"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596942"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2602727"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596969"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2602754"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2596996"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2602780"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
(RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
</div>
<div class="biblioentry">
-<a name="id2597041"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602825"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
</div>
</div>
</div>
@@ -596,14 +594,14 @@
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2597082"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2602867"></a>Other Documents About <acronym class="acronym">BIND</acronym>
</h3></div></div></div>
<p></p>
<div class="bibliography">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2597092"></a>Bibliography</h4></div></div></div>
+<a name="id2602876"></a>Bibliography</h4></div></div></div>
<div class="biblioentry">
-<a name="id2597094"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2602878"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
</div>
</div>
</div>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 892ab16b942a..5fbeb3dede95 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.9 2008/05/24 01:31:12 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch10.html,v 1.11.14.1 2009/01/08 01:51:00 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -55,6 +55,12 @@
<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
</dt>
<dt>
@@ -70,6 +76,9 @@
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
</dt>
<dt>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 6de42bcee192..23499407ec50 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.html,v 1.85.18.82 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.193.14.5 2009/04/03 01:52:22 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -41,7 +41,7 @@
<div>
<div><h1 class="title">
<a name="id2563174"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright 2004-2008 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<div><p class="copyright">Copyright 2004-2009 Internet Systems Consortium, Inc. ("ISC")</p></div>
<div><p class="copyright">Copyright 2000-2003 Internet Software Consortium.</p></div>
</div>
<hr>
@@ -51,39 +51,39 @@
<dl>
<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563405">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564385">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564524">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564637">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564659">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564693">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564845">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567243">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567416">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567546">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567580">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567607">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567851">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567862">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567894">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567910">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568001">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568423">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568428">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570142">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,34 @@
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570600">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570618">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570985">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571127">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571138">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571177">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571416">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571430">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571547">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571684">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571753">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571832">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571975">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572173">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572195">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572228">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,83 +127,88 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573436">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574117"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574307"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574736"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574958"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575084"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576435"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576508"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576572"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576616"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576631"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585614"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585666"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585748"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587042"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587332"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588510"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589477">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591109">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591500">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592188">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592384">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592572"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
<dd><dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593181"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593326">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593386">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl></dd>
<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593466">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593472">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593483">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593500">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
</dl></dd>
<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593630">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593802">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597082">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
</dl></dd>
</dl></dd>
<dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
@@ -215,6 +220,12 @@
<span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
</dt>
<dt>
@@ -230,6 +241,9 @@
<span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
</dt>
<dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
+</dt>
+<dt>
<span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
</dt>
<dt>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 29637452ec51..b56a05d52962 100644
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -621,389 +621,455 @@ endobj
<< /S /GoTo /D (subsubsection.6.2.16.18) >>
endobj
420 0 obj
-(6.2.16.18 The Statistics File)
+(6.2.16.18 Additional Section Caching)
endobj
421 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.19) >>
+<< /S /GoTo /D (subsection.6.2.17) >>
endobj
424 0 obj
-(6.2.16.19 Additional Section Caching)
+(6.2.17 statistics-channels Statement Grammar)
endobj
425 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
+<< /S /GoTo /D (subsection.6.2.18) >>
endobj
428 0 obj
-(6.2.17 server Statement Grammar)
+(6.2.18 statistics-channels Statement Definition and Usage)
endobj
429 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
+<< /S /GoTo /D (subsection.6.2.19) >>
endobj
432 0 obj
-(6.2.18 server Statement Definition and Usage)
+(6.2.19 server Statement Grammar)
endobj
433 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
+<< /S /GoTo /D (subsection.6.2.20) >>
endobj
436 0 obj
-(6.2.19 trusted-keys Statement Grammar)
+(6.2.20 server Statement Definition and Usage)
endobj
437 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
+<< /S /GoTo /D (subsection.6.2.21) >>
endobj
440 0 obj
-(6.2.20 trusted-keys Statement Definition and Usage)
+(6.2.21 trusted-keys Statement Grammar)
endobj
441 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
+<< /S /GoTo /D (subsection.6.2.22) >>
endobj
444 0 obj
-(6.2.21 view Statement Grammar)
+(6.2.22 trusted-keys Statement Definition and Usage)
endobj
445 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
+<< /S /GoTo /D (subsection.6.2.23) >>
endobj
448 0 obj
-(6.2.22 view Statement Definition and Usage)
+(6.2.23 view Statement Grammar)
endobj
449 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
+<< /S /GoTo /D (subsection.6.2.24) >>
endobj
452 0 obj
-(6.2.23 zone Statement Grammar)
+(6.2.24 view Statement Definition and Usage)
endobj
453 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
+<< /S /GoTo /D (subsection.6.2.25) >>
endobj
456 0 obj
-(6.2.24 zone Statement Definition and Usage)
+(6.2.25 zone Statement Grammar)
endobj
457 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.1) >>
+<< /S /GoTo /D (subsection.6.2.26) >>
endobj
460 0 obj
-(6.2.24.1 Zone Types)
+(6.2.26 zone Statement Definition and Usage)
endobj
461 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.2) >>
+<< /S /GoTo /D (subsubsection.6.2.26.1) >>
endobj
464 0 obj
-(6.2.24.2 Class)
+(6.2.26.1 Zone Types)
endobj
465 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.3) >>
+<< /S /GoTo /D (subsubsection.6.2.26.2) >>
endobj
468 0 obj
-(6.2.24.3 Zone Options)
+(6.2.26.2 Class)
endobj
469 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.4) >>
+<< /S /GoTo /D (subsubsection.6.2.26.3) >>
endobj
472 0 obj
-(6.2.24.4 Dynamic Update Policies)
+(6.2.26.3 Zone Options)
endobj
473 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.26.4) >>
endobj
476 0 obj
-(6.3 Zone File)
+(6.2.26.4 Dynamic Update Policies)
endobj
477 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (section.6.3) >>
endobj
480 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.3 Zone File)
endobj
481 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
endobj
484 0 obj
-(6.3.1.1 Resource Records)
+(6.3.1 Types of Resource Records and When to Use Them)
endobj
485 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
endobj
488 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.3.1.1 Resource Records)
endobj
489 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
endobj
492 0 obj
-(6.3.2 Discussion of MX Records)
+(6.3.1.2 Textual expression of RRs)
endobj
493 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
endobj
496 0 obj
-(6.3.3 Setting TTLs)
+(6.3.2 Discussion of MX Records)
endobj
497 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
endobj
500 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.3.3 Setting TTLs)
endobj
501 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
endobj
504 0 obj
-(6.3.5 Other Zone File Directives)
+(6.3.4 Inverse Mapping in IPv4)
endobj
505 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
endobj
508 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
+(6.3.5 Other Zone File Directives)
endobj
509 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
endobj
512 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
+(6.3.5.1 The \044ORIGIN Directive)
endobj
513 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
endobj
516 0 obj
-(6.3.5.3 The \044TTL Directive)
+(6.3.5.2 The \044INCLUDE Directive)
endobj
517 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
endobj
520 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.3.5.3 The \044TTL Directive)
endobj
521 0 obj
-<< /S /GoTo /D (subsection.6.3.7) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
endobj
524 0 obj
-(6.3.7 Additional File Formats)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
endobj
525 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
endobj
528 0 obj
-(7 BIND 9 Security Considerations)
+(6.3.7 Additional File Formats)
endobj
529 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (section.6.4) >>
endobj
532 0 obj
-(7.1 Access Control Lists)
+(6.4 BIND9 Statistics)
endobj
533 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (subsubsection.6.4.0.1) >>
endobj
536 0 obj
-(7.2 Chroot and Setuid)
+(6.4.0.1 The Statistics File)
endobj
537 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (subsection.6.4.1) >>
endobj
540 0 obj
-(7.2.1 The chroot Environment)
+(6.4.1 Statistics Counters)
endobj
541 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (subsubsection.6.4.1.1) >>
endobj
544 0 obj
-(7.2.2 Using the setuid Function)
+(6.4.1.1 Name Server Statistics Counters)
endobj
545 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (subsubsection.6.4.1.2) >>
endobj
548 0 obj
-(7.3 Dynamic Update Security)
+(6.4.1.2 Zone Maintenance Statistics Counters)
endobj
549 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsubsection.6.4.1.3) >>
endobj
552 0 obj
-(8 Troubleshooting)
+(6.4.1.3 Resolver Statistics Counters)
endobj
553 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (subsubsection.6.4.1.4) >>
endobj
556 0 obj
-(8.1 Common Problems)
+(6.4.1.4 Compatibility with BIND 8 Counters)
endobj
557 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (chapter.7) >>
endobj
560 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(7 BIND 9 Security Considerations)
endobj
561 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (section.7.1) >>
endobj
564 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(7.1 Access Control Lists)
endobj
565 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (section.7.2) >>
endobj
568 0 obj
-(8.3 Where Can I Get Help?)
+(7.2 Chroot and Setuid)
endobj
569 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (subsection.7.2.1) >>
endobj
572 0 obj
-(A Appendices)
+(7.2.1 The chroot Environment)
endobj
573 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (subsection.7.2.2) >>
endobj
576 0 obj
-(A.1 Acknowledgments)
+(7.2.2 Using the setuid Function)
endobj
577 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (section.7.3) >>
endobj
580 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(7.3 Dynamic Update Security)
endobj
581 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (chapter.8) >>
endobj
584 0 obj
-(A.2 General DNS Reference Information)
+(8 Troubleshooting)
endobj
585 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (section.8.1) >>
endobj
588 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(8.1 Common Problems)
endobj
589 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (subsection.8.1.1) >>
endobj
592 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(8.1.1 It's not working; how can I figure out what's wrong?)
endobj
593 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (section.8.2) >>
endobj
596 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(8.2 Incrementing and Changing the Serial Number)
endobj
597 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (section.8.3) >>
endobj
600 0 obj
-(A.3.2 Internet Drafts)
+(8.3 Where Can I Get Help?)
endobj
601 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (appendix.A) >>
endobj
604 0 obj
-(A.3.3 Other Documents About BIND)
+(A Appendices)
endobj
605 0 obj
-<< /S /GoTo /D (appendix.B) >>
+<< /S /GoTo /D (section.A.1) >>
endobj
608 0 obj
-(B Manual pages)
+(A.1 Acknowledgments)
endobj
609 0 obj
-<< /S /GoTo /D (section.B.1) >>
+<< /S /GoTo /D (subsection.A.1.1) >>
endobj
612 0 obj
-(B.1 dig)
+(A.1.1 A Brief History of the DNS and BIND)
endobj
613 0 obj
-<< /S /GoTo /D (section.B.2) >>
+<< /S /GoTo /D (section.A.2) >>
endobj
616 0 obj
-(B.2 host)
+(A.2 General DNS Reference Information)
endobj
617 0 obj
-<< /S /GoTo /D (section.B.3) >>
+<< /S /GoTo /D (subsection.A.2.1) >>
endobj
620 0 obj
-(B.3 dnssec-keygen)
+(A.2.1 IPv6 addresses \(AAAA\))
endobj
621 0 obj
-<< /S /GoTo /D (section.B.4) >>
+<< /S /GoTo /D (section.A.3) >>
endobj
624 0 obj
-(B.4 dnssec-signzone)
+(A.3 Bibliography \(and Suggested Reading\))
endobj
625 0 obj
-<< /S /GoTo /D (section.B.5) >>
+<< /S /GoTo /D (subsection.A.3.1) >>
endobj
628 0 obj
-(B.5 named-checkconf)
+(A.3.1 Request for Comments \(RFCs\))
endobj
629 0 obj
-<< /S /GoTo /D (section.B.6) >>
+<< /S /GoTo /D (subsection.A.3.2) >>
endobj
632 0 obj
-(B.6 named-checkzone)
+(A.3.2 Internet Drafts)
endobj
633 0 obj
-<< /S /GoTo /D (section.B.7) >>
+<< /S /GoTo /D (subsection.A.3.3) >>
endobj
636 0 obj
-(B.7 named)
+(A.3.3 Other Documents About BIND)
endobj
637 0 obj
-<< /S /GoTo /D (section.B.8) >>
+<< /S /GoTo /D (appendix.B) >>
endobj
640 0 obj
-(B.8 rndc)
+(B Manual pages)
endobj
641 0 obj
-<< /S /GoTo /D (section.B.9) >>
+<< /S /GoTo /D (section.B.1) >>
endobj
644 0 obj
-(B.9 rndc.conf)
+(B.1 dig)
endobj
645 0 obj
-<< /S /GoTo /D (section.B.10) >>
+<< /S /GoTo /D (section.B.2) >>
endobj
648 0 obj
-(B.10 rndc-confgen)
+(B.2 host)
endobj
649 0 obj
-<< /S /GoTo /D [650 0 R /FitH ] >>
+<< /S /GoTo /D (section.B.3) >>
+endobj
+652 0 obj
+(B.3 dnssec-dsfromkey)
+endobj
+653 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+656 0 obj
+(B.4 dnssec-keyfromlabel)
+endobj
+657 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+660 0 obj
+(B.5 dnssec-keygen)
+endobj
+661 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+664 0 obj
+(B.6 dnssec-signzone)
+endobj
+665 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+668 0 obj
+(B.7 named-checkconf)
+endobj
+669 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+672 0 obj
+(B.8 named-checkzone)
+endobj
+673 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+676 0 obj
+(B.9 named)
endobj
-653 0 obj <<
+677 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+680 0 obj
+(B.10 nsupdate)
+endobj
+681 0 obj
+<< /S /GoTo /D (section.B.11) >>
+endobj
+684 0 obj
+(B.11 rndc)
+endobj
+685 0 obj
+<< /S /GoTo /D (section.B.12) >>
+endobj
+688 0 obj
+(B.12 rndc.conf)
+endobj
+689 0 obj
+<< /S /GoTo /D (section.B.13) >>
+endobj
+692 0 obj
+(B.13 rndc-confgen)
+endobj
+693 0 obj
+<< /S /GoTo /D [694 0 R /FitH ] >>
+endobj
+697 0 obj <<
/Length 236
/Filter /FlateDecode
>>
stream
xڍJA 9M'd2sTBeoaiRpt*Ar /A}Փºsv B)P+!lQbJwN1P)&>ͮ-AbEMpd[L+V?ct~r~[~N a(˘9M<
endobj
-650 0 obj <<
+694 0 obj <<
/Type /Page
-/Contents 653 0 R
-/Resources 652 0 R
+/Contents 697 0 R
+/Resources 696 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+/Parent 703 0 R
>> endobj
-651 0 obj <<
+695 0 obj <<
/Type /XObject
/Subtype /Form
/FormType 1
/PTEX.FileName (./isc-logo.pdf)
/PTEX.PageNumber 1
-/PTEX.InfoDict 660 0 R
+/PTEX.InfoDict 704 0 R
/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
/BBox [0.00000000 0.00000000 255.00000000 149.00000000]
/Resources <<
/ProcSet [ /PDF /Text ]
/ColorSpace <<
-/R15 661 0 R
-/R9 662 0 R
-/R11 663 0 R
-/R13 664 0 R
+/R15 705 0 R
+/R9 706 0 R
+/R11 707 0 R
+/R13 708 0 R
>>/ExtGState <<
-/R17 665 0 R
-/R8 666 0 R
->>/Font << /R19 667 0 R >>
+/R17 709 0 R
+/R8 710 0 R
+>>/Font << /R19 711 0 R >>
>>
-/Length 668 0 R
+/Length 712 0 R
/Filter /FlateDecode
>>
stream
@@ -1019,7 +1085,7 @@ xu;d9+eR lG`Xkz#10gw~6[53}+}tI%Ts*{?'?
FIca0) A+ |-Tua>s:~KV׋OAI ɪr2Qب>.z
eNdd"gK2cɗGoO8GϦ:B ht[
endobj
-660 0 obj
+704 0 obj
<<
/Producer (AFPL Ghostscript 8.51)
/CreationDate (D:20050606145621)
@@ -1029,46 +1095,46 @@ endobj
/Author (Douglas E. Appelt)
>>
endobj
-661 0 obj
-[/Separation/PANTONE#201805#20C/DeviceCMYK 669 0 R]
+705 0 obj
+[/Separation/PANTONE#201805#20C/DeviceCMYK 713 0 R]
endobj
-662 0 obj
-[/Separation/PANTONE#207506#20C/DeviceCMYK 670 0 R]
+706 0 obj
+[/Separation/PANTONE#207506#20C/DeviceCMYK 714 0 R]
endobj
-663 0 obj
-[/Separation/PANTONE#20301#20C/DeviceCMYK 671 0 R]
+707 0 obj
+[/Separation/PANTONE#20301#20C/DeviceCMYK 715 0 R]
endobj
-664 0 obj
-[/Separation/PANTONE#20871#20C/DeviceCMYK 672 0 R]
+708 0 obj
+[/Separation/PANTONE#20871#20C/DeviceCMYK 716 0 R]
endobj
-665 0 obj
+709 0 obj
<<
/Type /ExtGState
/SA true
>>
endobj
-666 0 obj
+710 0 obj
<<
/Type /ExtGState
/OPM 1
>>
endobj
-667 0 obj
+711 0 obj
<<
/BaseFont /NVXWCK#2BTrajanPro-Bold
-/FontDescriptor 673 0 R
+/FontDescriptor 717 0 R
/Type /Font
/FirstChar 67
/LastChar 136
/Widths [ 800 0 0 0 0 0 452 0 0 0 0 0 0 0 0 0 582 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 841 633 576 686 590 540 923 827 407 760]
-/Encoding 674 0 R
+/Encoding 718 0 R
/Subtype /Type1
>>
endobj
-668 0 obj
+712 0 obj
2362
endobj
-669 0 obj
+713 0 obj
<<
/Filter /FlateDecode
/FunctionType 4
@@ -1079,7 +1145,7 @@ endobj
stream
xN)-P0P-QHHP
endobj
-670 0 obj
+714 0 obj
<<
/Filter /FlateDecode
/FunctionType 4
@@ -1090,7 +1156,7 @@ endobj
stream
xN)-P0P-QHHP
endobj
-671 0 obj
+715 0 obj
<<
/Filter /FlateDecode
/FunctionType 4
@@ -1101,7 +1167,7 @@ endobj
stream
xN)-P0T-QHHP
endobj
-672 0 obj
+716 0 obj
<<
/Filter /FlateDecode
/FunctionType 4
@@ -1112,7 +1178,7 @@ endobj
stream
xN)-P0365T-QHHPX# -,Z
endobj
-673 0 obj
+717 0 obj
<<
/Type /FontDescriptor
/FontName /NVXWCK#2BTrajanPro-Bold
@@ -1125,17 +1191,17 @@ endobj
/StemV 138
/MissingWidth 500
/CharSet (/Msmall/C/Ysmall/Nsmall/Osmall/Esmall/Rsmall/S/Ssmall/I/Tsmall/Ismall/Usmall)
-/FontFile3 675 0 R
+/FontFile3 719 0 R
>>
endobj
-674 0 obj
+718 0 obj
<<
/Type /Encoding
/BaseEncoding /WinAnsiEncoding
/Differences [ 127/Nsmall/Tsmall/Esmall/Rsmall/Ysmall/Ssmall/Msmall/Osmall/Ismall/Usmall]
>>
endobj
-675 0 obj
+719 0 obj
<<
/Filter /FlateDecode
/Subtype /Type1C
@@ -1158,18 +1224,18 @@ x \3gA34IT-R8-ǵ2Wu~!"(0*FÂ͢ĨSoQP0iFݸVN^_!Ԃb
ȼL<; *XG_Y1ET4-U_>آ}v d#r۟@\5lh<8s
Ov61B5*<6,bh\]##1OϤ5o]ц4}h0$,6A,?/;Rcy6UJYX^ɟ2K|oؔ/Ȩ/( 2#NMKr rf9yZ}$ ) h`iGAH+&*X$VhA10Hi w~I(2;]Lx4[O,QQFdQ%\:Ó;єEb1=$?IC3C=V'>+~8 #;_*qň+ 8p_YRd%a H\eDfR[kφG/WTA5HVoo8hn)Dnqzfh&cQbX߂L;{uن-[S-ۼyub܁hm4^˙ LQendstream
endobj
-654 0 obj <<
-/D [650 0 R /XYZ 85.0394 794.5015 null]
+698 0 obj <<
+/D [694 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-655 0 obj <<
-/D [650 0 R /XYZ 85.0394 769.5949 null]
+699 0 obj <<
+/D [694 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-652 0 obj <<
-/Font << /F21 658 0 R >>
-/XObject << /Im1 651 0 R >>
+696 0 obj <<
+/Font << /F21 702 0 R >>
+/XObject << /Im1 695 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-678 0 obj <<
+722 0 obj <<
/Length 999
/Filter /FlateDecode
>>
@@ -1181,21 +1247,21 @@ xڵV]:}WUC6|AT\GqQ;56$Ql!I'h~D3-dq5ֻ
CfI( ||
&cq$e_R֨ h6Sp9U`U=&Ds?f} ڰ7[#-IE~"A! <)%0pCiODeӅn4N|nf B @029}=8JoK AeLwNr\yfn(Kc-Q.v$粶8tnXa/S_'·{M beweAw'SO`G@!!x^攑$HZˬO% "rw4gmmsq'<sg٩73Q4Sla#8:ŲٙT]!}NE0fendstream
endobj
-677 0 obj <<
+721 0 obj <<
/Type /Page
-/Contents 678 0 R
-/Resources 676 0 R
+/Contents 722 0 R
+/Resources 720 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+/Parent 703 0 R
>> endobj
-679 0 obj <<
-/D [677 0 R /XYZ 56.6929 794.5015 null]
+723 0 obj <<
+/D [721 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-676 0 obj <<
-/Font << /F23 682 0 R /F14 685 0 R >>
+720 0 obj <<
+/Font << /F23 726 0 R /F14 729 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-688 0 obj <<
+732 0 obj <<
/Length 2891
/Filter /FlateDecode
>>
@@ -1213,1498 +1279,1594 @@ W*ox]Δܫ!$j2Ȑ
2Pj&X*oLBE]*w=Bp2Lf Ra)"qPއLpҗda.;ޯ3h6wmHd8!# Lsu4G]^97Vb_mS$H13lHp%?ApF{H-S\
/uS탙0ߙ搕ɚ#CJsuJHAsiX
M:hnokh#lklMfR,`5("qP,b~]=מ,z%hg
-Gm2RBb7
-RDaYxN,);]3"ՏgkuamS)CvdXgHbk ,IDә74} J#HzE zЯ-t)oOT3)$xPe'A+R#M.g3/JsAendstream
+Gm2RE7XD\@p,tD'/ս@_'Hd!EB*Ҍ@aadz:uնHA!;23X$15$LCK[drgľڀL% a "APr=|?SRxRWywqqv:7'*SVZ<`w2ci Ε[~&3Sp%?Bendstream
endobj
-687 0 obj <<
+731 0 obj <<
/Type /Page
-/Contents 688 0 R
-/Resources 686 0 R
+/Contents 732 0 R
+/Resources 730 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 691 0 R 692 0 R 693 0 R 694 0 R 695 0 R 696 0 R 697 0 R 698 0 R 699 0 R 700 0 R 701 0 R 702 0 R 703 0 R 704 0 R 705 0 R 706 0 R 707 0 R 708 0 R 709 0 R 710 0 R 711 0 R 712 0 R 713 0 R 714 0 R 715 0 R 716 0 R 717 0 R 718 0 R 719 0 R 720 0 R 721 0 R 722 0 R 723 0 R 724 0 R 725 0 R 726 0 R 727 0 R 728 0 R 729 0 R 730 0 R 731 0 R 732 0 R 733 0 R 734 0 R 735 0 R 736 0 R 737 0 R 738 0 R 739 0 R 740 0 R ]
+/Parent 703 0 R
+/Annots [ 735 0 R 736 0 R 737 0 R 738 0 R 739 0 R 740 0 R 741 0 R 742 0 R 743 0 R 744 0 R 745 0 R 746 0 R 747 0 R 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R ]
>> endobj
-691 0 obj <<
+735 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 688.709 539.579 697.2967]
/Subtype /Link
/A << /S /GoTo /D (chapter.1) >>
>> endobj
-692 0 obj <<
+736 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 676.5858 539.579 685.4425]
/Subtype /Link
/A << /S /GoTo /D (section.1.1) >>
>> endobj
-693 0 obj <<
+737 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 664.4876 539.579 673.3442]
/Subtype /Link
/A << /S /GoTo /D (section.1.2) >>
>> endobj
-694 0 obj <<
+738 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 652.3894 539.579 661.246]
/Subtype /Link
/A << /S /GoTo /D (section.1.3) >>
>> endobj
-695 0 obj <<
+739 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 640.1914 539.579 649.1477]
/Subtype /Link
/A << /S /GoTo /D (section.1.4) >>
>> endobj
-696 0 obj <<
+740 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 628.0932 539.579 637.0495]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.1) >>
>> endobj
-697 0 obj <<
+741 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 615.995 539.579 624.9512]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.2) >>
>> endobj
-698 0 obj <<
+742 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 603.8967 539.579 612.853]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.3) >>
>> endobj
-699 0 obj <<
+743 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 591.7985 539.579 600.7547]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.4) >>
>> endobj
-700 0 obj <<
+744 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 579.7002 539.579 588.6565]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.1) >>
>> endobj
-701 0 obj <<
+745 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 567.6019 539.579 576.5582]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.2) >>
>> endobj
-702 0 obj <<
+746 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [532.6051 555.5037 539.579 564.46]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.4.3) >>
>> endobj
-703 0 obj <<
+747 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 543.4055 539.579 552.5112]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.5) >>
>> endobj
-704 0 obj <<
+748 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 531.3072 539.579 540.413]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.1.4.5.1) >>
>> endobj
-705 0 obj <<
+749 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 519.209 539.579 528.3147]
/Subtype /Link
/A << /S /GoTo /D (subsection.1.4.6) >>
>> endobj
-706 0 obj <<
+750 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 496.7003 539.579 505.4125]
/Subtype /Link
/A << /S /GoTo /D (chapter.2) >>
>> endobj
-707 0 obj <<
+751 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 484.5772 539.579 493.5832]
/Subtype /Link
/A << /S /GoTo /D (section.2.1) >>
>> endobj
-708 0 obj <<
+752 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 472.4789 539.579 481.485]
/Subtype /Link
/A << /S /GoTo /D (section.2.2) >>
>> endobj
-709 0 obj <<
+753 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 460.3806 539.579 469.3867]
/Subtype /Link
/A << /S /GoTo /D (section.2.3) >>
>> endobj
-710 0 obj <<
+754 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 448.2824 539.579 457.2885]
/Subtype /Link
/A << /S /GoTo /D (section.2.4) >>
>> endobj
-711 0 obj <<
+755 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 436.1841 539.579 445.1902]
/Subtype /Link
/A << /S /GoTo /D (section.2.5) >>
>> endobj
-712 0 obj <<
+756 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 413.4314 539.579 422.288]
/Subtype /Link
/A << /S /GoTo /D (chapter.3) >>
>> endobj
-713 0 obj <<
+757 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 401.353 539.579 410.4588]
/Subtype /Link
/A << /S /GoTo /D (section.3.1) >>
>> endobj
-714 0 obj <<
+758 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 389.2548 539.579 398.3605]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.1.1) >>
>> endobj
-715 0 obj <<
+759 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 377.1565 539.579 386.2623]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.1.2) >>
>> endobj
-716 0 obj <<
+760 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 365.1579 539.579 374.164]
/Subtype /Link
/A << /S /GoTo /D (section.3.2) >>
>> endobj
-717 0 obj <<
+761 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 353.0597 539.579 362.0658]
/Subtype /Link
/A << /S /GoTo /D (section.3.3) >>
>> endobj
-718 0 obj <<
+762 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 340.9614 539.579 349.9675]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.3.1) >>
>> endobj
-719 0 obj <<
+763 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 328.7635 539.579 337.8693]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.3.3.1.1) >>
>> endobj
-720 0 obj <<
+764 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 316.6653 539.579 325.771]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.3.3.1.2) >>
>> endobj
-721 0 obj <<
+765 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 304.567 539.579 313.6728]
/Subtype /Link
/A << /S /GoTo /D (subsection.3.3.2) >>
>> endobj
-722 0 obj <<
+766 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 281.9139 539.579 290.7706]
/Subtype /Link
/A << /S /GoTo /D (chapter.4) >>
>> endobj
-723 0 obj <<
+767 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 269.8356 539.579 278.9413]
/Subtype /Link
/A << /S /GoTo /D (section.4.1) >>
>> endobj
-724 0 obj <<
+768 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 257.7373 539.579 266.8431]
/Subtype /Link
/A << /S /GoTo /D (section.4.2) >>
>> endobj
-725 0 obj <<
+769 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 245.6391 539.579 254.7448]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.2.1) >>
>> endobj
-726 0 obj <<
+770 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 233.5408 539.579 242.4971]
/Subtype /Link
/A << /S /GoTo /D (section.4.3) >>
>> endobj
-727 0 obj <<
+771 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 221.4426 539.579 230.3988]
/Subtype /Link
/A << /S /GoTo /D (section.4.4) >>
>> endobj
-728 0 obj <<
+772 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 209.3443 539.579 218.3006]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.4.1) >>
>> endobj
-729 0 obj <<
+773 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 197.2461 539.579 206.2023]
/Subtype /Link
/A << /S /GoTo /D (section.4.5) >>
>> endobj
-730 0 obj <<
+774 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 185.1478 539.579 194.1041]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.1) >>
>> endobj
-731 0 obj <<
+775 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 173.0496 539.579 182.0058]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.4.5.1.1) >>
>> endobj
-732 0 obj <<
+776 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 161.051 539.579 170.0571]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.4.5.1.2) >>
>> endobj
-733 0 obj <<
+777 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 148.9527 539.579 157.9588]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.2) >>
>> endobj
-734 0 obj <<
+778 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 136.8545 539.579 145.8606]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.3) >>
>> endobj
-735 0 obj <<
+779 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 124.7562 539.579 133.7623]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.4) >>
>> endobj
-736 0 obj <<
+780 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 112.658 539.579 121.6641]
+/Rect [527.6238 112.5583 539.579 121.5146]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.5) >>
>> endobj
-737 0 obj <<
+781 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 100.4601 539.579 109.4163]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.5.6) >>
>> endobj
-738 0 obj <<
+782 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 88.3618 539.579 97.3181]
/Subtype /Link
/A << /S /GoTo /D (section.4.6) >>
>> endobj
-739 0 obj <<
+783 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 76.2636 539.579 85.2199]
/Subtype /Link
/A << /S /GoTo /D (section.4.7) >>
>> endobj
-740 0 obj <<
+784 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 64.1653 539.579 73.1216]
/Subtype /Link
/A << /S /GoTo /D (section.4.8) >>
>> endobj
-689 0 obj <<
-/D [687 0 R /XYZ 85.0394 794.5015 null]
+733 0 obj <<
+/D [731 0 R /XYZ 85.0394 794.5015 null]
>> endobj
-690 0 obj <<
-/D [687 0 R /XYZ 85.0394 711.9273 null]
+734 0 obj <<
+/D [731 0 R /XYZ 85.0394 711.9273 null]
>> endobj
-686 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R >>
+730 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-743 0 obj <<
-/Length 3152
+787 0 obj <<
+/Length 3167
/Filter /FlateDecode
>>
stream
-x[w6)h?1מvw4q_VfJWf?" -pdR{Z;13O lBl4юq(d<kX44G=<ka&8D*Eڝj-\^|Wo.?\r٫xVQў_g?B'W>(ΪgJs|<J%8pc<!40J<p~MrD v1eUŔ+zbj5?'Sx|_sJM}֍){ڬ'7Zn
+x[w6)h?1מvw4q_VfJW~EZحR{Z;13O lBl4юq(d<kX44G=<ka&8D*Eڝj-\^|Wo.?\r٫xVQў_g?B'W>(ΪgJs|<J%8pc<!40J<p~MrD v1eUŔ+zbj5?'Sx|_sJM}֍){ڬ'7Zn
?{qsq`+MUeGOĠĄ 1bj180bPEbDŐfOJ:r^^1cEebF!ԉqF2q` C& !qy'Yo?W߿y} gw*
0HbadHs%Sݏ{CmYr>z53N~`- ZaL1KWuoy=sWzY~9~eO0>YP2L/0iUeQ{}
EyӢ ?wP ,Fb@G%
-qM`r<4I`"/mT8uZZ(1@CT(8Pp ˉPx˺CyB*u:-*{R1c
-
-$F =`(tR &_rS__!i7漘'`5xāz< KM}8>N*dA3A``1sbXBDf\_;2!ϩC9JnØbt!'F=ä?H{Lt?;䲘`q8āqzW$S
+qM`r<4I`"/mp괴zPb*KA(Prq (mu[VTU{vu[Ub!
+0PradPABY3 S]_A ,b@0P2q`(ReSsA9Օ}B
+ut$%ښ;HjB xI:
+O.{_I *U:}}MoG|3%`[rq`(JZ{z8(aAP:<ӑ='`!eÐā!z(Ie<!sJղlcJW
+9.b@ 1~2q`?*Jȇ>{Ue1'jq8vW/U57ԛvR;Mq1?ja8A}.XG]B.9'P+9q" =T$H:<oE]*jSLW1 !sq`0# 8~]u\uOXv.)?V0d#f h1PG\ĆGOkxy[-m5ķw$bA
+ Lv*7lo~nkNjf})qX
+o1ŁzOxHE ;<~ۇ 9QVL0Ĩ`Td@'* FQ=u|M*a',b⊱
+ !e? u+"͝Ew</ W櫏iVZ1QY(b<&4fHy19_-o_;ګ !I
+ igXd) s=М s+=Ho7f.\'I##I,e!l $ au^MeP
endobj
-742 0 obj <<
+786 0 obj <<
/Type /Page
-/Contents 743 0 R
-/Resources 741 0 R
+/Contents 787 0 R
+/Resources 785 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R ]
+/Parent 703 0 R
+/Annots [ 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R ]
>> endobj
-748 0 obj <<
+792 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 758.4766 511.2325 767.4329]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.1) >>
>> endobj
-749 0 obj <<
+793 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 746.445 511.2325 755.4012]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.2) >>
>> endobj
-750 0 obj <<
+794 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 734.5129 511.2325 743.3696]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.8.3) >>
>> endobj
-751 0 obj <<
+795 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 722.3816 511.2325 731.3379]
/Subtype /Link
/A << /S /GoTo /D (section.4.9) >>
>> endobj
-752 0 obj <<
+796 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 710.3499 511.2325 719.3062]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.9.1) >>
>> endobj
-753 0 obj <<
+797 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 698.3182 511.2325 707.2745]
/Subtype /Link
/A << /S /GoTo /D (subsection.4.9.2) >>
>> endobj
-754 0 obj <<
+798 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 675.998 511.2325 684.7301]
/Subtype /Link
/A << /S /GoTo /D (chapter.5) >>
>> endobj
-755 0 obj <<
+799 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 663.9862 511.2325 672.9425]
/Subtype /Link
/A << /S /GoTo /D (section.5.1) >>
>> endobj
-756 0 obj <<
+800 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 651.9545 511.2325 660.9108]
/Subtype /Link
/A << /S /GoTo /D (section.5.2) >>
>> endobj
-757 0 obj <<
+801 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 629.6343 511.2325 638.4909]
/Subtype /Link
/A << /S /GoTo /D (chapter.6) >>
>> endobj
-758 0 obj <<
+802 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 617.6225 511.2325 626.7282]
/Subtype /Link
/A << /S /GoTo /D (section.6.1) >>
>> endobj
-759 0 obj <<
+803 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 605.5908 511.2325 614.5471]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.1.1) >>
>> endobj
-760 0 obj <<
+804 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 593.5591 511.2325 602.5154]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.1.1) >>
>> endobj
-761 0 obj <<
+805 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 581.5275 511.2325 590.4837]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.1.2) >>
>> endobj
-762 0 obj <<
+806 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 569.4958 511.2325 578.4521]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.1.2) >>
>> endobj
-763 0 obj <<
+807 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 557.4641 511.2325 566.4204]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.2.1) >>
>> endobj
-764 0 obj <<
+808 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 545.4324 511.2325 554.3887]
+/Rect [499.2773 545.4324 511.2325 554.5382]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.1.2.2) >>
>> endobj
-765 0 obj <<
+809 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 533.4007 511.2325 542.5065]
/Subtype /Link
/A << /S /GoTo /D (section.6.2) >>
>> endobj
-766 0 obj <<
+810 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 521.3691 511.2325 530.3254]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.1) >>
>> endobj
-767 0 obj <<
+811 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 509.3374 511.2325 518.2937]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.2) >>
>> endobj
-768 0 obj <<
+812 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 497.3057 511.2325 506.262]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.3) >>
>> endobj
-769 0 obj <<
+813 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 485.274 511.2325 494.2303]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.4) >>
>> endobj
-770 0 obj <<
+814 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 473.2424 511.2325 482.1986]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.5) >>
>> endobj
-771 0 obj <<
+815 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 461.2107 511.2325 470.167]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.6) >>
>> endobj
-772 0 obj <<
+816 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 449.179 511.2325 458.1353]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.7) >>
>> endobj
-773 0 obj <<
+817 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 437.1473 511.2325 446.1036]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.8) >>
>> endobj
-774 0 obj <<
+818 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 425.1157 511.2325 434.0719]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.9) >>
>> endobj
-775 0 obj <<
+819 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 413.084 511.2325 422.0403]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.10) >>
>> endobj
-776 0 obj <<
+820 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 401.0523 511.2325 410.0086]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.10.1) >>
>> endobj
-777 0 obj <<
+821 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 389.0206 511.2325 398.1264]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.10.2) >>
>> endobj
-778 0 obj <<
+822 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 377.0886 511.2325 386.0947]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.11) >>
>> endobj
-779 0 obj <<
+823 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 365.0569 511.2325 374.063]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.12) >>
>> endobj
-780 0 obj <<
+824 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 353.0252 511.2325 362.0313]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.13) >>
>> endobj
-781 0 obj <<
+825 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 340.9936 511.2325 349.9997]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.14) >>
>> endobj
-782 0 obj <<
+826 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 328.9619 511.2325 337.968]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.15) >>
>> endobj
-783 0 obj <<
+827 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 316.9302 511.2325 325.9363]
+/Rect [499.2773 316.8305 511.2325 325.9363]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.16) >>
>> endobj
-784 0 obj <<
+828 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 304.7989 511.2325 313.9046]
+/Rect [499.2773 304.8985 511.2325 313.9046]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.1) >>
>> endobj
-785 0 obj <<
+829 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 292.7672 511.2325 301.873]
+/Rect [499.2773 292.7672 511.2325 301.7235]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.2) >>
>> endobj
-786 0 obj <<
+830 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 280.7355 511.2325 289.8413]
+/Rect [499.2773 280.7355 511.2325 289.6918]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.3) >>
>> endobj
-787 0 obj <<
+831 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 268.7038 511.2325 277.8096]
+/Rect [499.2773 268.7038 511.2325 277.6601]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.4) >>
>> endobj
-788 0 obj <<
+832 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 256.6722 511.2325 265.6285]
+/Rect [499.2773 256.6722 511.2325 265.7779]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.5) >>
>> endobj
-789 0 obj <<
+833 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 244.6405 511.2325 253.5968]
+/Rect [499.2773 244.6405 511.2325 253.7462]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.6) >>
>> endobj
-790 0 obj <<
+834 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 232.6088 511.2325 241.7146]
+/Rect [499.2773 232.6088 511.2325 241.5651]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.7) >>
>> endobj
-791 0 obj <<
+835 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 220.5771 511.2325 229.5334]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.8) >>
>> endobj
-792 0 obj <<
+836 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 208.5455 511.2325 217.5017]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.9) >>
>> endobj
-793 0 obj <<
+837 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 196.5138 511.2325 205.4701]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.10) >>
>> endobj
-794 0 obj <<
+838 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 184.4821 511.2325 193.4384]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.11) >>
>> endobj
-795 0 obj <<
+839 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 172.4504 511.2325 181.4067]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.12) >>
>> endobj
-796 0 obj <<
+840 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 160.4187 511.2325 169.375]
+/Rect [499.2773 160.4187 511.2325 169.5245]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.13) >>
>> endobj
-797 0 obj <<
+841 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 148.3871 511.2325 157.3433]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.14) >>
>> endobj
-798 0 obj <<
+842 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 136.3554 511.2325 145.4611]
+/Rect [499.2773 136.3554 511.2325 145.3117]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.15) >>
>> endobj
-799 0 obj <<
+843 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 124.3237 511.2325 133.28]
+/Rect [499.2773 124.3237 511.2325 133.4295]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.16) >>
>> endobj
-800 0 obj <<
+844 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 112.292 511.2325 121.2483]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.17) >>
>> endobj
-801 0 obj <<
+845 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 100.2604 511.2325 109.3661]
+/Rect [499.2773 100.2604 511.2325 109.2166]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.2.16.18) >>
>> endobj
-802 0 obj <<
+846 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 88.2287 511.2325 97.185]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
+/A << /S /GoTo /D (subsection.6.2.17) >>
>> endobj
-803 0 obj <<
+847 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 76.197 511.2325 85.1533]
/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.17) >>
+/A << /S /GoTo /D (subsection.6.2.18) >>
>> endobj
-804 0 obj <<
+848 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [499.2773 64.1653 511.2325 73.1216]
/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.18) >>
+/A << /S /GoTo /D (subsection.6.2.19) >>
>> endobj
-744 0 obj <<
-/D [742 0 R /XYZ 56.6929 794.5015 null]
+788 0 obj <<
+/D [786 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-741 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R >>
+785 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-807 0 obj <<
-/Length 3350
-/Filter /FlateDecode
->>
-stream
-xKs7<jxÖ^vrd$W6Ɂ&PÎ/`"%8~J4̐"TXVE &;7r{1}xߟ ݳ]2z_w^]]^~e<)T̨ίia}p?P¬ɎT()Dο _W!p$\O8'jgoG)wgp1T:ar(ʏs0<2rS/E9)>Wt?g{F]x~ܭ+nH)k}٨׼91 rPp3f_LoHفjoZH _7Jy5^U~5l޼GeV<LN: .b$aD(9- N@ޏ 0tH;Rϙ_ Spw6L@i-L ;0P-L\]2-?v: n͆bЬ &a 9+ZhĝoZih dcN=wܝ `Z )a=TXK*d "0ݝbg؊nͅ
-"ЬMNhRv ڙDkm{R&
-A(2 ^NA
-nφ
-bPbP%BIbKqZĶժx⋃f1``0`v`lhOuAU㻠=l|s]ίU.3ܷفHnY*;<MG7z+?E{d]jiI=M 嶵ɾs/( \Ok1D4StQXB }|\MgwgCfK}ڨ stpՏѿ\*g'X|;apT{J׫^zU 4XݸGWjVx6Sgɛzڙ
-l Zv` #Rf&\;%ګuWh܎B)x;% MJړ~Berwnnj8Q%J0h^|5y91FA=j0xWM?\QR=n+'87#/n^#:5<L{8~b::gFf]DPX B\{H"h"`$eUB|^#u9ޮWe}ZOw`
-.fJ6q8\ ǣG4_c<r;(\wkF KفkFخuG 0 }irP0EgHLᆪjS[5<R-S &lZ9 %LFe7IV` a#GJyHZ=֡$ U!E0vם)C0P$ ?)rn0g1` ^N A6soEOEj>l F!cIqN(Ӏ [-BbM1f )`#aZ噆Y582m:n! ٸA 7pƺoiLᆪYC 74UxX
+851 0 obj <<
+/Length 3445
+/Filter /FlateDecode
+>>
+stream
+x[SGzH}>la){1lmYH"@~{4G@oW
+9:ߜΈzV*'L-;b1]xԫӭ\N?sYBeOO?zi<)t̨Ͽa]_(axK*A"b? +Qe|.'a댏N9(piA .J>l^ͮY{<qk>.j\M;\JdM'_ayٵn]Et܊[9e)z͋Xۅm݈#x(Eyb/<CqA͛Y<<>cFLi11#fM3ML&{"F("oJu+JJHa1 dM"L DX V@Fu .2Rx0Y_SHw1LiMNLLcDP `۫v MHk14fM6L4vηJR23C3 kr幅RBҰN2A F&EPt{1=Mj1, c% fD7*` ~z(BP!qXy_/ϐ|{("!`
+LWo c~:ڑb6S|^
+,{!a8
+!BwR
+xeFwyza1!#j# T$D|mO߮8/r~B?PA= &#[~&W,
+//#L}s+^"1Ō
+ᒉpa8rtǃ5E]pJHe1(J@8 (ͭkbϴu^B@PB L@yN<
+OI.bJAkR\eH@0-{jONKj_91x
+';LafL 01IaΈԁ8&PG^I2nٗ>?rSv߭pšڸõj5B9Xm` 󍩝SfjV+it1Z|m$-Λ)
+w7uϖF)<0!
+"Ԛ;80Pa纞$⁡_<Z0OJ/{y1m͏&g]dm.m3ݐb&7H8fؘX/"ZZMTuW>v Z/,.S=,{6IG3L$
+1Y(@C51rq (CaV] 7EM5f_E>>-uܨq41"y9 106{?=É{ ~]#>\S³Y~=E{7汘`Qu(āQzCS"
+|}Mf󯉋F|\UCYȮAFpLG\1*a#{k<˩.'oK/}#o:VqY ޟ7@XG3`%āzO@M| ޶&Ik /A&e̴v0ת1ڽ̒ u0G<ꥆ<`:Xڱ)6#ŞzR\
+@06{eDiY[?}Bi`y&'O)r6粎HTVᶇ'U6m\-A!#,;pf TiyS慳?VR̒BQ6B(q+ࡒMj;nf_*?MAߠMs): AHEF~3 tQrGψSͽ/7t\])&S٫yL4׈B6ӮA{endstream
endobj
-806 0 obj <<
+850 0 obj <<
/Type /Page
-/Contents 807 0 R
-/Resources 805 0 R
+/Contents 851 0 R
+/Resources 849 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R 849 0 R 850 0 R 851 0 R 852 0 R 853 0 R 854 0 R 855 0 R 856 0 R 857 0 R 858 0 R 859 0 R 860 0 R 864 0 R 865 0 R ]
+/Parent 703 0 R
+/Annots [ 853 0 R 854 0 R 855 0 R 856 0 R 857 0 R 858 0 R 859 0 R 860 0 R 861 0 R 862 0 R 863 0 R 864 0 R 865 0 R 866 0 R 867 0 R 868 0 R 869 0 R 870 0 R 871 0 R 872 0 R 873 0 R 874 0 R 875 0 R 876 0 R 877 0 R 878 0 R 879 0 R 880 0 R 881 0 R 882 0 R 886 0 R 887 0 R 888 0 R 889 0 R 890 0 R 891 0 R 892 0 R 893 0 R 894 0 R 895 0 R 896 0 R 897 0 R 898 0 R 899 0 R 900 0 R 901 0 R 902 0 R 903 0 R 904 0 R 905 0 R 906 0 R 907 0 R 908 0 R 909 0 R 910 0 R ]
>> endobj
-809 0 obj <<
+853 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [527.6238 758.4766 539.579 767.4329]
/Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.19) >>
->> endobj
-810 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.5215 539.579 755.4777]
-/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.20) >>
>> endobj
-811 0 obj <<
+854 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 734.5663 539.579 743.5226]
+/Rect [527.6238 746.3946 539.579 755.3509]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.21) >>
>> endobj
-812 0 obj <<
+855 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 722.6111 539.579 731.5674]
+/Rect [527.6238 734.3125 539.579 743.2688]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.22) >>
>> endobj
-813 0 obj <<
+856 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 710.656 539.579 719.6122]
+/Rect [527.6238 722.2305 539.579 731.1868]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.23) >>
>> endobj
-814 0 obj <<
+857 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 698.8005 539.579 707.8065]
+/Rect [527.6238 710.1484 539.579 719.1047]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.2.24) >>
>> endobj
-815 0 obj <<
+858 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 686.8453 539.579 695.8514]
+/Rect [527.6238 698.1661 539.579 707.1721]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.1) >>
+/A << /S /GoTo /D (subsection.6.2.25) >>
>> endobj
-816 0 obj <<
+859 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.8901 539.579 683.7467]
+/Rect [527.6238 685.9843 539.579 694.9406]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.2) >>
+/A << /S /GoTo /D (subsection.6.2.26) >>
>> endobj
-817 0 obj <<
+860 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 662.8353 539.579 671.7916]
+/Rect [527.6238 673.9023 539.579 682.8586]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.3) >>
+/A << /S /GoTo /D (subsubsection.6.2.26.1) >>
>> endobj
-818 0 obj <<
+861 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 650.8801 539.579 659.8364]
+/Rect [527.6238 661.9199 539.579 670.926]
/Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.4) >>
+/A << /S /GoTo /D (subsubsection.6.2.26.2) >>
>> endobj
-819 0 obj <<
+862 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 649.7382 539.579 658.6945]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.26.3) >>
+>> endobj
+863 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 637.7558 539.579 646.6124]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.26.4) >>
+>> endobj
+864 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 638.925 539.579 647.8812]
+/Rect [527.6238 625.5741 539.579 634.5304]
/Subtype /Link
/A << /S /GoTo /D (section.6.3) >>
>> endobj
-820 0 obj <<
+865 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 626.9698 539.579 635.9261]
+/Rect [527.6238 613.4921 539.579 622.4483]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.1) >>
>> endobj
-821 0 obj <<
+866 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 615.0146 539.579 623.9709]
+/Rect [527.6238 601.41 539.579 610.3663]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.1) >>
>> endobj
-822 0 obj <<
+867 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 603.0594 539.579 612.0157]
+/Rect [527.6238 589.328 539.579 598.2842]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.1.2) >>
>> endobj
-823 0 obj <<
+868 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 591.1043 539.579 600.0606]
+/Rect [527.6238 577.2459 539.579 586.2022]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.2) >>
>> endobj
-824 0 obj <<
+869 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 579.1491 539.579 588.1054]
+/Rect [527.6238 565.1639 539.579 574.1201]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.3) >>
>> endobj
-825 0 obj <<
+870 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 567.1939 539.579 576.1502]
+/Rect [527.6238 553.0818 539.579 562.0381]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.4) >>
>> endobj
-826 0 obj <<
+871 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 555.2388 539.579 564.3445]
+/Rect [527.6238 540.9998 539.579 550.1055]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.5) >>
>> endobj
-827 0 obj <<
+872 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 543.2836 539.579 552.3894]
+/Rect [527.6238 528.9177 539.579 538.0235]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.1) >>
>> endobj
-828 0 obj <<
+873 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 531.3284 539.579 540.4342]
+/Rect [527.6238 516.8357 539.579 525.9414]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.2) >>
>> endobj
-829 0 obj <<
+874 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 519.3733 539.579 528.479]
+/Rect [527.6238 504.7536 539.579 513.8594]
/Subtype /Link
/A << /S /GoTo /D (subsubsection.6.3.5.3) >>
>> endobj
-830 0 obj <<
+875 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 507.4181 539.579 516.5239]
+/Rect [527.6238 492.6716 539.579 501.6279]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.6) >>
>> endobj
-831 0 obj <<
+876 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 495.4629 539.579 504.4192]
+/Rect [527.6238 480.5895 539.579 489.5458]
/Subtype /Link
/A << /S /GoTo /D (subsection.6.3.7) >>
>> endobj
-832 0 obj <<
+877 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 468.5075 539.579 477.4638]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.4) >>
+>> endobj
+878 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 456.4254 539.579 465.3817]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
+>> endobj
+879 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 444.3434 539.579 453.2997]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.4.1) >>
+>> endobj
+880 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 432.2613 539.579 441.2176]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
+>> endobj
+881 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 420.1793 539.579 429.1356]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
+>> endobj
+882 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 408.0972 539.579 417.0535]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
+>> endobj
+886 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 473.5253 539.579 482.2574]
+/Rect [527.6238 396.0152 539.579 404.9715]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
+>> endobj
+887 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 373.4431 539.579 382.2997]
/Subtype /Link
/A << /S /GoTo /D (chapter.7) >>
>> endobj
-833 0 obj <<
+888 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 461.59 539.579 470.5462]
+/Rect [527.6238 361.3809 539.579 370.4867]
/Subtype /Link
/A << /S /GoTo /D (section.7.1) >>
>> endobj
-834 0 obj <<
+889 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 449.6348 539.579 458.5911]
+/Rect [527.6238 349.2989 539.579 358.2551]
/Subtype /Link
/A << /S /GoTo /D (section.7.2) >>
>> endobj
-835 0 obj <<
+890 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 437.6796 539.579 446.6359]
+/Rect [527.6238 337.2168 539.579 346.1731]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.1) >>
>> endobj
-836 0 obj <<
+891 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 425.7245 539.579 434.6807]
+/Rect [527.6238 325.1348 539.579 334.091]
/Subtype /Link
/A << /S /GoTo /D (subsection.7.2.2) >>
>> endobj
-837 0 obj <<
+892 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 413.7693 539.579 422.7256]
+/Rect [527.6238 313.0527 539.579 322.009]
/Subtype /Link
/A << /S /GoTo /D (section.7.3) >>
>> endobj
-838 0 obj <<
+893 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 391.8316 539.579 400.5637]
+/Rect [527.6238 290.4806 539.579 299.2128]
/Subtype /Link
/A << /S /GoTo /D (chapter.8) >>
>> endobj
-839 0 obj <<
+894 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 379.8963 539.579 388.8526]
+/Rect [527.6238 278.4184 539.579 287.3747]
/Subtype /Link
/A << /S /GoTo /D (section.8.1) >>
>> endobj
-840 0 obj <<
+895 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 367.9411 539.579 376.8974]
+/Rect [527.6238 266.3364 539.579 275.2927]
/Subtype /Link
/A << /S /GoTo /D (subsection.8.1.1) >>
>> endobj
-841 0 obj <<
+896 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 355.986 539.579 364.9423]
+/Rect [527.6238 254.2544 539.579 263.2106]
/Subtype /Link
/A << /S /GoTo /D (section.8.2) >>
>> endobj
-842 0 obj <<
+897 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 344.0308 539.579 352.9871]
+/Rect [527.6238 242.1723 539.579 251.1286]
/Subtype /Link
/A << /S /GoTo /D (section.8.3) >>
>> endobj
-843 0 obj <<
+898 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 322.0931 539.579 330.9498]
+/Rect [527.6238 219.6002 539.579 228.3323]
/Subtype /Link
/A << /S /GoTo /D (appendix.A) >>
>> endobj
-844 0 obj <<
+899 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 310.1578 539.579 319.2636]
+/Rect [527.6238 207.538 539.579 216.4943]
/Subtype /Link
/A << /S /GoTo /D (section.A.1) >>
>> endobj
-845 0 obj <<
+900 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 298.2027 539.579 307.3084]
+/Rect [527.6238 195.456 539.579 204.4123]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.1.1) >>
>> endobj
-846 0 obj <<
+901 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 286.2475 539.579 295.2038]
+/Rect [527.6238 183.3739 539.579 192.3302]
/Subtype /Link
/A << /S /GoTo /D (section.A.2) >>
>> endobj
-847 0 obj <<
+902 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 274.2923 539.579 283.2486]
+/Rect [527.6238 171.2919 539.579 180.2482]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.2.1) >>
>> endobj
-848 0 obj <<
+903 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 262.3372 539.579 271.2934]
+/Rect [527.6238 159.2098 539.579 168.1661]
/Subtype /Link
/A << /S /GoTo /D (section.A.3) >>
>> endobj
-849 0 obj <<
+904 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 250.382 539.579 259.3383]
+/Rect [527.6238 147.1278 539.579 156.0841]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.1) >>
>> endobj
-850 0 obj <<
+905 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 238.4268 539.579 247.3831]
+/Rect [522.6425 135.0457 539.579 144.1515]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.2) >>
>> endobj
-851 0 obj <<
+906 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 226.4717 539.579 235.4279]
+/Rect [522.6425 122.9637 539.579 132.0694]
/Subtype /Link
/A << /S /GoTo /D (subsection.A.3.3) >>
>> endobj
-852 0 obj <<
+907 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 204.534 539.579 213.2661]
+/Rect [522.6425 100.3916 539.579 109.2482]
/Subtype /Link
/A << /S /GoTo /D (appendix.B) >>
>> endobj
-853 0 obj <<
+908 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 192.5987 539.579 201.555]
+/Rect [522.6425 88.3294 539.579 97.4352]
/Subtype /Link
/A << /S /GoTo /D (section.B.1) >>
>> endobj
-854 0 obj <<
+909 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 180.6435 539.579 189.7493]
+/Rect [522.6425 76.2474 539.579 85.3531]
/Subtype /Link
/A << /S /GoTo /D (section.B.2) >>
>> endobj
-855 0 obj <<
+910 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 168.6883 539.579 177.7941]
+/Rect [522.6425 64.1653 539.579 73.2711]
/Subtype /Link
/A << /S /GoTo /D (section.B.3) >>
>> endobj
-856 0 obj <<
+852 0 obj <<
+/D [850 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+849 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F39 885 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+913 0 obj <<
+/Length 762
+/Filter /FlateDecode
+>>
+stream
+xKO0
+*qj qa[mUNaW!$XaǞOqL0$YR9jXmШ[UŻiaXuΔ tיjy2{?a_ ##m?SΖ>Â$o$l](-A+)7qi0ۅ&g4"1!X#ONڙ쁚$il6zQ^ίfW˳/tf0/5嗢'ѽ+N/갺[^Q2.vmq`АJ$g';`GY0boG߷J21/)dMQ`NS\OD9)HNSvA`RѴj^5uI =RXɐzR"$!zHRskX\5h`Aa' s"qADr!^oEz=\PXɂ4.(HNPv F(DG?†Lfݩ1
+1*,HFX~A@Ãr-ͯ˳~wVx='Pɼ(8D"9^^V)eY.Pޢ(Ə\Dr޲ތ"M(
+mR(ߵӫg;O0Tj(00bJ$0;P RG^biI=iQe*
+̡ˊrEi*-TËҠÅMʂtN+N֌Noewendstream
+endobj
+912 0 obj <<
+/Type /Page
+/Contents 913 0 R
+/Resources 911 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 703 0 R
+/Annots [ 915 0 R 916 0 R 917 0 R 918 0 R 919 0 R 920 0 R 921 0 R 922 0 R 926 0 R 927 0 R ]
+>> endobj
+915 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 156.7332 539.579 165.8389]
+/Rect [494.296 758.5763 511.2325 767.5824]
/Subtype /Link
/A << /S /GoTo /D (section.B.4) >>
>> endobj
-857 0 obj <<
+916 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 144.778 539.579 153.8838]
+/Rect [494.296 746.5215 511.2325 755.6272]
/Subtype /Link
/A << /S /GoTo /D (section.B.5) >>
>> endobj
-858 0 obj <<
+917 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 132.8228 539.579 141.9286]
+/Rect [494.296 734.5663 511.2325 743.672]
/Subtype /Link
/A << /S /GoTo /D (section.B.6) >>
>> endobj
-859 0 obj <<
+918 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 120.9673 539.579 129.9734]
+/Rect [494.296 722.6111 511.2325 731.7169]
/Subtype /Link
/A << /S /GoTo /D (section.B.7) >>
>> endobj
-860 0 obj <<
+919 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 108.9125 539.579 118.0182]
+/Rect [494.296 710.656 511.2325 719.7617]
/Subtype /Link
/A << /S /GoTo /D (section.B.8) >>
>> endobj
-864 0 obj <<
+920 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 96.9573 539.579 106.0631]
+/Rect [494.296 698.8005 511.2325 707.8065]
/Subtype /Link
/A << /S /GoTo /D (section.B.9) >>
>> endobj
-865 0 obj <<
+921 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 85.0022 539.579 94.1079]
+/Rect [494.296 686.8453 511.2325 695.8514]
/Subtype /Link
/A << /S /GoTo /D (section.B.10) >>
>> endobj
-808 0 obj <<
-/D [806 0 R /XYZ 85.0394 794.5015 null]
+922 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 674.7905 511.2325 683.8962]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.11) >>
>> endobj
-805 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
-/ProcSet [ /PDF /Text ]
+926 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 662.8353 511.2325 671.941]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.12) >>
>> endobj
-868 0 obj <<
-/Length 69
-/Filter /FlateDecode
->>
-stream
-x3T0
-endobj
-867 0 obj <<
-/Type /Page
-/Contents 868 0 R
-/Resources 866 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+927 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 650.8801 511.2325 659.9859]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.13) >>
>> endobj
-869 0 obj <<
-/D [867 0 R /XYZ 56.6929 794.5015 null]
+914 0 obj <<
+/D [912 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-866 0 obj <<
-/ProcSet [ /PDF ]
+911 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R >>
+/ProcSet [ /PDF /Text ]
>> endobj
-872 0 obj <<
+930 0 obj <<
/Length 2197
/Filter /FlateDecode
>>
stream
-xYݏ_G-pf)y A+qmdnC)˶|w-РX`Mp7lMᏭ"TΌ$2.+»XБJ%%4Qg||ٚS\L#Y??'va݆+_~id:cn- ~‡fr,mXbRF 悹NagaiikO}^58x h_O9c3ad[TO X6C5T(͒% $8;c(ţa;,qW.N]U5JyӀ3h{dn%ʟ6f]UyDIl?\!oJa+N>;'놃.wTØ(TA4XmO-*ZǕ+j ܳ[~v<@UQKpRcgbI Ob
-A)*aqfd
-D  R
-}7A,+c%%8yiU ^OI0SԃC>e<!8|V5TW*sUv>JDA G
-OyC֕@64* >2NgÌ&UlN.R #0Hn*؆K{hˌB/-Rvin0bHU錍
-j^h*"K4ѷ3vtgihM2c`w.˺ >,)`7!]
-> YT&dQŠQa'L,
-S^I7ka VvA D } U[o#zvos ї[gql
-R6x_?xc_ !RKeP#ĆSYVb;lWcK㡪/gn @?y
-[}[y5s,
-ADg` ^0_# r\+_O+-endstream
+xYݏ_G-pf)y A+qmdnC)˶|w-РX`Mp7lMᏭ"TΌ$2.+»XБJ%%4Qg||ٚS\L#Y??'va݆+_~id:cn- ~‡fr,mXbRF 悹NagaiikO}^58x h_O9c3ad[TO X6C5T(͒% $8;c(ţa;,qW.N]U5JyӀ3h{dn%ʟ6f]UyDIl?\!oJa+N>;'놃.wTØ(TA4XmO-*ZǕ+j ܳ[~v<@UQKpRcgbI Ob
+r\AՄ78YdH%hla+_@0F(as7 t2RN,
+A)*aqfdJfK R
+}7A,+c%%8yiU ^OI LQ=P
+FQ܇Y<P T.k^߆WOc$cUynB*q.Z
+=ABf3b؄̹j_j׼Kyd SKTy<.E#)`e1k{L&*v8 U
+H5#F%FH#U362(nx F.D؍ҝ5ɸm *޹ .2݄t)0dY$S̮ Dyغ
++Fӟ3
+hqR%KMK᳴P>GMiq_ĶV&my|B
+8'&K{ h ,$_ƜQS۔ /K;
+6L҉j6}ugA[pSm+zz=۬Fr8Mn¥!S^ՃBo8)θ 'Dn8})LlVX=|عoBJzk; x5wm?4X.9H1A_/۟
+}mDNm!s%D<}*m𾚽"@"RCTG Św?FƈCU_~
+BjYp]K~W?qO@0_kao#q$.G@
+N:((dWn6VGendstream
endobj
-871 0 obj <<
+929 0 obj <<
/Type /Page
-/Contents 872 0 R
-/Resources 870 0 R
+/Contents 930 0 R
+/Resources 928 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
+/Parent 941 0 R
>> endobj
-873 0 obj <<
-/D [871 0 R /XYZ 85.0394 794.5015 null]
+931 0 obj <<
+/D [929 0 R /XYZ 85.0394 794.5015 null]
>> endobj
6 0 obj <<
-/D [871 0 R /XYZ 85.0394 769.5949 null]
+/D [929 0 R /XYZ 85.0394 769.5949 null]
>> endobj
-874 0 obj <<
-/D [871 0 R /XYZ 85.0394 582.8476 null]
+932 0 obj <<
+/D [929 0 R /XYZ 85.0394 582.8476 null]
>> endobj
10 0 obj <<
-/D [871 0 R /XYZ 85.0394 512.9824 null]
+/D [929 0 R /XYZ 85.0394 512.9824 null]
>> endobj
-875 0 obj <<
-/D [871 0 R /XYZ 85.0394 474.7837 null]
+933 0 obj <<
+/D [929 0 R /XYZ 85.0394 474.7837 null]
>> endobj
14 0 obj <<
-/D [871 0 R /XYZ 85.0394 399.5462 null]
+/D [929 0 R /XYZ 85.0394 399.5462 null]
>> endobj
-876 0 obj <<
-/D [871 0 R /XYZ 85.0394 363.8828 null]
+934 0 obj <<
+/D [929 0 R /XYZ 85.0394 363.8828 null]
>> endobj
18 0 obj <<
-/D [871 0 R /XYZ 85.0394 223.0066 null]
+/D [929 0 R /XYZ 85.0394 223.0066 null]
>> endobj
-880 0 obj <<
-/D [871 0 R /XYZ 85.0394 190.9009 null]
+935 0 obj <<
+/D [929 0 R /XYZ 85.0394 190.9009 null]
>> endobj
-881 0 obj <<
-/D [871 0 R /XYZ 85.0394 170.4169 null]
+936 0 obj <<
+/D [929 0 R /XYZ 85.0394 170.4169 null]
>> endobj
-882 0 obj <<
-/D [871 0 R /XYZ 85.0394 158.4617 null]
+937 0 obj <<
+/D [929 0 R /XYZ 85.0394 158.4617 null]
>> endobj
-870 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F48 885 0 R >>
+928 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F48 940 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-889 0 obj <<
-/Length 3125
-/Filter /FlateDecode
->>
-stream
-x]۶~u3~ۍ3sbi<P"":뻋]P6f+` '"8S" 2Zl7bHY9_^dYz7+ DźAbJEbwo G""=|J8oqKۗvo^GIn>*0tF28܄Pk7Rݼip2kz%%Et<R'( b S(!vMU5mS?z(钑)*kve;Y;ysr!_RqR
-ht+[OD ᨯpjIdiHt $bR׭rLed^|DE'|, 29#-w(G w"0%($Qh%<kE&KJDa_вc!?𼴈O..
-3o+
-~8XWE>䛼7a~izڮwMwpfy %bl ~C4^c=VԈ#!El
-rkt}nS@FYѨ] Yj@(3{lN&mo0..*Aڢe4 :KЗӷ\[|"4ZqʭerH=C,ͦyPk/Z2rUB l;=i 淣J @Wf,S[!|
-(
-VxCk'HX-hʀV$yI2>zpd<VW8
-| SP
-B9|4xxqFPBkɆOii#[ %J;S8J#E9%h\8rve(GA?0j>md
-`npr0hf#bp`n hp(w|Ȓ@6lꊓ%DUO% ʁ]]7 ϛy2C[D.G-R[X@dB0mm^ܜhuomIڹms
-:fc< ".n0P3P( x:#0f:a^xNZ̬T2R= @:G.D50WK#yD@"6Gi5
-XGAfncS]Z0.zS8]}IRf\D{ܜ04 0^
-b5:y,+$u9@y7ےC.ƸH#Ddf
-
-J}͘2LM/ :i 5
-&Md)#jZK^ʝV8rFۂ׻=@8UWm m>v/JӣmM lZecŬ +4a XQБ5|C2:!;Oޘd>C$_ E Iғ×qHHS9k=-:wypv)
-S-깇b;=mc?*؇ m+‚%:Wϝ$E
+944 0 obj <<
+/Length 3187
+/Filter /FlateDecode
+>>
+stream
+xr_GyfB7g/3ov'&yE,E2"e{EJtvۦӌ`6qEEJe\<_/ìj 7LDxq
+jqWT"p\}r\y o~޽ƿH+G]|Տwo?к#o>wo.݀2% ϿE~!R8)T"FȘ0S]^m8prJIMgXl&bKȪGGmje@?Ml&ݥJ \AolG }p÷7oR?w9nr9eiXI:DOu&? P
+Y;> g0
+4UQHdiHL $cץRjٌy~<[TRˑN3Dd*{\;ꐏl0-piFc[tH7"5ڢuB7JK,ǗEdrvIIp.4I)ߕ}P^*?F}^I{*xv߃%Fw^O=Otj|g~]w__?pZf"M+T2c8ԝ<"J g X*&x8y1*3 ' z;D76ɷ<{n{xӘD OfI6Y]tGD^R,~ aiOmEXM|JYw}^U!rL^tܾ\{z #$[*L3uv둲qCZYLIgv5p\hAqredx݃'t~*D`ٓWA{ `@f)(L#gsL_^ D-cɧbh1)cGGGb
+7H@rWp"a8{
+Oԓu'LeE~cG{`s<h|;c&#zPڶW RUB>uUe4io;嬟/go6XΥZ>$ZqnA^&)FGlfSf.F1pUB=w
+^05y CH0ZYbmp$2zpf0/+rCrc2}g&f9 Ie&Wc7zNg<JU@y|uع9~4 EުbPV$#ź/YIuBA9P]u O` -}.T:)TrN\P4jkݿ;P@|uNF%G\
+>zw&Q`9Evdf,QETc%b;{? `A>u9\3bLQO~^s'/ͯX6Ra"86O>$ 8U*e O7х>G2[ͽ) T0ShL cϹ ;M;p8<$s*F3
+dG٩
+ FD|LsF
+bh~
+*$ ϧP EP|J 4=
+$r,)B]`DQs`Qƞp
+N1({z 9< |G joy5y-.ԨM]qsKu Ƈjveeώe˯=Qfw.!)߶7&r 89h,Yc؄= ũ$NA*f&vrusF"׸nUAܻfɄNpA!ٜ*#lI;D;i> CGX9WK3{BalRsgwFYݫ97B>uȈT 9~f$NP0 > W$`F^*ML2fେY3@->d$@71:,S6/pACo %
+}#x<<% ɡs&fF& g8k.Z(bDqE=Y1JbOo<VMa'
+OiD
+V`/FxLGC*У$ע0$zӀ gAc
+68#(t&kUMEd&y P?!t,Q +'I| jFg:0Y7՜s"փC#(2{b+$$ ]׬K"X(%C4KD8ϐ} 4(tN{j4 u1'ǡ҇Phy{aQ'۷m~4̆l%ܺguTؓNCy (340i#j ?;wv 5P`ʯZ8?m:SezΩCB3^|U87ʊ*d|ठޗ5Wsj3JfN@
+W;SQ3;W4{kc7>Ji [~5g@
+`J9dV!ȨB?ecΗ`X-zX-@f:\aG7ߕ=ȧv)@2wl(kz+0hzx6qSS> uQIC-f¡oMoqڵ|2VDW|k=_bP*4/[Df@
+!yendstream
endobj
-888 0 obj <<
+943 0 obj <<
/Type /Page
-/Contents 889 0 R
-/Resources 887 0 R
+/Contents 944 0 R
+/Resources 942 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
-/Annots [ 896 0 R 897 0 R ]
+/Parent 941 0 R
+/Annots [ 951 0 R 952 0 R ]
>> endobj
-896 0 obj <<
+951 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [272.8897 210.0781 329.1084 222.1378]
+/Rect [272.8897 207.1951 329.1084 219.2548]
/Subtype /Link
/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
>> endobj
-897 0 obj <<
+952 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [190.6691 182.1322 249.6573 191.5418]
+/Rect [190.6691 179.6723 249.6573 189.0819]
/Subtype /Link
/A << /S /GoTo /D (rfcs) >>
>> endobj
-890 0 obj <<
-/D [888 0 R /XYZ 56.6929 794.5015 null]
+945 0 obj <<
+/D [943 0 R /XYZ 56.6929 794.5015 null]
>> endobj
-891 0 obj <<
-/D [888 0 R /XYZ 56.6929 756.8229 null]
+946 0 obj <<
+/D [943 0 R /XYZ 56.6929 756.8229 null]
>> endobj
-892 0 obj <<
-/D [888 0 R /XYZ 56.6929 744.8677 null]
+947 0 obj <<
+/D [943 0 R /XYZ 56.6929 744.8677 null]
>> endobj
22 0 obj <<
-/D [888 0 R /XYZ 56.6929 649.0335 null]
+/D [943 0 R /XYZ 56.6929 651.295 null]
>> endobj
-893 0 obj <<
-/D [888 0 R /XYZ 56.6929 609.5205 null]
+948 0 obj <<
+/D [943 0 R /XYZ 56.6929 612.4036 null]
>> endobj
26 0 obj <<
-/D [888 0 R /XYZ 56.6929 551.1302 null]
+/D [943 0 R /XYZ 56.6929 555.4285 null]
>> endobj
-894 0 obj <<
-/D [888 0 R /XYZ 56.6929 525.7505 null]
+949 0 obj <<
+/D [943 0 R /XYZ 56.6929 530.6703 null]
>> endobj
30 0 obj <<
-/D [888 0 R /XYZ 56.6929 422.4834 null]
+/D [943 0 R /XYZ 56.6929 416.0112 null]
>> endobj
-895 0 obj <<
-/D [888 0 R /XYZ 56.6929 395.8284 null]
+950 0 obj <<
+/D [943 0 R /XYZ 56.6929 391.253 null]
>> endobj
34 0 obj <<
-/D [888 0 R /XYZ 56.6929 166.2827 null]
+/D [943 0 R /XYZ 56.6929 164.815 null]
>> endobj
-898 0 obj <<
-/D [888 0 R /XYZ 56.6929 138.253 null]
+953 0 obj <<
+/D [943 0 R /XYZ 56.6929 137.4068 null]
>> endobj
-887 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F21 658 0 R >>
+942 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F21 702 0 R >>
/ProcSet [ /PDF /Text ]
>> endobj
-903 0 obj <<
-/Length 3414
-/Filter /FlateDecode
->>
-stream
-xڥZKs6WjA
-afW\ t
-Bc34=r G}0N:
-$vG"Uk"}O-´79DQX4
-ڽbr uKy{ 0# _Xy4ǧǚh>*xusKOu-~f ->D)yZN/Le~ȿQtOpjE#,`9ntRO8Xu tm}|Bd@ *4I ;<j#GC c?H4n5ϯQc,RM#$B2?ԧ"'s(qr[|+R]C3tt =Fʅ_x Jӊqf疺))z@4W@1 iQ @}!^'T:
-n=*wzxK񸋨i{
- 0^!
-)c|F¡f63
-O=&wWdcZ* id6]Ь.dJ &YsM>WSM fHWUOA
-fD
-_tvMS &cQf:Mϣ
-49v}1[,\\G S=^:mZc1p/~F_ [U.rlp8 m_Sp-E*CǧgeA)p %_*{ 7(b1A!G+ܪ_ǥu7k=uU+
- XÕXT p~C,x^z;|`\5m )"_$X5Ƌj8BD^r
-H[(LXV5,w.
-piQEpd
-(
+958 0 obj <<
+/Length 3415
+/Filter /FlateDecode
+>>
+stream
+xڥZKs6WjA
+J$.\./A* _5A ôoF 6'\d"`X۵D픻@/HhBg©3&+JNaz
+ 486C\\( *'`||$㤣@kw$)\&Ԃ(L{CʱK{ OыE pg`6;:׀4"8@Y67 VvH в}J{ -wE[ o<;[9ʱ"7XpSOg211۪< ?JُUWmuH 7~]l/5xC/&^5߄WADVܛ+;YMw[5*. ]Jp./3{Ej,mI0H+z 
+&| D`Z
+<Fn.3O(_q (J@Jև'D@
+ԠH#^Q=r4P1jA6^J/5:8fʒI!TY8B,0($C}/2}?7 wŷq
+pPj]K]3Byp&؈\`怹";$`^
+ҍ3:8k8l B=&رkǹ u S=qsz \n| tM=M{^!Q%) ! ,-ϝ(,2^
+r*{4cZ; ]uο0b09713;w|rQ 'Yzlq\QFA_ ))bi|H>#J*NUF+ ⠪Lxn'sLof2q6;7`FE|lDP0b26o < $1J4DTE_OFE6}b`OFx8g// vC3R&Z̨<V4zxiၲ'd?_ V+|֎ɚ(1-ucBj9=V4jt&]GB^dݞW$/
+,,J@T&j_,07ކ/r$:]iYEEQ]bo6wC(sU#i[ܘkA
+P(&L&`稙
+?6`<s qqK N@C+s^o."E}0Ŝݦ5F;
+%^G8ʋ`%^_'kendstream
endobj
-902 0 obj <<
+957 0 obj <<
/Type /Page
-/Contents 903 0 R
-/Resources 901 0 R
+/Contents 958 0 R
+/Resources 956 0 R
/MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
-/Annots [ 906 0 R 907 0 R ]
+/Parent 941 0 R
+/Annots [ 961 0 R 962 0 R ]
>> endobj
-906 0 obj <<
+961 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [519.8432 463.1122 539.579 475.1718]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-907 0 obj <<
+962 0 obj <<
/Type /Annot
/Border[0 0 0]/H/I/C[1 0 0]
/Rect [84.0431 451.8246 133.308 463.2167]
/Subtype /Link
/A << /S /GoTo /D (diagnostic_tools) >>
>> endobj
-904 0 obj <<
-/D [902 0 R /XYZ 85.0394 794.5015 null]
+959 0 obj <<
+/D [957 0 R /XYZ 85.0394 794.5015 null]
>> endobj
38 0 obj <<
-/D [902 0 R /XYZ 85.0394 570.5252 null]
+/D [957 0 R /XYZ 85.0394 570.5252 null]
>> endobj
-905 0 obj <<
-/D [902 0 R /XYZ 85.0394 541.3751 null]
+960 0 obj <<
+/D [957 0 R /XYZ 85.0394 541.3751 null]
>> endobj
42 0 obj <<
-/D [902 0 R /XYZ 85.0394 434.1868 null]
+/D [957 0 R /XYZ 85.0394 434.1868 null]
>> endobj
-908 0 obj <<