From 5b7b2ddd6ca364c39ea6ce95cdeb75fcf7399a15 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Sun, 22 Aug 2004 23:53:39 +0000 Subject: [PATCH] regen --- bin/check/named-checkconf.html | 36 +- bin/check/named-checkzone.html | 124 +- bin/dig/dig.html | 596 ++-- bin/dig/host.html | 246 +- bin/dig/nslookup.html | 248 +- bin/dnssec/dnssec-keygen.html | 214 +- bin/dnssec/dnssec-signzone.html | 270 +- bin/named/lwresd.html | 212 +- bin/named/named.conf.html | 2168 ++++------- bin/named/named.html | 240 +- bin/nsupdate/nsupdate.html | 384 +- bin/rndc/rndc-confgen.html | 168 +- bin/rndc/rndc.conf.html | 120 +- bin/rndc/rndc.html | 166 +- doc/arm/Bv9ARM.ch01.html | 234 +- doc/arm/Bv9ARM.ch02.html | 40 +- doc/arm/Bv9ARM.ch03.html | 580 +-- doc/arm/Bv9ARM.ch04.html | 268 +- doc/arm/Bv9ARM.ch05.html | 20 +- doc/arm/Bv9ARM.ch06.html | 4369 +++++++---------------- doc/arm/Bv9ARM.ch07.html | 68 +- doc/arm/Bv9ARM.ch08.html | 44 +- doc/arm/Bv9ARM.ch09.html | 426 +-- doc/arm/Bv9ARM.html | 52 +- lib/lwres/man/lwres.html | 156 +- lib/lwres/man/lwres_buffer.html | 270 +- lib/lwres/man/lwres_config.html | 86 +- lib/lwres/man/lwres_context.html | 210 +- lib/lwres/man/lwres_gabn.html | 144 +- lib/lwres/man/lwres_gai_strerror.html | 60 +- lib/lwres/man/lwres_getaddrinfo.html | 230 +- lib/lwres/man/lwres_gethostent.html | 380 +- lib/lwres/man/lwres_getipnode.html | 166 +- lib/lwres/man/lwres_getnameinfo.html | 98 +- lib/lwres/man/lwres_getrrsetbyname.html | 148 +- lib/lwres/man/lwres_gnba.html | 120 +- lib/lwres/man/lwres_hstrerror.html | 50 +- lib/lwres/man/lwres_inetntop.html | 62 +- lib/lwres/man/lwres_noop.html | 142 +- lib/lwres/man/lwres_packet.html | 120 +- lib/lwres/man/lwres_resutil.html | 166 +- 41 files changed, 5076 insertions(+), 8825 deletions(-) diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html index c313984395..2f392cf759 100644 --- a/bin/check/named-checkconf.html +++ b/bin/check/named-checkconf.html 
@@ -15,16 +15,16 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + + named-checkconf

named-checkconf

named-checkconf [ [-v] [-v] [-j] [-j] [-t -t directory] (unknown) [directory] (unknown) [-z-z]

-t -t directorydirectory

- + + named-checkzone

named-checkzone

named-checkzone [ [-d] [-d] [-j] [-j] [-q] [-q] [-v] [-v] [-c -c class] [class] [-k -k mode] [mode] [-n -n mode] [mode] [-o -o filename] [filename] [-t -t directory] [directory] [-w -w directory] [directory] [-D-D] {zonename} (unknown)

-c -c classclass

-k -k modemode

-n -n modemode

-o -o filenamefilename

-t -t directorydirectory

-w -w directorydirectory

- + + dig

dig

dig
dig [@server] [ [@server] [-b -b address] [address] [-c -c class] [class] [-f -f filename] [filename] [-k -k filename] [filename] [-p -p port#] [port#] [-t -t type] [type] [-x -x addr] [addr] [-y -y name:key] [name:key] [-4] [-4] [-6-6] [name] [type] [class] [queryopt...]

dig [ [-h-h]

is normally used with command-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command-line arguments -and options is printed when the -h-h option is given. Unlike earlier versions, the BIND9 implementation of

serverserver

is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied -serverserver argument is a hostname, dig resolves that name before querying that name -server. If no serverserver argument is provided,

namename

is the name of the resource record that is to be looked up.

typetype

indicates what type of query is required — ANY, A, MX, SIG, etc. -typetype can be any valid query type. If no -typetype argument is supplied,

OPTIONS

The The -b-b option sets the source IP address of the query -to addressaddress. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"

The default query class (IN for internet) is overridden by the --c option. -c option. classclass is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.

The The -f-f option makes dig operate in batch mode by reading a list of lookup requests to process from the -file filenamefilename. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to @@ -358,14 +328,12 @@ CLASS="COMMAND" > using the command-line interface.

If a non-standard port number is to be queried, the --p option is used. -p option is used. port#port# is the port number that

The The -4-4 option forces dig to only -use IPv4 query transport. The -6-6 option forces dig to only use IPv6 query transport.

The The -t-t option sets the query type to -typetype. It can be any valid query type which is supported in BIND9. The default query type "A", unless the --x-x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required, -type is set to type is set to ixfr=Nixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was -NN.

Reverse lookups - mapping addresses to names - are simplified by the --x option. -x option. addraddr is an IPv4 address in dotted-decimal notation, or a colon-delimited IPv6 address. When this option is used, there is no need to provide the -name, name, classclass and -typetype arguments. dig automatically performs a lookup for a name like -11.12.13.10.in-addr.arpa11.12.13.10.in-addr.arpa and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain -specify the -i-i option. Bit string labels (RFC2874) are now experimental and are not attempted.

dig and their responses using transaction signatures (TSIG), specify a TSIG key file -using the -k-k option. You can also specify the TSIG -key itself on the command line using the -y-y option; -namename is the name of the TSIG key and -keykey is the actual key. The key is a base-64 encoded string, typically generated by (8). -Caution should be taken when using the -y-y option on multi-user systems as the key can be visible in the output from

Each query option is identified by a keyword preceded by a plus sign -(++). Some keywords set or reset an option. These may be preceded -by the string nono to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They -have the form +keyword=value+keyword=value. The query options are: @@ -574,9 +524,9 @@ The query options are: CLASS="VARIABLELIST" >

+[no]tcp+[no]tcp

+[no]vc+[no]vc

Use [do not use] TCP when querying name servers. This alternate -syntax to +[no]tcp+[no]tcp is provided for backwards compatibility. The "vc" stands for "virtual circuit".

+[no]ignore+[no]ignore

+domain=somename+domain=somename

Set the search list to contain the single domain -somenamesomename, as if specified in a /etc/resolv.conf, and enable search list -processing as if the +search+search option were given.

+[no]search+[no]search

+[no]defname+[no]defname

Deprecated, treated as a synonym for Deprecated, treated as a synonym for +[no]search+[no]search

+[no]aaonly+[no]aaonly

Sets the "aa" flag in the query.

+[no]aaflag+[no]aaflag

A synonym for A synonym for +[no]aaonly+[no]aaonly.

+[no]adflag+[no]adflag

+[no]cdflag+[no]cdflag

+[no]cl+[no]cl

Display [do not display] the CLASS when printing the record.

+[no]ttlid+[no]ttlid

Display [do not display] the TTL when printing the record.

+[no]recurse+[no]recurse

dig normally sends recursive queries. Recursion is automatically disabled -when the +nssearch+nssearch or -+trace+trace query options are used.

+[no]nssearch+[no]nssearch

+[no]trace+[no]trace

+[no]cmd+[no]cmd

+[no]short+[no]short

+[no]identify+[no]identify

Show [or do not show] the IP address and port number that supplied the -answer when the +short+short option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.

+[no]comments+[no]comments

+[no]stats+[no]stats

+[no]qr+[no]qr

+[no]question+[no]question

+[no]answer+[no]answer

+[no]authority+[no]authority

+[no]additional+[no]additional

+[no]all+[no]all

Set or clear all display flags.

+time=T+time=T

Sets the timeout for a query to -TT seconds. The default time out is 5 seconds. -An attempt to set TT to less than 1 will result in a query timeout of 1 second being applied.

+tries=T+tries=T

Sets the number of times to try UDP queries to server to -TT instead of the default, 3. If -TT is less than or equal to zero, the number of tries is silently rounded up to 1.

+retry=T+retry=T

Sets the number of times to retry UDP queries to server to -TT instead of the default, 2. Unlike -+tries+tries, this does not include the initial query.

+ndots=D+ndots=D

Set the number of dots that have to appear in -name to name to DD for it to be considered absolute. The default value is that defined using the ndots statement in , or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the -search or search or domaindomain directive in .

+bufsize=B+bufsize=B

Set the UDP message buffer size advertised using EDNS0 to -BB bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.

+[no]multiline+[no]multiline

output.

+[no]fail+[no]fail

+[no]besteffort+[no]besteffort

+[no]dnssec+[no]dnssec

+[no]sigchase+[no]sigchase

+trusted-key=####+trusted-key=####

Specify a trusted key to be used with Specify a trusted key to be used with +sigchase+sigchase. Requires dig be compiled with -DDIG_SIGCHASE.

+[no]topdown+[no]topdown

dig supports specifying multiple queries on the command line (in addition to -supporting the -f-f batch file option). Each of those queries can be supplied with its own set of flags, options and query options.

In this case, each In this case, each queryquery argument represent an individual query in the command-line syntax described above. Each consists of any of the standard options and flags, the name to be @@ -1148,9 +1062,9 @@ should be applied to that query.

+[no]cmd+[no]cmd option) can be overridden by a query-specific set of query options. For example:
dig could be used from the command line
-to make three lookups: an ANY query for www.isc.orgwww.isc.org, a
 reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.orgisc.org.
 
-A global query option of +qr+qr is applied, so
 that dig shows the initial query it made for each
 lookup.  The final query has a local query option of
-+noqr+noqr which means that dig
 will not print the initial query when it looks up the NS records for
-isc.orgisc.org.

- + + host

host

host
prints a short summary of its command line arguments and options.

namename is the domain name that is to be looked up. It can also be a dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which case host will by default perform a reverse lookup for that address. -serverserver is an optional argument which is either the name or IP address of the name server that /etc/resolv.conf.

The The -a-a (all) option is equivalent to setting the --v-v option and asking host to make a query of type ANY.

When the When the -C-C option is used, host will attempt to display the SOA records for zone -namename from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.

The The -c-c option instructs to make a DNS query of class -classclass. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).

host when the --d or -d or -v-v option is used. The two options are equivalent. They have been provided for backwards -compatibility. In previous versions, the -d-d option -switched on debugging traces and -v-v enabled verbose output.

List mode is selected by the List mode is selected by the -l-l option. This makes host perform a zone transfer for zone -namename. Transfer the zone printing out the NS, PTR -and address records (A/AAAA). If combined with -a-a all records will be printed.

The The -i-i option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.

The The -N-N option sets the number of dots that have to be -in namename for it to be considered absolute. The default value is that defined using the ndots statement in .

The number of UDP retries for a lookup can be changed with the --R option. -R option. numbernumber indicates how many times host will repeat a query that does not get answered. The default number of retries is 1. If -numbernumber is negative or zero, the number of retries will default to 1.

Non-recursive queries can be made via the Non-recursive queries can be made via the -r-r option. Setting this option clears the host makes. This should mean that the name server receiving the query will not -attempt to resolve namename. The --r-r option enables hosthost uses UDP when making queries. The --T-T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.

The The -4-4 option forces host to only -use IPv4 query transport. The -6-6 option forces host to only use IPv6 query transport.

The The -t-t option is used to select the query type. -typetype can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified, host automatically selects an appropriate query type. By default it looks for A records, but if the --C-C option was given, queries will be made for SOA -records, and if namename is a dotted-decimal IPv4 address or colon-delimited IPv6 address,

The time to wait for a reply can be controlled through the --W and -W and -w-w options. The --W-W option makes host wait for -wait seconds. If wait seconds. If waitwait is less than one, the wait interval is set to one second. When the --w-w option is used, host - + + nslookup

nslookup

nslookup

nslookup -query=hinfo  -timeout=10
server server domaindomain

lserver lserver domaindomain

Change the default server to Change the default server to domain; domain; lserverlserver uses the initial -server to look up information about domain, while domain, while serverserver uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.

rootroot

not implemented

fingerfinger

not implemented

lsls

not implemented

viewview

not implemented

helphelp

not implemented

??

not implemented

exitexit

Exits the program.

set set keyword[=value]]

allall

class=class=valuevalue

ININ

the Internet class

CHCH

the Chaos class

HSHS

the Hesiod class

ANYANY

[no]debug]debug

[no]d2]d2

domain=domain=namename

Sets the search list to Sets the search list to namename.

[no]search]search

port=port=valuevalue

Change the default TCP/UDP name server port to Change the default TCP/UDP name server port to valuevalue.

querytype=querytype=valuevalue

type=type=valuevalue

[no]recurse]recurse

retry=retry=numbernumber

timeout=timeout=numbernumber

[no]vc]vc

- + + dnssec-keygen

dnssec-keygen

dnssec-keygen {-a {-a algorithm} {-b algorithm} {-b keysize} {-n keysize} {-n nametype} [nametype} [-c -c class] [class] [-e] [-e] [-f -f flag] [flag] [-g -g generator] [generator] [-h] [-h] [-k] [-k] [-p -p protocol] [protocol] [-r -r randomdev] [randomdev] [-s -s strength] [strength] [-t -t type] [type] [-v -v levellevel] {name}

-a -a algorithmalgorithm

Selects the cryptographic algorithm. The value of - algorithmalgorithm must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC-MD5. These values are case insensitive. @@ -207,11 +183,9 @@ CLASS="OPTION"

-b -b keysizekeysize

-n -n nametypenametype

Specifies the owner type of the key. The value of - nametypenametype must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are @@ -243,11 +215,9 @@ CLASS="OPTION"

-c -c classclass

-f -f flagflag

-g -g generatorgenerator

-p -p protocolprotocol

-r -r randomdevrandomdev

-s -s strengthstrength

-t -t typetype

Indicates the use of the key. Indicates the use of the key. typetype must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate @@ -384,11 +342,9 @@ CLASS="OPTION"

-v -v levellevel

EXAMPLE

To generate a 768-bit DSA key for the domain - example.comexample.com, the following command would be issued:

dnssec-keygen -a DSA -b 768 -n ZONE example.comdnssec-keygen -a DSA -b 768 -n ZONE example.com

The command would print a string of the form:

Kexample.com.+003+26160Kexample.com.+003+26160

- + + dnssec-signzone

dnssec-signzone

dnssec-signzone [ [-a] [-a] [-c -c class] [class] [-d -d directory] [directory] [-e -e end-time] [end-time] [-f -f output-file] [output-file] [-g] [-g] [-h] [-h] [-k -k key] [key] [-l -l domain] [domain] [-i -i interval] [interval] [-n -n nthreads] [nthreads] [-o -o origin] [origin] [-p] [-p] [-r -r randomdev] [randomdev] [-s -s start-time] [start-time] [-t] [-t] [-v -v level] [level] [-z-z] {zonefile} [key...]

-c -c classclass

-k -k keykey

-l -l domaindomain

-d -d directorydirectory

keyset files in - directorydirectory as the directory

-s -s start-timestart-time

start-timestart-time is specified, the current time minus 1 hour (to allow for clock skew) is used.

-e -e end-timeend-time

Specify the date and time when the generated RRSIG records - expire. As with start-timestart-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is - indicated with now+N. If no end-timeend-time is specified, 30 days from the start time is used as a default.

-f -f output-fileoutput-file

-i -i intervalinterval

When a previously signed zone is passed as input, records - may be resigned. The intervalinterval option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the @@ -380,12 +340,12 @@ CLASS="OPTION" >

The default cycle interval is one quarter of the difference between the signature end and start times. So if neither - end-time or end-time or start-timestart-time are specified,

-n -n ncpusncpus

-o -o originorigin

-r -r randomdevrandomdev

-v -v levellevel

EXAMPLE

The following command signs the The following command signs the example.comexample.com zone with the DSA key generated in the keyset files associated with child zones, they must be in the current directory. - example.comexample.com, the following command would be issued:

dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160

- + + lwresd

lwresd

lwresd [ [-C -C config-file] [config-file] [-d -d debug-level] [debug-level] [-f] [-f] [-g] [-g] [-i -i pid-file] [pid-file] [-n -n #cpus] [#cpus] [-P -P port] [port] [-p -p port] [port] [-s] [-s] [-t -t directory] [directory] [-u -u user] [user] [-v-v]

/etc/resolv.conf contains any - nameservernameserver entries, lwresd sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no - nameservernameserver entries are present, or if forwarding fails,
-C -C config-fileconfig-file

Use Use config-fileconfig-file as the configuration file instead of the default,

-d -d debug-leveldebug-level

Set the daemon's debug level to Set the daemon's debug level to debug-leveldebug-level. Debugging traces from

-n -n #cpus#cpus

Create Create #cpus#cpus worker threads to take advantage of multiple CPUs. If not specified,

-P -P portport

Listen for lightweight resolver queries on port - portport. If not specified, the default is port 921.

-p -p portport

Send DNS lookups to port Send DNS lookups to port portport. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a @@ -370,22 +334,18 @@ CLASS="NOTE" >

-t -t directorydirectory

chroot() to chroot() to directorydirectory after processing the command line arguments, but before reading the configuration file. @@ -410,14 +370,14 @@ ALIGN="CENTER" ALIGN="LEFT" >

This option should be used in conjunction with the - -u-u option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot()chroot() is defined allows a process with root privileges to escape a chroot jail. @@ -428,22 +388,18 @@ CLASS="FUNCTION" >

-u -u useruser

setuid() to setuid() to useruser after completing privileged operations, such as creating sockets that listen on privileged ports. diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html index e1b42c5e86..db4cb82add 100644 --- a/bin/named/named.conf.html +++ b/bin/named/named.conf.html @@ -14,16 +14,16 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + + named.conf
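Review bot: the -t entry says chroot() happens after the command line is processed but before the configuration file is read, and the -C entry says config-file replaces the default path; together these mean a -C path is resolved inside the chroot, and that consequence is worth one sentence in the -t entry so that an operator does not point -C at a file that does not exist under directory. The accompanying note that -t should be paired with -u because chroot alone does not contain a root process is the right guidance, and the -u entry's ordering (drop privileges after creating the sockets that listen on privileged ports) is consistent with it.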

named.conf

ACL

acl acl string { string { address_match_elementaddress_match_element; ... };

KEY

key key domain_namedomain_name {
- algorithm stringstring;
- secret stringstring;
};

MASTERS

masters masters stringstring [ port port integerinteger ] {
- ( masters | masters | ipv4_addressipv4_address [port port integerinteger] |
- ipv6_addressipv6_address [port port integerinteger] ) [ key key stringstring ]; ...
};

SERVER

server ( server ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) {
- bogus booleanboolean;
- edns booleanboolean;
- provide-ixfr booleanboolean;
- request-ixfr booleanboolean;
- keys server_keyserver_key;
- transfers integerinteger;
transfer-format ( many-answers | one-answer );
- transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];

- support-ixfr booleanboolean; // obsolete
};

trusted-keys {
- domain_name domain_name flags flags protocol protocol algorithm algorithm keykey; ... 
};

controls {
- inet ( ipv4_address | ipv4_address | ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ]
- allow { address_match_elementaddress_match_element; ... }
[ keys { keys { stringstring; ... } ];
- unix unsupportedunsupported; // not implemented
};

logging {
- channel stringstring {
- file log_filelog_file;
- syslog optional_facilityoptional_facility;
null;
stderr;
- severity log_severitylog_severity;
- print-time booleanboolean;
- print-severity booleanboolean;
- print-category booleanboolean;
};
- category string { string { stringstring; ... };
};

lwres {
listen-on [ port port integerinteger ] {
- ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) [ port port integerinteger ]; ...
};
- view string string optional_classoptional_class;
- search { stringstring; ... };
- ndots integerinteger;
};

options {
- avoid-v4-udp-ports { portport; ... };
- avoid-v6-udp-ports { portport; ... };
- blackhole { address_match_elementaddress_match_element; ... };
- coresize sizesize;
- datasize sizesize;
- directory quoted_stringquoted_string;
- dump-file quoted_stringquoted_string;
- files sizesize;
- heartbeat-interval integerinteger;
- host-statistics booleanboolean; // not implemented
- hostname ( quoted_stringquoted_string | none );
- interface-interval integerinteger;
listen-on [ port port integerinteger ] { ] { address_match_elementaddress_match_element; ... };
listen-on-v6 [ port port integerinteger ] { ] { address_match_elementaddress_match_element; ... };
- match-mapped-addresses booleanboolean;
- memstatistics-file quoted_stringquoted_string;
- pid-file ( quoted_stringquoted_string | none );
- port integerinteger;
- querylog booleanboolean;
- recursing-file quoted_stringquoted_string;
- random-device quoted_stringquoted_string;
- recursive-clients integerinteger;
- serial-query-rate integerinteger;
- server-id ( quoted_stringquoted_string | none |;
- stacksize sizesize;
- statistics-file quoted_stringquoted_string;
- statistics-interval integerinteger; // not yet implemented
- tcp-clients integerinteger;
- tcp-listen-queue integerinteger;
- tkey-dhkey quoted_string quoted_string integerinteger;
- tkey-gssapi-credential quoted_stringquoted_string;
- tkey-domain quoted_stringquoted_string;
- transfers-per-ns integerinteger;
- transfers-in integerinteger;
- transfers-out integerinteger;
- use-ixfr booleanboolean;
- version ( quoted_stringquoted_string | none );
- allow-recursion { address_match_elementaddress_match_element; ... };
- sortlist { address_match_elementaddress_match_element; ... };
- topology { address_match_elementaddress_match_element; ... }; // not implemented
- auth-nxdomain booleanboolean; // default changed
- minimal-responses booleanboolean;
- recursion booleanboolean;
rrset-order {
[ class class stringstring ] [ type type stringstring ]
[ name name quoted_stringquoted_string string string stringstring; ...
};
- provide-ixfr booleanboolean;
- request-ixfr booleanboolean;
- rfc2308-type1 booleanboolean; // not yet implemented
- additional-from-auth booleanboolean;
- additional-from-cache booleanboolean;
- query-source querysource4querysource4;
- query-source-v6 querysource6querysource6;
- cleaning-interval integerinteger;
- min-roots integerinteger; // not implemented
- lame-ttl integerinteger;
- max-ncache-ttl integerinteger;
- max-cache-ttl integerinteger;
transfer-format ( many-answers | one-answer );
- max-cache-size size_no_defaultsize_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
- cache-file quoted_stringquoted_string;
- suppress-initial-notify booleanboolean; // not yet implemented
- preferred-glue stringstring;
dual-stack-servers [ port port integerinteger ] {
- ( quoted_stringquoted_string [port port integerinteger] |
- ipv4_addressipv4_address [port port integerinteger] |
- ipv6_addressipv6_address [port port integerinteger] ); ...
}
- edns-udp-size integerinteger;
root-delegation-only [ exclude { exclude { quoted_stringquoted_string; ... } ];
- disable-algorithms string { string { stringstring; ... };
- dnssec-enable booleanboolean;
- dnssec-lookaside string trust-anchor string trust-anchor stringstring;
- dnssec-must-be-secure string string booleanboolean;

- dialup dialuptypedialuptype;
- ixfr-from-differences ixfrdiffixfrdiff;

- allow-query { address_match_elementaddress_match_element; ... };
- allow-transfer { address_match_elementaddress_match_element; ... };
- allow-update-forwarding { address_match_elementaddress_match_element; ... };

- notify notifytypenotifytype;
- notify-source ( ipv4_addressipv4_address | * ) [ port ( port ( integerinteger | * ) ];
- notify-source-v6 ( ipv6_addressipv6_address | * ) [ port ( port ( integerinteger | * ) ];
also-notify [ port port integerinteger ] { ( ] { ( ipv4_address | ipv4_address | ipv6_addressipv6_address )
[ port port integerinteger ]; ... };
- allow-notify { address_match_elementaddress_match_element; ... };

forward ( first | only );
forwarders [ port port integerinteger ] {
- ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) [ port port integerinteger ]; ...
};

- max-journal-size size_no_defaultsize_no_default;
- max-transfer-time-in integerinteger;
- max-transfer-time-out integerinteger;
- max-transfer-idle-in integerinteger;
- max-transfer-idle-out integerinteger;
- max-retry-time integerinteger;
- min-retry-time integerinteger;
- max-refresh-time integerinteger;
- min-refresh-time integerinteger;
- multi-master booleanboolean;
- sig-validity-interval integerinteger;

- transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];

- alt-transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- alt-transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];
- use-alt-transfer-source booleanboolean;

- zone-statistics booleanboolean;
- key-directory quoted_stringquoted_string;

- allow-v6-synthesis { address_match_elementaddress_match_element; ... }; // obsolete
- deallocate-on-exit booleanboolean; // obsolete
- fake-iquery booleanboolean; // obsolete
- fetch-glue booleanboolean; // obsolete
- has-old-clients booleanboolean; // obsolete
- maintain-ixfr-base booleanboolean; // obsolete
- max-ixfr-log-size sizesize; // obsolete
- multiple-cnames booleanboolean; // obsolete
- named-xfer quoted_stringquoted_string; // obsolete
- serial-queries integerinteger; // obsolete
- treat-cr-as-space booleanboolean; // obsolete
- use-id-pool booleanboolean; // obsolete
};

VIEW

view view string string optional_classoptional_class {
- match-clients { address_match_elementaddress_match_element; ... };
- match-destinations { address_match_elementaddress_match_element; ... };
- match-recursive-only booleanboolean;

- key stringstring {
- algorithm stringstring;
- secret stringstring;
};

- zone string string optional_classoptional_class {
...
};

- server ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) {
...
};

trusted-keys {
- string string integer integer integer integer integer integer quoted_stringquoted_string; ...
};

- allow-recursion { address_match_elementaddress_match_element; ... };
- sortlist { address_match_elementaddress_match_element; ... };
- topology { address_match_elementaddress_match_element; ... }; // not implemented
- auth-nxdomain booleanboolean; // default changed
- minimal-responses booleanboolean;
- recursion booleanboolean;
rrset-order {
[ class class stringstring ] [ type type stringstring ]
[ name name quoted_stringquoted_string string string stringstring; ...
};
- provide-ixfr booleanboolean;
- request-ixfr booleanboolean;
- rfc2308-type1 booleanboolean; // not yet implemented
- additional-from-auth booleanboolean;
- additional-from-cache booleanboolean;
- query-source querysource4querysource4;
- query-source-v6 querysource6querysource6;
- cleaning-interval integerinteger;
- min-roots integerinteger; // not implemented
- lame-ttl integerinteger;
- max-ncache-ttl integerinteger;
- max-cache-ttl integerinteger;
transfer-format ( many-answers | one-answer );
- max-cache-size size_no_defaultsize_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
- cache-file quoted_stringquoted_string;
- suppress-initial-notify booleanboolean; // not yet implemented
- preferred-glue stringstring;
dual-stack-servers [ port port integerinteger ] {
- ( quoted_stringquoted_string [port port integerinteger] |
- ipv4_addressipv4_address [port port integerinteger] |
- ipv6_addressipv6_address [port port integerinteger] ); ...
};
- edns-udp-size integerinteger;
root-delegation-only [ exclude { exclude { quoted_stringquoted_string; ... } ];
- disable-algorithms string { string { stringstring; ... };
- dnssec-enable booleanboolean;
- dnssec-lookaside string trust-anchor string trust-anchor stringstring;

- dnssec-must-be-secure string string booleanboolean;
- dialup dialuptypedialuptype;
- ixfr-from-differences ixfrdiffixfrdiff;

- allow-query { address_match_elementaddress_match_element; ... };
- allow-transfer { address_match_elementaddress_match_element; ... };
- allow-update-forwarding { address_match_elementaddress_match_element; ... };

- notify notifytypenotifytype;
- notify-source ( ipv4_addressipv4_address | * ) [ port ( port ( integerinteger | * ) ];
- notify-source-v6 ( ipv6_addressipv6_address | * ) [ port ( port ( integerinteger | * ) ];
also-notify [ port port integerinteger ] { ( ] { ( ipv4_address | ipv4_address | ipv6_addressipv6_address )
[ port port integerinteger ]; ... };
- allow-notify { address_match_elementaddress_match_element; ... };

forward ( first | only );
forwarders [ port port integerinteger ] {
- ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) [ port port integerinteger ]; ...
};

- max-journal-size size_no_defaultsize_no_default;
- max-transfer-time-in integerinteger;
- max-transfer-time-out integerinteger;
- max-transfer-idle-in integerinteger;
- max-transfer-idle-out integerinteger;
- max-retry-time integerinteger;
- min-retry-time integerinteger;
- max-refresh-time integerinteger;
- min-refresh-time integerinteger;
- multi-master booleanboolean;
- sig-validity-interval integerinteger;

- transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];

- alt-transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- alt-transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];
- use-alt-transfer-source booleanboolean;

- zone-statistics booleanboolean;
- key-directory quoted_stringquoted_string;

- allow-v6-synthesis { address_match_elementaddress_match_element; ... }; // obsolete
- fetch-glue booleanboolean; // obsolete
- maintain-ixfr-base booleanboolean; // obsolete
- max-ixfr-log-size sizesize; // obsolete
};

ZONE

zone zone string string optional_classoptional_class {
type ( master | slave | stub | hint |
forward | delegation-only );
- file quoted_stringquoted_string;

masters [ port port integerinteger ] {
- ( mastersmasters |
- ipv4_addressipv4_address [port port integerinteger] |
- ipv6_addressipv6_address [ port port integerinteger ] ) [ key key stringstring ]; ...
};

- database stringstring;
- delegation-only booleanboolean;
check-names ( fail | warn | ignore );
- dialup dialuptypedialuptype;
- ixfr-from-differences booleanboolean;

- allow-query { address_match_elementaddress_match_element; ... };
- allow-transfer { address_match_elementaddress_match_element; ... };
- allow-update { address_match_elementaddress_match_element; ... };
- allow-update-forwarding { address_match_elementaddress_match_element; ... };
update-policy {
- ( grant | deny ) stringstring
- ( name | subdomain | wildcard | self ) stringstring
- rrtypelistrrtypelist; ...
};

- notify notifytypenotifytype;
- notify-source ( ipv4_addressipv4_address | * ) [ port ( port ( integerinteger | * ) ];
- notify-source-v6 ( ipv6_addressipv6_address | * ) [ port ( port ( integerinteger | * ) ];
also-notify [ port port integerinteger ] { ( ] { ( ipv4_address | ipv4_address | ipv6_addressipv6_address )
[ port port integerinteger ]; ... };
- allow-notify { address_match_elementaddress_match_element; ... };

forward ( first | only );
forwarders [ port port integerinteger ] {
- ( ipv4_address | ipv4_address | ipv6_addressipv6_address ) [ port port integerinteger ]; ...
};

- max-journal-size size_no_defaultsize_no_default;
- max-transfer-time-in integerinteger;
- max-transfer-time-out integerinteger;
- max-transfer-idle-in integerinteger;
- max-transfer-idle-out integerinteger;
- max-retry-time integerinteger;
- min-retry-time integerinteger;
- max-refresh-time integerinteger;
- min-refresh-time integerinteger;
- multi-master booleanboolean;
- sig-validity-interval integerinteger;

- transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];

- alt-transfer-source ( ipv4_addressipv4_address | * )
[ port ( port ( integerinteger | * ) ];
- alt-transfer-source-v6 ( ipv6_addressipv6_address | * )
[ port ( port ( integerinteger | * ) ];
- use-alt-transfer-source booleanboolean;

- zone-statistics booleanboolean;
- key-directory quoted_stringquoted_string;

- ixfr-base quoted_stringquoted_string; // obsolete
- ixfr-tmp-file quoted_stringquoted_string; // obsolete
- maintain-ixfr-base booleanboolean; // obsolete
- max-ixfr-log-size sizesize; // obsolete
- pubkey integer integer integer integer integer integer quoted_stringquoted_string; // obsolete
};

- + + named

named

named [ [-4] [-4] [-6] [-6] [-c -c config-file] [config-file] [-d -d debug-level] [debug-level] [-f] [-f] [-g] [-g] [-n -n #cpus] [#cpus] [-p -p port] [port] [-s] [-s] [-t -t directory] [directory] [-u -u user] [user] [-v] [-v] [-x -x cache-filecache-file]

Use IPv4 only even if the host machine is capable of IPv6. - -4 and -4 and -6-6 are mutually exclusive.

Use IPv6 only even if the host machine is capable of IPv4. - -4 and -4 and -6-6 are mutually exclusive.

-c -c config-fileconfig-file

Use Use config-fileconfig-file as the configuration file instead of the default, directorydirectory option in the configuration - file, config-fileconfig-file should be an absolute pathname.

-d -d debug-leveldebug-level

Set the daemon's debug level to Set the daemon's debug level to debug-leveldebug-level. Debugging traces from

-n -n #cpus#cpus

Create Create #cpus#cpus worker threads to take advantage of multiple CPUs. If not specified,

-p -p portport

Listen for queries on port Listen for queries on port portport. If not specified, the default is port 53.

-t -t directorydirectory

chroot() to chroot() to directorydirectory after processing the command line arguments, but before reading the configuration file. @@ -390,14 +354,14 @@ ALIGN="CENTER" ALIGN="LEFT" >

This option should be used in conjunction with the - -u-u option, as chrooting a process running as root doesn't enhance security on most - systems; the way chroot()chroot() is defined allows a process with root privileges to escape a chroot jail. @@ -408,22 +372,18 @@ CLASS="FUNCTION" >

-u -u useruser

setuid() to setuid() to useruser after completing privileged operations, such as creating sockets that listen on privileged ports. @@ -440,14 +400,14 @@ CLASS="COMMAND" >named uses the kernel's capability mechanism to drop all root privileges - except the ability to bind()bind() to a privileged port and set process resource limits. - Unfortunately, this means that the -u-u option only works when is run on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since previous kernels did not allow privileges - to be retained after setuid()setuid().

-x -x cache-filecache-file

Load data from Load data from cache-filecache-file into the cache of the default view.
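
Review bot: the -u paragraph is missing its subject: "the -u option only works when is run on kernel 2.2.18 or later" should read "when named is run on kernel 2.2.18 or later"; the earlier sentence in the same paragraph ("named uses the kernel's capability mechanism to drop all root privileges except the ability to bind() to a privileged port") shows the daemon is meant, and without the command name the kernel-version restriction is not tied to anything.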

- + + nsupdate

nsupdate

nsupdate

The --d-d option makes nsupdate uses the --y-y or --k-k option (with an HMAC-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the --k-k option, nsupdate reads the shared secret from the file -keyfilekeyfile, whose name is of the form K{name}.+157.+{random}.key must also be present. When the --y-y option is used, a signature is generated from -keyname:secret.keyname:secret. -keynamekeyname is the name of the key, and -secretsecret is the base64 encoded shared secret. Use of the --y-y option is discouraged because the shared secret is supplied as a command line argument in clear text. @@ -288,9 +270,9 @@ CLASS="REFENTRYTITLE" > or in a history file maintained by the user's shell.

The The -k-k may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key.

-v
-v option makes

The The -t-t option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.

The The -u-u option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries.

The The -r-r option sets the number of UDP retries. The default is 3. If zero only one update request will be made.

nsupdate reads input from -filenamefilename or standard input. Each command is supplied on exactly one line of input. @@ -391,11 +371,9 @@ CLASS="COMMAND" >

Sends all dynamic update requests to the name server -servernameservername. When no server statement is provided, portport is the port number on -servernameservername where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is @@ -432,11 +406,9 @@ CLASS="COMMAND" >

Sends all dynamic update requests using the local -addressaddress. When no local statement is provided, @@ -445,11 +417,9 @@ CLASS="COMMAND" >nsupdate will send updates using an address and port chosen by the system. -portport can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.

Specifies that all updates are to be made to the zone -zonenamezonename. If no -zonezone statement is provided,

Specify the default class. -If no classclass is specified the default class is -ININ.

Specifies that all updates are to be TSIG signed using the -keyname keyname keysecretkeysecret pair. The key command overrides any key specified on the command line via --y or -y or -k-k.

Requires that no resource record of any type exists with name -domain-namedomain-name.

Requires that -domain-namedomain-name exists (has as at least one resource record, of any type).

Requires that no resource record exists of the specified -typetype, -classclass and -domain-namedomain-name. If -classclass is omitted, IN (internet) is assumed.

This requires that a resource record of the specified -typetype, -classclass and -domain-namedomain-name must exist. If -classclass is omitted, IN (internet) is assumed.

The -datadata from each set of prerequisites of this form sharing a common -typetype, -classclass, and -domain-namedomain-name are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given -typetype, -classclass, and -domain-namedomain-name. The -datadata are written in the standard text representation of the resource record's RDATA.

Deletes any resource records named -domain-namedomain-name. If -typetype and -datadata is provided, only matching resource records will be removed. The internet class is assumed if -classclass is not supplied. The -ttlttl is ignored, and is only allowed for compatibility.

Adds a new resource record with the specified -ttlttl, -classclass and -datadata.

/etc/resolv.conf/etc/resolv.conf

used to identify default name server

K{name}.+157.+{random}.keyK{name}.+157.+{random}.key

.

K{name}.+157.+{random}.privateK{name}.+157.+{random}.private

- + + rndc-confgen

rndc-confgen

rndc-confgen [ [-a] [-a] [-b -b keysize] [keysize] [-c -c keyfile] [keyfile] [-h] [-h] [-k -k keyname] [keyname] [-p -p port] [port] [-r -r randomfile] [randomfile] [-s -s address] [address] [-t -t chrootdir] [chrootdir] [-u -u useruser]

/etc (or whatever - sysconfdirsysconfdir - was specified as when BINDBIND was built) that is read by both
-b -b keysizekeysize

-c -c keyfilekeyfile

-k -k keynamekeyname

Specifies the key name of the rndc authentication key. This must be a valid domain name. - The default is rndc-keyrndc-key.

-p -p portport

-r -r randomfilerandomfile

-s -s addressaddress

-t -t chrootdirchrootdir

-u -u useruser

rndc-confgen -arndc-confgen -a

rndc-confgenrndc-confgen

- + + rndc.conf

rndc.conf

The The optionsoptions statement contains five clauses. - The default-serverdefault-server clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to rndc. The . The default-keydefault-key clause is followed by the name of a key which is identified by - a keykey statement. If no - keyidkeyid is provided on the rndc command line, - and no keykey clause is found in a matching - serverserver statement, this default key will be used to authenticate the server's commands and responses. The - default-portdefault-port clause is followed by the port to connect to on the remote name server. If no - portport option is provided on the rndc command - line, and no portport clause is found in a - matching serverserver statement, this default port will be used to connect. - The default-source-addressdefault-source-address and - default-source-address-v6default-source-address-v6 clauses which can be used to set the IPv4 and IPv6 source addresses respectively.

After the After the serverserver keyword, the server statement includes a string which is the hostname or address for a name server. The statement has three possible clauses: - key, key, portport and - addressesaddresses. The key name must match the name of a key statement in the file. The port number - specifies the port to connect to. If an addressesaddresses clause is supplied these addresses will be used instead of the server name. Each address can take a optional port. - If an source-address or source-address or source-address-v6source-address-v6 of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively.

The The keykey statement begins with an identifying string, the name of the key. The statement has two clauses. - algorithmalgorithm identifies the encryption algorithm for :
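
Review bot: in the key statement description, "algorithm identifies the encryption algorithm" is a misnomer. The only algorithm value the parser gives meaning to is "hmac-md5" (as the rndc section of chapter 3 on this page states), which is a message authentication code, not a cipher: rndc control messages are authenticated with the shared secret, not encrypted. Suggest "authentication algorithm" so readers do not take the control channel to be confidential.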

rndc-confgenrndc-confgen

rndc.conf file, including the randomly generated key, will be written to the standard - output. Commented out keykey and - controlscontrols statements for :

echo "known plaintext for a secret" | mmencodeecho "known plaintext for a secret" | mmencode

named.conf. - See the sections on the controlscontrols statement in the BIND 9 Administrator Reference Manual for details.
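
Review bot: the example `echo "known plaintext for a secret" | mmencode` derives the shared secret from a fixed printable phrase, so the resulting base64 string carries no more entropy than that phrase and is trivially guessable. If it stays as an illustration of the base64 step, the surrounding text should say plainly that a secret made this way is weak and point to rndc-confgen, which this page says writes a randomly generated key, as the intended way to produce one.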

- + + rndc

rndc

rndc [ [-b -b source-address] [source-address] [-c -c config-file] [config-file] [-k -k key-file] [key-file] [-s -s server] [server] [-p -p port] [port] [-V] [-V] [-y -y key_idkey_id] {command}

-b -b source-addresssource-address

Use Use source-addresssource-address as the source address for the connection to the server. Multiple instances are permitted to allow setting of both @@ -203,19 +187,15 @@ CLASS="REPLACEABLE"

-c -c config-fileconfig-file

Use Use config-fileconfig-file as the configuration file instead of the default,

-k -k key-filekey-file

Use Use key-filekey-file as the key file instead of the default, /etc/rndc.key will be used to authenticate - commands sent to the server if the config-fileconfig-file does not exist.

-s -s serverserver

serverserver is the name or address of the server which matches a server statement in the configuration file for @@ -284,20 +254,16 @@ CLASS="COMMAND"

-p -p portport

Send commands to TCP port - portport instead of BIND 9's default control channel port, 953.

-y -y keyidkeyid

Use the key Use the key keyidkeyid from the configuration file. - keyidkeyid must be known by named with the same algorithm and secret string in order for control message validation to succeed. - If no keyidkeyid is specified,

There is currently no way to provide the shared secret for a - key_idkey_id without using the configuration file.

Introduction

Chapter 1. Introduction

Chapter 1. Introduction

The Internet Domain Name System (The Internet Domain Name System (DNSDNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the rules used for delegating authority over names, and the system implementation that actually maps names to Internet - addresses. DNSDNS data is maintained in a group of distributed hierarchical databases.

1.1. Scope of Document

The Berkeley Internet Name Domain (The Berkeley Internet Name Domain (BINDBIND) implements an domain name server for a number of operating systems. This document provides basic information about the installation and - care of the Internet Software Consortium (ISCISC) - BINDBIND version 9 software package for system administrators.

Section 1 introduces - the basic DNS and DNS and BINDBIND concepts. Section 2 - describes resource requirements for running BINDBIND in various environments. Information in in its presentation and is organized functionally, to aid in the process of installing the - BINDBIND 9 software. The task-oriented section is followed by Section 5 - describes the BINDBIND 9 lightweight resolver. The contents of Bibliography and - historic information related to BINDBIND and the Domain Name System.

The following conventions are used in descriptions of the -BINDBIND configuration file:

a pathname, filename, URL, hostname, mailing list name, or new term or concept

literal user input

Fixed Width BoldFixed Width Bold

program output

Fixed WidthFixed Width

keywords

Fixed WidthFixed Width

variables

Fixed WidthFixed Width

Optional input

[1.4. The Domain Name System (1.4. The Domain Name System (DNSDNS)

The purpose of this document is to explain the installation -and upkeep of the BINDBIND software package, and we begin by reviewing the fundamentals of the Domain Name System -(DNS) as they relate to DNS) as they relate to BINDBIND.

name servers and interprets the responses. -The BINDBIND 9 software distribution contains a name server, Example, Inc. could be -mail.example.commail.example.com, -where comcom is the top level domain to which -ourhost.example.comourhost.example.com belongs, -exampleexample is -a subdomain of comcom, and -ourhostourhost is the name of the host.

resource records ( (RRRRs). Some of the supported resource record types are described in .

As we stated previously, a zone is a point of delegation in -the DNSDNS tree. A zone consists of those contiguous parts of the domain tree for which a name server has complete information and over which @@ -726,36 +676,36 @@ CLASS="emphasis" parent zone, which should be matched by equivalent NS records at the root of the delegated zone.

For instance, consider the For instance, consider the example.comexample.com domain which includes names -such as host.aaa.example.comhost.aaa.example.com and -host.bbb.example.comhost.bbb.example.com even though -the example.comexample.com zone includes -only delegations for the aaa.example.comaaa.example.com and -bbb.example.combbb.example.com zones. A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other -name servers. Every name in the DNSDNS tree is a

Though Though BINDBIND is called a "domain name server", it deals primarily in terms of zones. The master and slave declarations in the DNSDNS servers and an Internet firewall. Servers unable to pass packets through the firewall would forward to the server -that can do it, and that server would query the Internet DNSDNS servers on the internal server's behalf. An added benefit of using the forwarding feature is that the central machine develops a much more complete @@ -1080,9 +1030,9 @@ NAME="AEN218" >1.4.6. Name Servers in Multiple Roles

The The BINDBIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for a set of local clients.
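
Review bot: in 1.1 "implements an domain name server" should be "implements a domain name server".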

BINDBIND Resource Requirements
BIND Resource Requirements

Chapter 2. Chapter 2. BIND Resource Requirements

BIND Resource Requirements
2.1. Hardware requirements

DNSDNS hardware requirements have traditionally been quite modest. For many installations, servers that have been pensioned off from -active duty have performed admirably as DNSDNS servers.

The DNSSEC and IPv6 features of The DNSSEC and IPv6 features of BINDBIND 9 may prove to be quite CPU intensive however, so organizations that make heavy use of these features may wish to consider larger systems for these applications. -BINDBIND 9 is fully multithreaded, allowing full utilization of multiprocessor systems for installations that need it.

2.2. CPU Requirements

CPU requirements for CPU requirements for BINDBIND 9 range from i486-class machines for serving of static zones without caching, to enterprise-class machines if you intend to process many dynamic updates and DNSSEC @@ -172,9 +172,9 @@ CLASS="command" >max-cache-size option can be used to limit the amount of memory used by the cache, -at the expense of reducing cache hit rates and causing more DNSDNS traffic. It is still good practice to have enough memory to load all zone and cache data into memory — unfortunately, the best way @@ -212,9 +212,9 @@ NAME="AEN248" >2.5. Supported Operating Systems

ISC ISC BINDBIND 9 compiles and runs on a large number of Unix-like operating system and on Windows NT / 2000. For an up-to-date list of supported systems, see the README file in the top level directory diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index f73d942d0e..204d64ced9 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -1,11 +1,11 @@ + Name Server Configuration

Chapter 3. Name Server Configuration

Chapter 3. Name Server Configuration

A primitive form of load balancing can be achieved in -the DNSDNS by using multiple A records for one name.

For example, if you have three WWW servers with network addresses @@ -214,11 +214,11 @@ following means that clients will connect to each machine one third of the time:

When a resolver queries for these records, When a resolver queries for these records, BINDBIND will rotate them and respond to the query with the records in a different order. In the example above, clients will randomly receive @@ -442,9 +382,9 @@ HREF="Bv9ARM.ch06.html#rrset_ordering" >. This substatement is not supported in - BINDBIND 9, and only the ordering scheme described above is available.

dig [@ [@server] server] domain [domain [query-type] [query-type] [query-class] [+query-class] [+query-option] [-query-option] [-dig-option] [%dig-option] [%commentcomment]

The usual simple use of dig will take the form

host [-aCdlrTwv] [-c [-aCdlrTwv] [-c class] [-N class] [-N ndots] [-t ndots] [-t type] [-W type] [-W timeout] [-R timeout] [-R retries] retries] hostname [hostname [serverserver]

For more information and a list of available commands and @@ -647,11 +559,9 @@ the name and requested information for a host or domain.

nslookup [-option...] [ [-option...] [host-to-findhost-to-find | - [server]]

Interactive mode is entered when no arguments are given (the @@ -695,10 +605,10 @@ CLASS="variablelist" >

named-checkconf

named-checkconf [-t [-t directory] [directory] [filenamefilename]

named-checkzone

named-checkzone [-dq] [-c [-dq] [-c class] class] zone [zone [filenamefilename]

rndc

rndc [-c [-c config] [-s config] [-s server] [-p server] [-p port] [-y port] [-y key] key] command [command [commandcommand...]

reloadreload

Reload configuration file and zones.

reload reload zonezone [classclass [viewview]]]

Reload the given zone.

refresh refresh zonezone [classclass [viewview]]]

Schedule zone maintenance for the given zone.

retransfer retransfer zonezone [classclass [viewview]]]

Retransfer the given zone from the master.

freeze freeze zonezone [classclass [viewview]]]

unfreeze unfreeze zonezone [classclass [viewview]]]

reconfigreconfig

statsstats

Write server statistics to the statistics file.

querylogquerylog

.

dumpdbdumpdb

Dump the server's caches to the dump file.

stopstop

halthalt

tracetrace

Increment the servers debugging level by one.

trace trace levellevel

notracenotrace

Sets the server's debugging level to 0.

flushflush

Flushes the server's cache.

statusstatus
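
Review bot: the bracket nesting in the rndc command synopses is unbalanced: "reload zone [class [view]]]" has three closing brackets for two opening ones, and the same pattern appears for refresh, retransfer, freeze and unfreeze. Each should read "zone [class [view]]".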

In In BINDBIND 9.2, rndc/etc/rndc.conf, but an alternate -location can be specified with the -c-c option. If the configuration file is not found, /etc/rndc.key (or whatever -sysconfdirsysconfdir was defined when -the BINDBIND build was configured). The default-server takes a host name or address argument and represents the server that will -be contacted if no -s-s option is provided on the command line. key statement in named.conf. -The keyword keykey is followed by a key name, which must be a valid domain name, though it need not actually be hierarchical; thus, -a string like "rndc_keyrndc_key" is a valid name. The secret. While the configuration parser will accept any string as the argument -to algorithm, currently only the string "hmac-md5hmac-md5" has any meaning. The secret is a base-64 encoded string.

key statement with a server. -The keyword serverserver is followed by a host name or address. The , would allow the command:

$ $ rndc reloadrndc reload

to connect to 127.0.0.1 port 953 and cause the name server @@ -1461,9 +1273,9 @@ CLASS="programlisting"

and it had an identical key statement for -rndc_keyrndc_key.

Running the command.

Name

TTL

CLASS

TYPE

Resource Record (RR) Data

wwwwww

600600

ININ

AA

10.0.0.110.0.0.1

600600

ININ

AA

10.0.0.210.0.0.2

600600

ININ

AA

10.0.0.310.0.0.3

BINDBIND Resource Requirements

Causes the server to read

Causes the server to clean up and exit.

Causes the server to clean up and exit.

Advanced DNS Features

Chapter 4. Advanced DNS Features

Chapter 4. Advanced DNS Features
4.9. IPv6 Support in IPv6 Support in BINDBIND 9
4.1. Notify

DNSDNS NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In response to a

DNSDNS For more information about rndc freeze rndc freeze zonezone. This will also remove the zone's rndc unfreeze rndc unfreeze zonezone to reload the changed zone and re-enable dynamic updates.

Proposed Standards.

When acting as a master, When acting as a master, BINDBIND 9 supports IXFR for those zones where the necessary change history information is available. These @@ -316,17 +312,15 @@ transfer (AXFR), IXFR is supported only if the option CLASS="command" >ixfr-from-differences is set -to yesyes.

When acting as a slave, When acting as a slave, BINDBIND 9 will attempt to use IXFR unless it is explicitly disabled. For more information about disabling @@ -381,9 +375,9 @@ CLASS="emphasis" >Example, Inc. -(example.comexample.com) has several corporate sites that have an internal network with reserved Internet Protocol (IP) space and an external demilitarized zone (DMZ), @@ -495,9 +489,9 @@ internal hosts.

Here's an example of a wildcard MX record:

*   IN MX 10 external1.example.com.*   IN MX 10 external1.example.com.

Now that they accept mail on behalf of anything in the internal @@ -534,24 +528,24 @@ internal clients will now be able to:

  • Look up any hostnames in the Look up any hostnames in the site1site1 and -site2.example.comsite2.example.com zones.

  • Look up any hostnames in the Look up any hostnames in the site1.internalsite1.internal and -site2.internalsite2.internal domains.

    • Look up any hostnames in the Look up any hostnames in the site1site1 and -site2.example.comsite2.example.com zones.

    • Exchange mail with anyone in the Exchange mail with anyone in the site1site1 and -site2.example.comsite2.example.com zones.

    acl internals { 172.16.72.0/24; 192.168.1.0/24; }; -acl externals { bastion-ips-go-herebastion-ips-go-here; }; options { @@ -615,9 +609,9 @@ options { ... forward only; forwarders { // forward to external servers - bastion-ips-go-herebastion-ips-go-here; }; allow-transfer { none; }; // sample allow-transfer (no one) @@ -719,25 +713,25 @@ NAME="tsig" >

    This is a short guide to setting up Transaction SIGnatures -(TSIG) based transaction security in BINDBIND. It describes changes to the configuration file as well as what changes are required for different features, including the process of creating transaction -keys and using transaction signatures with BINDBIND.

    BINDBIND primarily supports TSIG for server to server communication. This includes zone transfer, notify, and recursive query messages. -Resolvers based on newer versions of BINDBIND 8 have limited support for TSIG.

    nsupdate - program supports TSIG via the -k-k and - -y-y command line options.

    dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.

    The key is in the file Khost1-host2.+157+00000.private. Nothing directly uses this file, but the base-64 encoded string -following "Key:Key:" can be extracted from the file and used as a shared secret:

    Key: La/E5CjG9O+os1jq0a2jdA==

    The string "The string "La/E5CjG9O+os1jq0a2jdA==La/E5CjG9O+os1jq0a2jdA==" can be used as the shared secret.

    The algorithm, hmac-md5, is the only one supported by The algorithm, hmac-md5, is the only one supported by BINDBIND. The secret is the one generated above. Since this is a secret, it is recommended that either 4.5.5. TSIG Key Based Access Control

    BINDBIND allows IP addresses and ranges to be specified in ACL definitions and TKEY that specify how the key is - generated or assigned. BINDBIND 9 implements only one of these modes, the Diffie-Hellman key exchange. Both hosts are required to have @@ -1145,9 +1137,9 @@ NAME="AEN932" >4.7. SIG(0)

    BINDBIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC2931. SIG(0) uses public/private keys to authenticate messages. Access control @@ -1161,9 +1153,9 @@ CLASS="acronym" >SIG(0) signing of multiple-message TCP streams is not supported.

    The only tool shipped with The only tool shipped with BINDBIND 9 that generates SIG(0) signed messages is

    In order to set up a DNSSEC secure zone, there are a series - of steps which must be followed. BINDBIND 9 ships with several tools that are used in this process, which are explained in more detail - below. In all cases, the -h-h option prints a full list of parameters. Note that the DNSSEC tools require the keyset files to be in the working directory or the - directory specified by the -h-h option, and that the tools shipped with BIND 9.2.x and earlier are not compatible with the current ones.

    DSDS record at the delegation point.

    child.example zone:

    dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.

    Two output files will be produced: @@ -1323,24 +1313,24 @@ CLASS="filename" >keyset files corresponding to secure subzones should be present. The zone signer will - generate NSEC and NSEC and RRSIGRRSIG - records for the zone, as well as DSDS for - the child zones if '-d''-d' is specified. - If '-d''-d' is not specified then DS RRsets for the secure child zones need to be added manually.

    dnssec-signzone -o child.example zone.child.examplednssec-signzone -o child.example zone.child.example

    One output file is produced: @@ -1376,12 +1364,12 @@ CLASS="command" > will also produce a keyset and dsset files and optionally a dlvset file. These are used to provide the parent zone administators with the - DNSKEYs (or their corresponding DNSKEYs (or their corresponding DSDS records) that are the secure entry point to the zone.
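
Review bot: the DNSSEC setup introduction gives -h two incompatible meanings: first "the -h option prints a full list of parameters", then "the keyset files [must] be in the working directory or the directory specified by the -h option". The help flag cannot also take a directory argument; name the option that actually takes the keyset directory, otherwise operators following this text will place the child keyset files where the signer does not look for them and the DS records described below will not be generated.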

4.8.3. Configuring Servers

Unlike Unlike BINDBIND 8, -BINDBIND 9 does not verify signatures on load, so zone keys for authoritative zones do not need to be specified in the configuration file.

4.9. IPv6 Support in 4.9. IPv6 Support in BINDBIND 9

BINDBIND 9 fully supports all currently defined forms of IPv6 name to address and address to name lookups. It will also use IPv6 addresses to make queries when running on an IPv6 capable system.

For forward lookups, For forward lookups, BINDBIND 9 supports only AAAA records. The use of A6 records is deprecated by RFC 3363, and the - support for forward lookups in BINDBIND 9 is removed accordingly. - However, authoritative BINDBIND 9 name servers still load zone files containing A6 records correctly, answer queries for A6 records, and accept zone transfer for a zone containing A6 records.

For IPv6 reverse lookups, For IPv6 reverse lookups, BINDBIND 9 supports the traditional "nibble" format used in the ip6.int domain. - BINDBIND 9 formerly supported the "binary label" (also known as "bitstring") format. The support of binary labels, however, is now completely removed according to the changes in RFC 3363. - Any applications in BINDBIND 9 do not understand the format any more, and will return an error if given. - In particular, an authoritative BINDBIND 9 name server rejects to load a zone file containing binary labels.

It is recommended that IPv4-in-IPv6 mapped addresses not be used. If a host has an IPv4 address, use an A record, not - a AAAA, with ::ffff:192.168.42.1::ffff:192.168.42.1 as the address.

When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and - ip6.arpa.ip6.arpa. is appended to the resulting name. For example, the following would provide reverse name lookup for a host with address - 2001:db8::12001:db8::1.

The The BINDBIND 9 Lightweight Resolver
The BIND 9 Lightweight Resolver

Chapter 5. The Chapter 5. The BIND 9 Lightweight Resolver

BIND 9 Lightweight Resolver

Instead, Instead, BINDBIND 9 provides resolution services to local clients using a combination of a lightweight resolver library and a resolver daemon process running on the local host. These communicate using @@ -253,9 +253,9 @@ VALIGN="top" WIDTH="33%" ALIGN="right" VALIGN="top" ->BINDBIND 9 Configuration Reference BIND 9 Configuration Reference

Chapter 6. Chapter 6. BIND 9 Configuration Reference

BIND 9 Configuration Reference

BINDBIND 9 configuration is broadly similar -to BINDBIND 8; however, there are a few new areas -of configuration, such as views. BINDBIND -8 configuration files should work with few alterations in BINDBIND 9, although more complex configurations should be reviewed to check if they can be more efficiently implemented using the new features -found in BINDBIND 9.

BINDBIND 4 configuration files can be converted to the new format using the shell script 6.1. Configuration File Elements

Following is a list of elements used throughout the Following is a list of elements used throughout the BINDBIND configuration file documentation:

address_match_listaddress_match_list = address_match_list_element ;
   [ address_match_list_element; ... ]
-address_match_list_elementaddress_match_list_element = [ ! 6.1.2. Comment Syntax

The The BINDBIND 9 comment syntax allows for comments to appear -anywhere that white space may appear in a BINDBIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style.

/* This is a /* This is a BINDBIND comment as in C */
// This is a // This is a BINDBIND comment as in C++
# This is a # This is a BINDBIND comment as in common UNIX shells and perl

Comments may appear anywhere that whitespace may appear in -a BINDBIND configuration file.

C-style comments start with the two characters /* (slash, @@ -1004,9 +862,9 @@ CLASS="programlisting" >

Shell-style (or perl-style, if you prefer) comments start -with the character ## (number sign) and continue to the end of the physical line, as in C++ comments.

6.2. Configuration File Grammar

A A BINDBIND 9 configuration consists of statements and comments. Statements end with a semicolon. Statements and comments are the only elements that can appear without enclosing braces. Many @@ -1071,11 +929,11 @@ CLASS="acronym" >The following statements are supported:

acl_nameacl_name

The name of an The name of an address_match_listaddress_match_list as defined by the

address_match_listaddress_match_list

A list of one or more A list of one or more ip_addrip_addr, -ip_prefix, ip_prefix, key_idkey_id, -or acl_nameacl_name elements, see

domain_namedomain_name

A quoted string which will be used as -a DNS name, for example "my.test.domainmy.test.domain".

dotted_decimaldotted_decimal

One to four integers valued 0 through 255 separated by dots (`.'), such as

ip4_addrip4_addr

An IPv4 address with exactly four elements -in dotted_decimaldotted_decimal notation.

ip6_addrip6_addr

An IPv6 address, such as

ip_addrip_addr

An An ip4_addr or ip4_addr or ip6_addrip6_addr.

ip_portip_port

An IP port An IP port numbernumber. -numbernumber is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases an asterisk (`*') character can be used as a placeholder to @@ -398,28 +350,22 @@ select a random high-numbered port.

ip_prefixip_prefix

An IP network specified as an An IP network specified as an ip_addrip_addr, followed by a slash (`/') and then the number of bits in the netmask. -Trailing zeros in a ip_addrip_addr may omitted. For example,

key_idkey_id

A A domain_namedomain_name representing the name of a shared key, to be used for transaction security.

key_listkey_list

A list of one or more A list of one or more key_idkey_ids, separated by semicolons and ending with a semicolon.

numbernumber

A non-negative 32 bit integer (i.e., a number between 0 and 4294967295, inclusive). @@ -514,19 +442,13 @@ be limited by the context in which it is used.

path_namepath_name

A quoted string which will be used as a pathname, such as

size_specsize_spec

A number, the word A number, the word unlimitedunlimited, -or the word defaultdefault.

An An unlimited unlimited size_specsize_spec requests unlimited -use, or the maximum available amount. A default size_specdefault size_spec uses the limit that was in force when the server was started.

A A numbernumber can -optionally be followed by a scaling factor: K or K or kk for -kilobytes, M or M or mm for -megabytes, and G or G or gg for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.

The value must be representable as a 64-bit unsigned integer (0 to 18446744073709551615, inclusive). -Using unlimitedunlimited is the best way to safely set a really large number.

yes_or_noyes_or_no

Either Either yes or yes or nono. -The words true and true and falsefalse are -also accepted, as are the numbers 1 and 1 and 00.

dialup_optiondialup_option

One of One of yesyes, -no, no, notifynotify, -notify-passive, notify-passive, refreshrefresh or -passivepassive. -When used in a zone, notify-passivenotify-passive, -refresh, and refresh, and passivepassive are restricted to slave and stub zones.

The following ACLs are built-in:

defines a named IP address matching list, for access control and other uses.

declares control channels to be used by the

includes a file.

specifies key information for use in authentication and authorization using TSIG.

specifies what the server logs, and where the log messages are sent.

configures

defines a named masters list for inclusion in stub and slave zone masters clauses.

controls global server configuration options and sets defaults for other statements.

sets certain configuration options on a per-server basis.

defines trusted DNSSEC keys.

defines a view.

defines a zone.

Matches all hosts.

Matches no hosts.

Matches the IPv4 and IPv6 addresses of all network interfaces on the system.

Matches any host on an IPv4 or IPv6 network for which the system has an interface. @@ -1517,17 +1279,13 @@ CLASS="command" inet ( ip_addr | * ) [ port ip_port ] allow { ] allow { address_match_list address_match_list } - keys { key_list key_list }; [ip_addr - of ** is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_addr of of ::::. If you will only use rndc on the local host, - using the loopback address (127.0.0.1127.0.0.1 - or ::1::1) is recommended for maximum security.

If no port is specified, port 953 - is used. "**" cannot be used for /etc (or whatever (or whatever sysconfdirsysconfdir -was specified as when BINDBIND was built). To create a rndc.key file, run -rndc-confgen -arndc-confgen -a.

rndc.key feature was created to - ease the transition of systems from BINDBIND 8, which did not have digital signatures on its command channel messages and thus did not have a keys clause. -It makes it possible to use an existing BINDBIND 8 -configuration file in BINDBIND 9 unchanged, and still have ndc worked in BIND 8, simply by executing the -command rndc-confgen -arndc-confgen -a after BIND 9 is installed.

rndc.key feature is only intended to allow the backward-compatible usage of - BINDBIND 8 configuration files, this feature does not have a high degree of configurability. You cannot easily change the key name or the size of the secret, so you should make a @@ -1794,18 +1548,18 @@ CLASS="filename" > and make it group readable by a group that contains the users who should have access.

The UNIX control channel type of The UNIX control channel type of BINDBIND 8 is not supported - in BINDBIND 9, and is not expected to be added in future releases. If it is present in the controls statement from a - BINDBIND 8 configuration file, it is ignored and a warning is logged.

include include filenamefilename;
key key key_idkey_id {
-    algorithm stringstring;
-    secret stringstring;
 };
 

The The key_idkey_id, also known as the key name, is a domain name uniquely identifying the key. It can be used in a

The The algorithm_idalgorithm_id is a string that specifies a security/authentication algorithm. The only algorithm currently supported with TSIG authentication is -hmac-md5hmac-md5. The -secret_stringsecret_string is the secret to be used by the algorithm, and is treated as a base-64 encoded string.

channel channel_namechannel_name { ( file path namepath name [ versions ( ( number | number | unlimitedunlimited ) ] [ size size specsize spec ] | syslog syslog_facilitysyslog_facility | severity ( (critical | critical | error | error | warning | warning | noticenotice | - info | info | debug [ debug [ level ] | level ] | dynamicdynamic ); ] [ print-category yes or yes or nono; ] [ print-severity yes or yes or nono; ] [ print-time yes or yes or nono; ] }; ] [ category category_namecategory_name { - channel_name ; [ channel_name ; [ channel_namchannel_name ; ... ] }; ] ... @@ -2194,13 +1916,13 @@ CLASS="programlisting" };

In In BINDBIND 9, the logging configuration is only established when -the entire configuration file has been parsed. In BINDBIND 8, it was established as soon as the statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default -channels, or to standard error if the "-g-g" option was specified.

named server -with the -d-d flag followed by a positive integer, or by running options are on:

28-Feb-2000 15:05:32.863 general: notice: running28-Feb-2000 15:05:32.863 general: notice: running

There are four predefined channels that are used for @@ -2645,9 +2367,9 @@ CLASS="filename" > in the server's working directory.

For security reasons, when the "For security reasons, when the "-u-u" command line option is used, the named is starting up and still running as root is discarded. If you need -to capture this output, you must run the server with the "-g-g" option and redirect standard error to a file.

Following are the available categories and brief descriptions of the types of log information they contain. More -categories may be added in future BINDBIND releases.

The default category defines the logging options for those categories where no specific configuration has been @@ -2764,9 +2480,6 @@ defined.

The catch-all. Many things still aren't classified into categories, and they all end up here.

Messages relating to the databases used internally by the name server to store zone and cache data.

Approval and denial of requests.

Configuration file parsing and processing.

DNS resolution, such as the recursive lookups performed on behalf of clients by a caching name server.

Zone transfers the server is receiving.

Zone transfers the server is sending.

The NOTIFY protocol.

Processing of client requests.

Messages that named was unable to determine the class of or for which there was no matching

Network operations.

Dynamic updates.

Approval and denial of update requests.

Specify where queries should be logged to.

@@ -3063,13 +2695,13 @@ query was signed (S).

client 127.0.0.1#62536: query: www.example.com IN AAAA +SEclient 127.0.0.1#62536: query: www.example.com IN AAAA +SE
-client ::1#62537: query: www.example.net IN AAAA -SEclient ::1#62537: query: www.example.net IN AAAA -SE
 
@@ -3077,9 +2709,6 @@ CLASS="computeroutput" >

Dispatching of incoming packets to the server modules where they are to be processed. @@ -3098,9 +2724,6 @@ server modules where they are to be processed. >

DNSSEC and TSIG protocol processing.

Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query @@ -3140,9 +2754,6 @@ those servers during resolution. >

Delegation only. Logs queries that have have been forced to NXDOMAIN as the result of a delegation-only zone or @@ -3198,70 +2806,54 @@ CLASS="command" > { [ listen-on { listen-on { ip_addrip_addr [port port ip_portip_port] ; [ ip_addrip_addr [port port ip_portip_port] ; ... ] }; ] [ view view view_nameview_name; ] [ search { search { domain_namedomain_name ; [ domain_namedomain_name ; ... ] }; ] [ ndots ndots numbernumber; ] }; 
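Review bot: the delegation-only category description carries a doubled word, "Logs queries that have have been forced to NXDOMAIN"; this file is regenerated output, so the fix belongs in the DocBook source it is built from rather than in this HTML, or the next regen will put the typo straight back.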
@@ -3357,44 +2949,32 @@ CLASS="programlisting" > masters namename [port port ip_portip_port] { ( ] { ( masters_list | masters_list | ip_addrip_addr [port port ip_portip_port] [key key keykey] ) ; [options { [ version version version_stringversion_string; ] [ hostname hostname hostname_stringhostname_string; ] [ server-id server-id server_id_stringserver_id_string; ] [ directory directory path_namepath_name; ] [ key-directory key-directory path_namepath_name; ] [ named-xfer named-xfer path_namepath_name; ] [ tkey-domain tkey-domain domainnamedomainname; ] [ tkey-dhkey tkey-dhkey key_name key_name key_tagkey_tag; ] [ dump-file dump-file path_namepath_name; ] [ memstatistics-file memstatistics-file path_namepath_name; ] [ pid-file pid-file path_namepath_name; ] [ statistics-file statistics-file path_namepath_name; ] [ zone-statistics zone-statistics yes_or_noyes_or_no; ] [ auth-nxdomain auth-nxdomain yes_or_noyes_or_no; ] [ deallocate-on-exit deallocate-on-exit yes_or_noyes_or_no; ] [ dialup dialup dialup_optiondialup_option; ] [ fake-iquery fake-iquery yes_or_noyes_or_no; ] [ fetch-glue fetch-glue yes_or_noyes_or_no; ] [ flush-zones-on-shutdown flush-zones-on-shutdown yes_or_noyes_or_no; ] [ has-old-clients has-old-clients yes_or_noyes_or_no; ] [ host-statistics host-statistics yes_or_noyes_or_no; ] [ minimal-responses minimal-responses yes_or_noyes_or_no; ] [ multiple-cnames multiple-cnames yes_or_noyes_or_no; ] [ notify notify yes_or_no | yes_or_no | explicit | explicit | master-onlymaster-only; ] [ recursion recursion yes_or_noyes_or_no; ] [ rfc2308-type1 rfc2308-type1 yes_or_noyes_or_no; ] [ use-id-pool use-id-pool yes_or_noyes_or_no; ] [ maintain-ixfr-base maintain-ixfr-base yes_or_noyes_or_no; ] [ dnssec-enable dnssec-enable yes_or_noyes_or_no; ] [ dnssec-lookaside dnssec-lookaside domain trust-anchor domain trust-anchor domaindomain; ] [ dnssec-must-be-secure dnssec-must-be-secure domain yes_or_nodomain yes_or_no; ] [ forward ( forward ( only | only | 
firstfirst ); ] [ forwarders { forwarders { ip_addrip_addr [port port ip_portip_port] ; [ ip_addrip_addr [port port ip_portip_port] ; ... ] }; dual-stack-servers [port port ip_portip_port] { ( ] { ( domain_namedomain_name [port port ip_portip_port] | ] | ip_addrip_addr [port port ip_portip_port] ) ; ... }; ] [ check-names ( check-names ( master | master | slave | slave | response )( response )( warn | warn | fail | fail | ignoreignore ); ] [ allow-notify { allow-notify { address_match_listaddress_match_list }; ] [ allow-query { allow-query { address_match_listaddress_match_list }; ] [ allow-transfer { allow-transfer { address_match_listaddress_match_list }; ] [ allow-recursion { allow-recursion { address_match_listaddress_match_list }; ] [ allow-update-forwarding { allow-update-forwarding { address_match_listaddress_match_list }; ] [ allow-v6-synthesis { allow-v6-synthesis { address_match_listaddress_match_list }; ] [ blackhole { blackhole { address_match_listaddress_match_list }; ] [ avoid-v4-udp-ports { avoid-v4-udp-ports { port_listport_list }; ] [ avoid-v6-udp-ports { avoid-v6-udp-ports { port_listport_list }; ] [ listen-on [ port port ip_portip_port ] { ] { address_match_listaddress_match_list }; ] [ listen-on-v6 [ port port ip_portip_port ] { ] { address_match_listaddress_match_list }; ] [ query-source ( ( query-source ( ( ip4_addr | ip4_addr | ** ) [ port ( port ( ip_port | ip_port | ** ) ] | [ address ( address ( ip4_addr | ip4_addr | ** ) ] [ port ( port ( ip_port | ip_port | ** ) ] ) ; ] [ query-source-v6 ( ( query-source-v6 ( ( ip6_addr | ip6_addr | ** ) [ port ( port ( ip_port | ip_port | ** ) ] | [ address ( address ( ip6_addr | ip6_addr | ** ) ] [ port ( port ( ip_port | ip_port | ** ) ] ) ; ] [ max-transfer-time-in max-transfer-time-in numbernumber; ] [ max-transfer-time-out max-transfer-time-out numbernumber; ] [ max-transfer-idle-in max-transfer-idle-in numbernumber; ] [ max-transfer-idle-out max-transfer-idle-out numbernumber; ] [ tcp-clients 
tcp-clients numbernumber; ] [ recursive-clients recursive-clients numbernumber; ] [ serial-query-rate serial-query-rate numbernumber; ] [ serial-queries serial-queries numbernumber; ] [ tcp-listen-queue tcp-listen-queue numbernumber; ] [ transfer-format transfer-format ( one-answer | many-answers )( one-answer | many-answers ); ] [ transfers-in transfers-in numbernumber; ] [ transfers-out transfers-out numbernumber; ] [ transfers-per-ns transfers-per-ns numbernumber; ] [ transfer-source ( transfer-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ] [ transfer-source-v6 ( transfer-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ] [ alt-transfer-source ( alt-transfer-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ] [ alt-transfer-source-v6 ( alt-transfer-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ] [ use-alt-transfer-source use-alt-transfer-source yes_or_noyes_or_no; ] [ notify-source ( notify-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ] [ notify-source-v6 ( notify-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ] [ also-notify { also-notify { ip_addrip_addr [port port ip_portip_port] ; [ ip_addrip_addr [port port ip_portip_port] ; ... ] }; ] [ max-ixfr-log-size max-ixfr-log-size numbernumber; ] [ max-journal-size max-journal-size size_specsize_spec; ] [ coresize coresize size_specsize_spec ; ] [ datasize datasize size_specsize_spec ; ] [ files files size_specsize_spec ; ] [ stacksize stacksize size_specsize_spec ; ] [ cleaning-interval cleaning-interval numbernumber; ] [ heartbeat-interval heartbeat-interval numbernumber; ] [ interface-interval interface-interval numbernumber; ] [ statistics-interval statistics-interval numbernumber; ] [ topology { topology { address_match_listaddress_match_list }]; [ sortlist { sortlist { address_match_listaddress_match_list }]; [ rrset-order { rrset-order { order_specorder_spec ; [ order_specorder_spec ; ... 
] ] }; [ lame-ttl lame-ttl numbernumber; ] [ max-ncache-ttl max-ncache-ttl numbernumber; ] [ max-cache-ttl max-cache-ttl numbernumber; ] [ sig-validity-interval sig-validity-interval numbernumber ; ] [ min-roots min-roots numbernumber; ] [ use-ixfr use-ixfr yes_or_noyes_or_no ; ] [ provide-ixfr provide-ixfr yes_or_noyes_or_no; ] [ request-ixfr request-ixfr yes_or_noyes_or_no; ] [ treat-cr-as-space treat-cr-as-space yes_or_noyes_or_no ; ] [ min-refresh-time min-refresh-time numbernumber ; ] [ max-refresh-time max-refresh-time numbernumber ; ] [ min-retry-time min-retry-time numbernumber ; ] [ max-retry-time max-retry-time numbernumber ; ] [ port port ip_portip_port; ] [ additional-from-auth additional-from-auth yes_or_noyes_or_no ; ] [ additional-from-cache additional-from-cache yes_or_noyes_or_no ; ] [ random-device random-device path_namepath_name ; ] [ max-cache-size max-cache-size size_specsize_spec ; ] [ match-mapped-addresses match-mapped-addresses yes_or_noyes_or_no; ] [ preferred-glue ( preferred-glue ( A | A | AAAA | AAAA | NONENONE ); ] [ edns-udp-size edns-udp-size numbernumber; ] [ root-delegation-only [ exclude { exclude { namelistnamelist } ] ; ] [ querylog querylog yes_or_noyes_or_no ; ] }; [ disable-algorithms disable-algorithms domain { domain { algorithmalgorithm; [ algorithmalgorithm; ] }; ] @@ -4747,9 +4021,9 @@ CLASS="command" CLASS="command" >options statement sets up global options -to be used by BINDBIND. This statement may appear only once in a configuration file. If there is no This option is obsolete. -It was used in BINDBIND 8 to specify the pathname to the named-xfer program. -In BINDBIND 9, no separate named-xferTKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared -key will be "client specified partclient specified part" + -"tkey-domaintkey-domain". -Otherwise, the name of the shared key will be "random hex -digits" + "" + "tkey-domaintkey-domain". In most cases, the

Specify heirachies which must / may not be secure (signed and validated). -If yesyes then named will only accept answers if they are secure. -If nono then normal dnssec validation applies allowing for insecure answers to be accepted. The specified domain must be under a

If If yesyes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually -authoritative. The default is nono; this is -a change from BINDBIND 8. If you are using very old DNS software, you -may need to set it to yesyes.

This option was used in This option was used in BINDBIND 8 to enable checking -for memory leaks on exit. BINDBIND 9 ignores the option and always performs the checks.

If If yesyes, then the server treats all zones as if they are doing zone transfers across a dial on demand dialup link, which can be brought up by traffic @@ -5188,11 +4450,9 @@ CLASS="command" >heartbeat-interval and hopefully during the one call. It also suppresses some of the normal -zone maintenance traffic. The default is nono.

The

Finer control can be achieved by using -notifynotify which only sends NOTIFY messages, -notify-passivenotify-passive which sends NOTIFY messages and -suppresses the normal refresh queries, refreshrefresh which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires, and -passivepassive which just disables normal refresh processing.

In In BINDBIND 8, this option enabled simulating the obsolete DNS query type -IQUERY. BINDBIND 9 never does IQUERY simulation.

This option is obsolete. -In BIND 8, fetch-glue yesfetch-glue yes caused the server to attempt to fetch glue resource records it didn't have when constructing the additional @@ -5567,11 +4733,9 @@ flush / do not flush any pending zone writes. The default is flush-zones-on-shutdown nono.

This option was incorrectly implemented -in BIND 8, and is ignored by BIND 8, and is ignored by BINDBIND 9. To achieve the intended effect of has-old-clients yesyes, specify the two separate options auth-nxdomain yesyes and rfc2308-type1 nono instead.

This option is obsolete. - It was used in BINDBIND 8 to determine whether a transaction log was -kept for Incremental Zone Transfer. BINDBIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone transfers, use provide-ixfr nono.

If If yesyes, then when generating responses the server will only add records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This may improve the performance of the server. -The default is nono.

This option was used in This option was used in BINDBIND 8 to allow a domain name to have multiple CNAME records in violation of the -DNS standards. BINDBIND 9.2 always strictly enforces the CNAME rules both in master files and dynamic updates.

If If yesyes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see option.

If If master-onlymaster-only, notifies are only sent for master zones. -If explicitexplicit, notifies are sent only to servers explicitly listed using also-notify. -If nono, no notifies are sent.

If If yesyes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a -referral response. The default is yesyes. Note that setting

Setting this to Setting this to yesyes will cause the server to send NS records along with the SOA record for negative -answers. The default is nono.

This option is obsolete. -BINDBIND 9 always allocates query IDs from a pool.

If If yesyes, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying

This option was used in This option was used in BINDBIND 8 to make the server treat carriage return ("") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated -on an NT or DOS machine. In BINDBIND 9, both UNIX "\n

When both of these options are set to When both of these options are set to yesyes (the default) and a query is being answered from authoritative data (a zone @@ -6030,17 +5162,17 @@ at the possible expense of additional queries to resolve what would otherwise be provided in the additional section.

For example, if a query asks for an MX record for host For example, if a query asks for an MX record for host foo.example.comfoo.example.com, -and the record found is "MX 10 mail.example.netMX 10 mail.example.net", normally the address -records (A and AAAA) for mail.example.netmail.example.net will be provided as well, if known, even though they are not in the example.com zone. Setting these options to

If If yesyes, then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address. @@ -6147,11 +5277,9 @@ CLASS="command" > This should be set when you have multiple masters for a zone and the addresses refer to different machines. If 'yes' named will not log when the serial number on the master is less than what named currently -has. The default is nono.

Enable DNSSEC support in named. Unless set to Enable DNSSEC support in named. Unless set to yesyes named behaves as if it does not support DNSSEC. -The default is nono.

This option is only meaningful if the -forwarders list is not empty. A value of firstfirst, the default, causes the server to query the forwarders first, and if that doesn't answer the question the server will then look for -the answer itself. If onlyonly is specified, the server will only query the forwarders.

Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the -master. The default is { none; }{ none; }, which means that no update forwarding will be performed. To enable update forwarding, specify -allow-update-forwarding { any; };allow-update-forwarding { any; };. -Specifying values other than { none; }{ none; } or -{ any; }{ any; } is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves.

Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries -from these addresses will not be responded to. The default is nonenone.

listen-on takes -an optional port, and an address_match_listaddress_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.

{ any; } is specified -as the address_match_listaddress_match_list for the 6.2.16.7. Zone Transfers

BINDBIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.

many-answers is more efficient, but is only supported by relatively new slave servers, -such as BIND 9, BIND 9, BINDBIND 8.x and patched -versions of BINDBIND 4.9.5. The default is

The maximum number of inbound zone transfers -that can be running concurrently. The default value is 1010. Increasing

The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess -of the limit will be refused. The default value is 1010.

The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. -The default value is 22. Increasing transfers-per-ns

The maximum size of a core dump. The default -is defaultdefault.

The maximum amount of data memory the server -may use. The default is defaultdefault. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this @@ -7221,9 +6335,9 @@ CLASS="command" >

The maximum number of files the server -may have open concurrently. The default is unlimitedunlimited.

The maximum amount of stack memory the server -may use. The default is defaultdefault.

). When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically removed. The default is -unlimitedunlimited.

The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is -10001000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the

The maximum number of simultaneous client TCP connections that the server will accept. -The default is 100100.

unlimitedunlimited, meaning that records are purged from the cache only when their TTLs expire.

Note: Not yet implemented in Not yet implemented in BINDBIND9.

topology
option -is not implemented in BINDBIND 9.

The following example will give reasonable behavior for the local host and hosts on directly connected networks. It is similar -to the behavior of the address sort in BINDBIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly @@ -7691,34 +6805,26 @@ CLASS="command" CLASS="programlisting" >[ class class class_nameclass_name ][ type type type_nametype_name ][ name name "domain_name""domain_name"] - order orderingordering

are:

dialup mode

normal refresh

heart-beat refresh

heart-beat notify

(default)

yes

no

no

no

yes

yes

yes

no

yes

no

yes

no

no

no

no

no

no

yes

Records are returned in the order they are defined in the zone file.

Records are returned in some random order.

Records are returned in a round-robin order.

will cause any responses for type A records in class IN that -have "host.example.comhost.example.com" as a suffix, to always be returned in random order. All other records are returned in cyclic order.

rrset-order statement -is not yet fully implemented in BINDBIND 9. BIND 9 currently does not support "fixed" ordering.

NOT recommended.) -Default is 600600 (10 minutes). Maximum value is -18001800 (30 minutes).

max-ncache-ttl is is 1080010800 seconds (3 hours).

The minimum number of root servers that is required for a request for the root servers to be accepted. Default -is 22.

Note: Not implemented in Not implemented in BINDBIND9.

Section 4.2) -will expire. The default is 3030 days. The maximum value is 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time @@ -8047,9 +7133,9 @@ NAME="builtin" >

The server provides some helpful diagnostic information through a number of built-in zones under the -pseudo-top-level-domain bindbind in the

The version the server should report -via a query of the name version.bindversion.bind with type 6.2.16.17. The Statistics File

The statistics file generated by The statistics file generated by BINDBIND 9 is similar, but not identical, to that -generated by BINDBIND 8.

The following statistics counters are maintained:

The number of successful queries made to the server or zone. A successful query @@ -8257,9 +7337,6 @@ one answer RR.

The number of queries which resulted in referral responses.

The number of queries which resulted in NOERROR responses with no data.

The number of queries which resulted in NXDOMAIN responses.

The number of queries which resulted in a failure response other than those above.

The number of queries which caused the server to perform recursion in order to find the final answer.

server server ip_addrip_addr {
     [ bogus  bogus yes_or_noyes_or_no ; ]
     [ provide-ixfr  provide-ixfr yes_or_noyes_or_no ; ]
     [ request-ixfr  request-ixfr yes_or_noyes_or_no ; ]
     [ edns  edns yes_or_noyes_or_no ; ]
     [ transfers  transfers numbernumber ; ]
     [ transfer-format  transfer-format ( one-answer | many-answers )( one-answer | many-answers ) ; ]]
     [ keys  keys { string ; [ string ; [...]] }] } ; ]
     [ transfer-source ( transfer-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ]
     [ transfer-source-v6 ( transfer-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ]
@@ -8651,16 +7677,16 @@ as many resource records as possible into a message. many-answers is
-more efficient, but is only known to be understood by BIND 9, BIND 9, BINDBIND
-8.x, and patched versions of BINDBIND 4.9.5. You can specify which method
 to use for a server with the 
trusted-keys {
-    string string number number number number number number stringstring ;
     [  string string number number number number number number stringstring ; [...
view view view_nameview_name 
       [classclass] {
-      match-clients { address_match_listaddress_match_list } ;
-      match-destinations { address_match_listaddress_match_list } ;
-      match-recursive-only yes_or_noyes_or_no ;
       [  view_optionview_option; ...]
       [  zone_statementzone_statement; ...]
 };
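Review bot: in the view statement grammar the match-clients { address_match_list } ;, match-destinations { address_match_list } ; and match-recursive-only yes_or_no ; lines appear only as removed (-) lines, and the trusted-keys grammar likewise loses its first string number number number string ; line, with no added replacement visible anywhere in this hunk; the prose that follows still explains that a client matches a view by the address_match_list of its match-clients and match-destinations clauses. Please confirm the regenerated named.conf.html still carries these lines in the grammar blocks, otherwise the reference describes clauses the syntax summary no longer shows.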
@@ -8946,9 +7938,9 @@ CLASS="command"
 CLASS="command"
 >view statement is a powerful new feature
-of BINDBIND 9 that lets a name server answer a DNS query differently
 depending on who is asking. It is particularly useful for implementing
 split DNS setups without having to run multiple servers.

statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the address_match_list of the view's match-clients clause and its destination IP address matches the address_match_list of the view's
zone zone zone_namezone_name [classclass] [ allow-notify {  allow-notify { address_match_listaddress_match_list } ; ]
     [ allow-query {  allow-query { address_match_listaddress_match_list } ; ]
     [ allow-transfer {  allow-transfer { address_match_listaddress_match_list } ; ]
     [ allow-update {  allow-update { address_match_listaddress_match_list } ; ]
     [ update-policy {  update-policy { update_policy_ruleupdate_policy_rule [...]
     [ allow-update-forwarding {  allow-update-forwarding { address_match_listaddress_match_list } ; ]
     [ also-notify {  also-notify { ip_addrip_addr [port port ip_portip_port] ; [  ip_addrip_addr [port port ip_portip_port] ; ... ] }; ]
     [ check-names ( check-names (warn|warn|fail|fail|ignoreignore) ; ]
     [ dialup  dialup dialup_optiondialup_option ; ]
     [ delegation-only  delegation-only yes_or_noyes_or_no ; ]
     [ file  file stringstring ; ]
     [ forward ( forward (only|only|firstfirst) ; ]
     [ forwarders {  forwarders { ip_addrip_addr [port port ip_portip_port] ; [  ip_addrip_addr [port port ip_portip_port] ; ... ] }; ]
     [ ixfr-base  ixfr-base stringstring ; ]
     [ ixfr-tmp-file  ixfr-tmp-file stringstring ; ]
     [ maintain-ixfr-base  maintain-ixfr-base yes_or_noyes_or_no ; ]
     [ masters [port port ip_portip_port] { ( ] { ( masters_list | masters_list | ip_addrip_addr [port port ip_portip_port] [key key keykey] ) ; []
     [ max-ixfr-log-size  max-ixfr-log-size numbernumber ; ]
     [ max-transfer-idle-in  max-transfer-idle-in numbernumber ; ]
     [ max-transfer-idle-out  max-transfer-idle-out numbernumber ; ]
     [ max-transfer-time-in  max-transfer-time-in numbernumber ; ]
     [ max-transfer-time-out  max-transfer-time-out numbernumber ; ]
     [ notify  notify yes_or_no | yes_or_no | explicit | explicit | master-onlymaster-only ; ]
     [ pubkey  pubkey number number number number number number stringstring ; ]
     [ transfer-source ( transfer-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ]
     [ transfer-source-v6 ( transfer-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ]
     [ alt-transfer-source ( alt-transfer-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ]
     [ alt-transfer-source-v6 ( alt-transfer-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ]
     [ use-alt-transfer-source  use-alt-transfer-source yes_or_noyes_or_no; ]
     [ notify-source ( notify-source (ip4_addr | ip4_addr | **) [port port ip_portip_port] ; ]
     [ notify-source-v6 ( notify-source-v6 (ip6_addr | ip6_addr | **) [port port ip_portip_port] ; ]
     [ zone-statistics  zone-statistics yes_or_noyes_or_no ; ]
     [ sig-validity-interval  sig-validity-interval numbernumber ; ]
     [ database  database stringstring ; ]
     [ min-refresh-time  min-refresh-time numbernumber ; ]
     [ max-refresh-time  max-refresh-time numbernumber ; ]
     [ min-retry-time  min-retry-time numbernumber ; ]
     [ max-retry-time  max-retry-time numbernumber ; ]
     [ multi-master  multi-master yes_or_noyes_or_no ; ]
     [ key-directory  key-directory path_namepath_name; ]
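Review bot: the zone statement grammar still lists ixfr-base, ixfr-tmp-file, maintain-ixfr-base and pubkey as ordinary options, while the option descriptions that follow say BIND 9 ignores every one of them; consider marking them as obsolete in the grammar block so readers do not configure no-ops. Separately, the update-policy { update_policy_rule [...] line and the masters [port ip_port] { ( masters_list | ip_addr [port ip_port] [key key] ) ; [] line are cut off without a closing } ; ], so please check that the regenerated block is syntactically complete.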
 
@@ -9710,11 +8580,11 @@ NAME="AEN3630"
 >

The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), is assumed. This is correct for the vast majority of cases.

The hesiod class is named for an information service from MIT's Project Athena. It is used to share information about various systems databases, such as users, groups, printers and so on. The keyword HS is a synonym for hesiod.

Another MIT development is CHAOSnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class.

notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified @@ -10183,11 +9017,9 @@ identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type.

The default is "rbt", BIND 9's native in-memory red-black-tree database. This database does not take arguments.

The flag only applies to hint and stub zones. If set to yes then the zone will also be treated as if it is also a delegation-only type zone.

Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending "

Was an undocumented option in BIND 8. Ignored in BIND 9.

In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option.

If yes, the server will keep statistical information for this zone, which can be dumped to the

6.2.24.4. Dynamic Update Policies

BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.

The update-policy clause is new in BIND 9 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies @@ -10697,28 +9525,20 @@ | deny ) identity nametype name [ types ] identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so the rule will apply to multiple identities. The identity field must contain a fully qualified domain name.

The nametype field has 4 values: name, subdomain, wildcard, and self.

master

The server has a master copy of the data for the zone and will be able to provide authoritative answers for @@ -9743,19 +8607,13 @@ it.

slave

A slave zone is a replica of a master zone. The example.com might place the zone contents into a file called

stub

A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation.

@@ -9827,20 +8679,20 @@ . This usage is not recommended for new configurations, and BIND 9 supports it only in a limited way. In BIND 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub zones @@ -9852,9 +8704,9 @@ configured.

10.in-addr.arpa to use a set of internal name servers as the authoritative servers for that domain.

forward

A "forward zone" is a way to configure forwarding on a per-domain basis. A

hint

The initial set of root name servers is specified using a "hint zone". When the server starts up, it uses @@ -9942,19 +8782,13 @@ Classes other than IN have no built-in defaults hints.

delegation-only

This is used to enforce the delegation only status of infrastructure zones (e.g. COM, NET, ORG). Any answer that @@ -9963,9 +8797,9 @@ section will be treated as NXDOMAIN. This does not apply to the zone apex. This SHOULD NOT be applied to leaf zones.

delegation-only has no effect on answers received from forwarders.

In all cases, the name field must specify a fully qualified domain name.

The components of a Resource Record are:

name

Exact-match semantics. This rule matches when the name being updated is identical to the contents of the name field.

subdomain

This rule matches when the name being updated is a subdomain of, or identical to, the contents of the name field.

wildcard

The name field is subject to DNS wildcard expansion, and this rule matches when the name being updated is a valid expansion of the wildcard.

self

This rule matches when the name being updated matches the contents of the identity field. The name field is ignored, but should be the same as the identity field. The self nametype is most useful when allowing using one key per name to update, where the key has the same name as the name to be updated. The identity would be specified as * in this case.

owner name

the domain name where the RR is found.

type

an encoded 16 bit value that specifies the type of the resource record.

TTL

the time to live of the RR. This field is a 32 bit integer in units of seconds, and is primarily used by @@ -11047,16 +9803,10 @@ be cached before it should be discarded.

class

an encoded 16 bit value that identifies a protocol family or instance of a protocol.

RDATA

the resource data. The format of the data is type (and sometimes class) specific.

of valid RRs:

A

a host address. In the IN class, this is a 32-bit IP address. Described in RFC 1035.

AAAA

IPv6 address. Described in RFC 1886.

A6

IPv6 address. This can be a partial address (a suffix) and an indirection to the name where the rest of the @@ -11157,16 +9883,10 @@ address (the prefix) can be found. Experimental. Described in RFC 2874.

AFSDB

location of AFS database servers. Experimental. Described in RFC 1183.

APL

address prefix list. Experimental. Described in RFC 3123.

CERT

holds a digital certificate. Described in RFC 2538.

CNAME

identifies the canonical name of an alias. Described in RFC 1035.

DNAME

Replaces the domain name specified with another name to be looked up, effectively aliasing an entire @@ -11245,32 +9941,20 @@ Described in RFC 2672.

GPOS

Specifies the global position. Superseded by LOC.

HINFO

identifies the CPU and OS used by a host. Described in RFC 1035.

ISDN

representation of ISDN addresses. Experimental. Described in RFC 1183.

KEY

stores a public key associated with a DNS name. Described in RFC 2535.

KX

identifies a key exchanger for this DNS name. Described in RFC 2230.

LOC

for storing GPS info. Described in RFC 1876. Experimental.

MX

identifies a mail exchange for the domain. a 16 bit preference value (lower is better) @@ -11365,32 +10019,20 @@ Described in RFC 974, RFC 1035.

NAPTR

name authority pointer. Described in RFC 2915.

NSAP

a network service access point. Described in RFC 1706.

NS

the authoritative name server for the domain. Described in RFC 1035.

NXT

used in DNSSEC to securely indicate that RRs with an owner name in a certain name interval do not exist in @@ -11434,16 +10064,10 @@ Described in RFC 2535.

PTR

a pointer to another part of the domain name space. Described in RFC 1035.

PX

provides mappings between RFC 822 and X.400 addresses. Described in RFC 2163.

RP

information on persons responsible for the domain. Experimental. Described in RFC 1183.

RT

route-through binding for hosts that do not have their own direct wide area network addresses. @@ -11503,16 +10109,10 @@ Experimental. Described in RFC 1183.

SIG

("signature") contains data authenticated in the secure DNS. Described in RFC 2535.

SOA

identifies the start of a zone of authority. Described in RFC 1035.

SRV

information about well known network services (replaces WKS). Described in RFC 2782.

TXT

text records. Described in RFC 1035.

WKS

information about which well known network services, such as SMTP, that a domain supports. Historical. @@ -11588,16 +10164,10 @@ network services, such as SMTP, that a domain supports. Historical. >

X25

representation of X.25 network addresses. Experimental. Described in RFC 1183.

IN

The Internet.

CH

CHAOSnet, a LAN protocol created at MIT in the mid-1970s. Rarely used for its historical purpose, but reused for BIND's built-in server information zones, e.g., version.bind.

HS

Hesiod, an information service developed by MIT's Project Athena. It is used to share information @@ -11751,11 +10303,11 @@ knowledge of the typical representation for the data.

For example, we might show the RRs carried in a message as:

Similarly we might see:

ISI.EDU.          MX   10 VENERA.ISI.EDU.
                  MX   10 VAXA.ISI.EDU
VENERA.ISI.EDU    A    128.9.0.32
                  A    10.1.0.52
VAXA.ISI.EDU      A    10.2.0.27
                  A    128.9.0.33

This example shows two addresses for XX.LCS.MIT.EDU, each of a different class.

XX.LCS.MIT.EDU.   IN   A    10.0.0.44
                  CH   A    MIT.EDU. 2420

For example:

Mail delivery will be attempted to mail.example.com and mail2.example.com (in any order), and if neither of those succeed, delivery to mail.backup.org will be attempted.

example.com.         IN   MX   10   mail.example.com.
                     IN   MX   10   mail2.example.com.
                     IN   MX   20   mail.backup.org.
mail.example.com.    IN   A    10.0.0.1
mail2.example.com.   IN   A    10.0.0.2

SOA

The last field in the SOA is the negative caching TTL. This controls how long other servers will cache no-such-domain @@ -12416,16 +10815,10 @@ negative caching is 3 hours (3h).

$TTL

The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without @@ -12434,16 +10827,10 @@ a specific TTL set.

RR TTLs

Each RR can have a TTL as the second field in the RR, which will control how long other servers can cache @@ -12457,9 +10844,9 @@ the it.

All of these TTLs default to units of seconds, though units can be explicitly specified, for example, 1h30m.

] domain:

$ORIGIN domain-name [ comment ]

$ORIGIN <zone-name>. argument if it is not absolute.

$ORIGIN example.com.
-WWW     CNAME   MAIN-SERVER
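Review bot: the $ORIGIN example loses its WWW     CNAME   MAIN-SERVER line as a removed (-) line with no added line in the visible context, while the text right after it ("is equivalent to" followed by WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.) still depends on that relative-name line; please check that the regenerated page keeps it, otherwise the example shows only the expanded form and the equivalence it is meant to illustrate is lost.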

is equivalent to

WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.

$ORIGIN 2.1.10.in-addr.arpa
3   IN PTR foo.example.com.

This can be one of two forms: start-stop or start-stop/step. If the first form is used then step is set to @@ -12918,9 +11259,6 @@ or start-stop/step. If the first form is used then step is set to >

At present the only supported types are PTR, CNAME, DNAME, A, AAAA and NS.

rhs is a domain name. It is processed similarly to lhs.

The $GENERATE directive is a BIND extension and not part of the standard zone file format.

The BIND 9 Lightweight Resolver

Chapter 7. BIND 9 Security Considerations

On UNIX servers, it is possible to run BIND in a chroot() by specifying the "-t" option. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as an unprivileged user ( -u user ). We suggest running as an unprivileged user when using the chroot feature.

Here is an example command line to load BIND in a chroot() to user 202:

/usr/local/bin/named -u 202 -t /var/named

/var/named), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, /var/named chown utility (to set the user id and/or group id) on files to which you want BIND to write. Note that if the

Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the

BIND 9 Configuration Reference

Chapter 8. Troubleshooting
8.3. Where Can I Get Help?

The Internet Software Consortium (ISC) offers a wide range of support and service agreements for BIND and DHCP servers. Four levels of premium support are available and each level includes support for all ISC programs, significant discounts on products and training, and a recognized priority on bug fixes and non-funded feature requests. In addition, ISC offers a standard support agreement package which includes services ranging from bug fix announcements to remote support. It also includes training in BIND and DHCP.

To discuss arrangements for support, contact @@ -195,9 +195,9 @@ info@isc.org or visit the ISC web page at

BIND 9 Security Considerations

Appendix A. Appendices
A.2. General DNS Reference Information
A.1.1. A Brief History of the DNS and BIND

DNS implementations are built.

DNS server for Unix machines, the Berkeley Internet Name Domain (BIND) package, was written soon after by a group of graduate students at the University of California at Berkeley under a grant from the US Defense Advanced Research Projects Administration (DARPA). Versions of BIND through 4.8.3 were maintained by the Computer Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark Painter, David Riggle and Songnian Zhou made up the initial BIND project team. After that, additional work on the software package was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation employee on loan to the CSRG, worked on BIND for 2 years, from 1985 to 1987. Many other people also contributed to BIND development during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell, Mike Muuss, Jim Bloom and Mike Schwartz. BIND maintenance was subsequently handled by Mike Karels and O. Kure.

BIND versions 4.9 and 4.9.1 were released by Digital Equipment Corporation (now Compaq Computer Corporation). Paul Vixie, then a DEC employee, became BIND's primary caretaker. Paul was assisted by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe Wolfhugel, and others.

BIND Version 4.9.2 was sponsored by Vixie Enterprises. Paul Vixie became BIND's principal architect/programmer.

BIND versions from 4.9.3 onward have been developed and maintained by the Internet Software Consortium with support being provided by ISC's sponsors. As co-architects/programmers, Bob Halley and Paul Vixie released the first production-ready version of BIND version 8 in May 1997.

BIND development work is made possible today by the sponsorship of several corporations, and by the tireless work efforts of numerous individuals.

A.2. General DNS Reference Information

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces which were introduced in the DNS to facilitate scalable Internet routing. There are three types of addresses: The aggregatable global Unicast address format is as follows:

  3      13        8       24        16          64 bits
  FP   TLA ID     RES    NLA ID    SLA ID    Interface ID
  <------ Public Topology ------>
                                <-Site Topology->
                                           <------ Interface Identifier ------>

Where

Specification documents for the Internet protocol suite, including the DNS, are published as part of the Request for Comments (RFCs) series of technical notes. The standards themselves are defined by the Internet Engineering Task Force (IETF) and the Internet Engineering @@ -725,17 +591,13 @@ Steering Group (IESG). RFCs can be obtained online via FTP at ftp://www.isi.edu/in-notes/RFCxxx.txt (where xxx is the number of the RFC). RFCs are also available via the Web at , January 1986.

R. Elz and R. Bush, Clarifications to the DNS Specification, July 1997.

M. Andrews, Negative Caching of DNS Queries, March 1998.

M. Ohta, Incremental Zone Transfer in DNS, August 1996.

, August 1996.

, April 1997.

and B. Wellington, Secret Key Transaction Authentication for DNS (TSIG), May 2000.

and C. Huitema, DNS Extensions to support IP version 6, December 1995.

, January 1997.

, April 1997.

Other Important RFCs About DNS Implementation

E. Gavron, A Security Problem and Proposed Correction With Widely Deployed DNS Software., October 1993.

and S. Miller, Common DNS Implementation Errors and Suggested Fixes, October 1993.

, August 1996.

and P. Mockapetris, New DNS RR Definitions, October 1990.

and R. Colella, DNS NSAP Resource Records, October 1994.

, June 1997.

, January 1996.

and P. Vixie, A DNS RR for Specifying the Location of Services., October 1996.

A. Allocchio, Using the Internet DNS to Distribute MIXER Conformant Global Address Mapping, January 1998.

R. Atkinson, Key Exchange Delegation Record for the DNS, October 1997.

DNS and the Internet

P. V. Mockapetris, DNS Encoding of Network Names and Other Types, April 1989.

, October 1989.

, March 1994.

, March 1998.

DNS Operations

P. Beertema, Common DNS Data File Configuration Errors, October 1993.

D. Barr, Common DNS Operational and Configuration Errors, February 1996.

, October 1996.

and R. Wright, Use of DNS Aliases for Network Services., October 1997.

Other DNS-related RFCs

, May 1993.

A. Romao, Tools for DNS Debugging, November 1994.

T. Brisco, DNS Support for Load Balancing, April 1995.

, November 1997.

, May 1998.

, May 1998.

and D. Baldoni, DNS Encoding of Geographical Location, November 1994.

A.3.3. Other Documents About BIND

and Cricket Liu, DNS and BIND, 1998.

BIND 9 Administrator Reference Manual

Copyright © 2004 Internet Systems Consortium, Inc. ("ISC")

Copyright © 2000-2003 Internet Software Consortium


1.4. The Domain Name System (DNS)
2. BIND Resource Requirements
4.9. IPv6 Support in BIND 9
5. The BIND 9 Lightweight Resolver
6. BIND 9 Configuration Reference
6.3.6. BIND Master File Extension: the $GENERATE
7. BIND 9 Security Considerations
A.1.1. A Brief History of the DNS and BIND
A.2. General DNS Reference Information
A.3.3. Other Documents About BIND
- + + lwres

lwres

lwres
Synopsis

#include <lwres/lwres.h>

The lwresd library implements multiple name service APIs. The standard gethostbyname(), gethostbyaddr(), gethostbyname_r(), gethostbyaddr_r(), getaddrinfo(), getipnodebyname(), and getipnodebyaddr() functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by lwres_. To define the standard names, applications must include the header file @@ -142,23 +142,23 @@ which contains macro definitions mapping the standard function names into lwres_ prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed.

The library also provides a native API consisting of the functions lwres_getaddrsbyname() and lwres_getnamebyaddr(). These may be called by applications that require more detailed control over the lookup process than the standard functions @@ -167,9 +167,9 @@ provide.

In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the lwres_getaddrsbyname() function.

lwres_packet_t, called pkt below.

(2) Set pkt.recvlength to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in lwres.h: LWRES_RECVLENGTH = 4096.

(3) Set pkt.serial to a unique serial number. This value is echoed back to the application by the remote server.

(4) Set pkt.pktflags. Usually this is set to 0.

(5) Set pkt.result to 0.

(6) Call lwres_*request_render(), or marshall in the data using the primitives such as lwres_packet_render() and storing the packet data.

(7) Transmit the resulting buffer.

(8) Call lwres_*response_parse() to parse any packets received.

lwres_packet_t is used in both the _parse() and _render() calls, with only a few modifications made to the packet header's contents between uses. This method is recommended as it keeps the serial, opcode, and other fields correct.

(1) When a packet is received, call lwres_*request_parse() to unmarshall it. This returns a lwres_packet_t (also called pkt, below) as well as a data specific type, such as

(2) Process the request in the data specific type.

(3) Set the pkt.result, pkt.recvlength as above. All other fields can be left untouched since they were filled in by the *_parse() call above. If using lwres_*response_render(), pkt.pktflags will be set up properly. Otherwise, the LWRES_LWPACKETFLAG_RESPONSE bit should be set.

(4) Call the data specific rendering function, such as lwres_gabnresponse_render().

(5) Send the resulting packet to the client.

- + + lwres_buffer

lwres_buffer

lwres_buffer
Synopsis

#include <lwres/lwbuffer.h>
These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the isc_buffer_ functions in the ISC library.

lwres_buffer_init() initializes the lwres_buffer_t *b and associates it with the memory region of size length bytes starting at location base.

lwres_buffer_invalidate() marks the buffer *b as invalid. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use.

The functions lwres_buffer_add() and lwres_buffer_subtract() respectively increase and decrease the used space in buffer *b by n bytes. lwres_buffer_add() checks for buffer overflow and lwres_buffer_subtract() checks for underflow. These functions do not allocate or deallocate memory. They just change the value of used.

A buffer is re-initialised by lwres_buffer_clear(). The function sets used, current and active to zero.

lwres_buffer_first makes the consumed region of buffer *p empty by setting current to zero (the start of the buffer).

lwres_buffer_forward() increases the consumed region of buffer *b by n bytes, checking for overflow. Similarly, lwres_buffer_back() decreases buffer b's consumed region by n bytes and checks for underflow.

lwres_buffer_getuint8() reads an unsigned 8-bit integer from *b and returns it. lwres_buffer_putuint8() writes the unsigned 8-bit integer val to buffer *b.

lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to lwres_buffer_getuint8() except that they respectively read an unsigned 16-bit or 32-bit integer in network byte order from b. Similarly, lwres_buffer_putuint16() and lwres_buffer_putuint32() write the unsigned 16-bit or 32-bit integer val to buffer b, in network byte order.

Arbitrary amounts of data are read or written from a lightweight resolver buffer with lwres_buffer_getmem() and lwres_buffer_putmem() respectively. lwres_buffer_putmem() copies length bytes of memory at base to b. Conversely, lwres_buffer_getmem() copies length bytes of memory from b to base.

- + + lwres_config

lwres_config

lwres_config
Synopsis

#include <lwres/lwres.h>

DESCRIPTION

lwres_conf_init()lwres_conf_init() creates an empty lwres_conf_t structure for lightweight resolver context -ctxctx.

lwres_conf_clear()lwres_conf_clear() frees up all the internal memory used by that @@ -142,30 +140,24 @@ CLASS="TYPE" >lwres_conf_t structure in resolver context -ctxctx.

lwres_conf_parse()lwres_conf_parse() opens the file -filenamefilename and parses it to initialise the resolver context -ctxctx's structure.

lwres_conf_print()lwres_conf_print() prints the lwres_conf_t structure for resolver context -ctxctx to the FILE -fpfp.

RETURN VALUES

lwres_conf_parse()lwres_conf_parse() returns LWRES_R_SUCCESS if it successfully read and parsed -filenamefilename. It returns LWRES_R_FAILURE if -filenamefilename could not be opened or contained incorrect resolver statements.

lwres_conf_print()lwres_conf_print() returns - + + lwres_context

lwres_context

lwres_context
Synopsis

#include <lwres/lwres.h>

DESCRIPTION

lwres_context_create()lwres_context_create() creates a lwres_context_t is returned through -contextpcontextp, a pointer to a @@ -174,33 +172,25 @@ CLASS="TYPE" >

When the lightweight resolver needs to perform dynamic memory allocation, it will call -malloc_functionmalloc_function to allocate memory and -free_functionfree_function to free it. If -malloc_functionmalloc_function and -free_functionfree_function are NULL, memory is allocated using @@ -215,48 +205,36 @@ CLASS="REFENTRYTITLE" >. It is not permitted to have a NULL -malloc_functionmalloc_function and a non-NULL -free_functionfree_function or vice versa. -argarg is passed as the first parameter to the memory allocation functions. If -malloc_functionmalloc_function and -free_functionfree_function are NULL, -argarg is unused and should be passed as NULL.

and returned via -*contextp*contextp.

lwres_context_destroy()lwres_context_destroy() destroys a , closing its socket. -contextpcontextp is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed.

The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using -lwres_context_initserial()lwres_context_initserial() and -lwres_context_nextserial()lwres_context_nextserial(). -lwres_context_initserial()lwres_context_initserial() sets the serial number for context -*ctx*ctx to -serialserial. -lwres_context_nextserial()lwres_context_nextserial() increments the serial number and returns the previous value.

Memory for a lightweight resolver context is allocated and freed using -lwres_context_allocmem()lwres_context_allocmem() and -lwres_context_freemem()lwres_context_freemem(). These use whatever allocations were defined when the context was created with -lwres_context_create()lwres_context_create(). -lwres_context_allocmem()lwres_context_allocmem() allocates -lenlen bytes of memory and if successful returns a pointer to the allocated storage. -lwres_context_freemem()lwres_context_freemem() frees -lenlen bytes of space starting at location -memmem.

lwres_context_sendrecv()lwres_context_sendrecv() performs I/O for the context -ctxctx. Data are read and written from the context's socket. It writes data from -sendbasesendbase — typically a lightweight resolver query packet — and waits for a reply which is copied to the receive buffer at -recvbaserecvbase. The number of bytes that were written to this receive buffer is returned in -*recvd_len*recvd_len.

RETURN VALUES

lwres_context_create()lwres_context_create() returns

Successful calls to the memory allocator -lwres_context_allocmem()lwres_context_allocmem() return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated.

LWRES_R_SUCCESS is returned when -lwres_context_sendrecv()lwres_context_sendrecv() completes successfully. LWRES_R_TIMEOUT is returned if -lwres_context_sendrecv()lwres_context_sendrecv() times out waiting for a response.

- + + lwres_gabn

lwres_gabn

lwres_gabn
Synopsis

#include <lwres/lwres.h>

lwres_gabnrequest_render()lwres_gabnrequest_render() uses resolver context -ctxctx to convert getaddrbyname request structure -reqreq to canonical format. The packet header structure -pktpkt is initialised and transferred to buffer -bb. The contents of -*req*req are then appended to the buffer in canonical format. -lwres_gabnresponse_render()lwres_gabnresponse_render() performs the same task, except it converts a getaddrbyname response structure to the lightweight resolver's canonical format.

lwres_gabnrequest_parse()lwres_gabnrequest_parse() uses context -ctxctx to convert the contents of packet -pktpkt to a structure. Buffer -bb provides space to be used for storing this structure. When the function succeeds, the resulting @@ -270,21 +254,19 @@ CLASS="TYPE" >lwres_gabnrequest_t is made available through -*structp*structp. -lwres_gabnresponse_parse()lwres_gabnresponse_parse() offers the same semantics as -lwres_gabnrequest_parse()lwres_gabnrequest_parse() except it yields a structure.

lwres_gabnresponse_free()lwres_gabnresponse_free() and -lwres_gabnrequest_free()lwres_gabnrequest_free() release the memory in resolver context -ctxctx that was allocated to the lwres_gabnrequest_t structures referenced via -structpstructp. Any memory associated with ancillary buffers and strings for those @@ -339,22 +317,22 @@ NAME="AEN93" >RETURN VALUES

The getaddrbyname opcode functions -lwres_gabnrequest_render()lwres_gabnrequest_render(), -lwres_gabnresponse_render()lwres_gabnresponse_render() -lwres_gabnrequest_parse()lwres_gabnrequest_parse() and -lwres_gabnresponse_parse()lwres_gabnresponse_parse() all return LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer -bb is too small to accommodate the packet header or the lwres_gabnresponse_t structures. -lwres_gabnrequest_parse()lwres_gabnrequest_parse() and -lwres_gabnresponse_parse()lwres_gabnresponse_parse() will return LWRES_R_FAILURE if -pktflagspktflags in the packet header structure - + + lwres_gai_strerror

lwres_gai_strerror

lwres_gai_strerror
Synopsis

#include <lwres/netdb.h>

DESCRIPTION

lwres_gai_strerror()lwres_gai_strerror() returns an error message corresponding to an error code returned by -getaddrinfo()getaddrinfo(). The following error codes and their meaning are defined in

invalid value for -ai_flagsai_flags

ai_familyai_family not supported

servname not supported for servname not supported for ai_socktypeai_socktype

ai_socktypeai_socktype not supported

invalid error code is returned if -ecodeecode is out of range.

ai_flagsai_flags, -ai_familyai_family and -ai_socktypeai_socktype are elements of the struct addrinfo used by -lwres_getaddrinfo()lwres_getaddrinfo().

- + + lwres_getaddrinfo

lwres_getaddrinfo

lwres_getaddrinfo
Synopsis

#include <lwres/netdb.h>

DESCRIPTION

lwres_getaddrinfo()lwres_getaddrinfo() is used to get a list of IP addresses and port numbers for host -hostnamehostname and service -servnameservname. The function is the lightweight resolver's implementation of -getaddrinfo()getaddrinfo() as defined in RFC2133. -hostnamehostname and -servnameservname are pointers to null-terminated strings or @@ -156,19 +148,15 @@ CLASS="TYPE" >NULL. -hostnamehostname is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address. -servnameservname is either a decimal port number or a service name as listed in /etc/services.

hintshints is an optional pointer to a *hints*hints:

ai_familyai_family

The protocol family that should be used. When -ai_familyai_family is set to

ai_socktypeai_socktype

— that is wanted. When -ai_socktypeai_socktype is zero the caller will accept any socket type.

ai_protocolai_protocol

indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If -ai_protocolai_protocol is zero the caller will accept any protocol.

ai_flagsai_flags

AI_CANONNAME bit is set, a successful call to -lwres_getaddrinfo()lwres_getaddrinfo() will return a null-terminated string containing the canonical name of the specified hostname in -ai_canonnameai_canonname of the first

When -ai_flagsai_flags does not set the hostnamehostname is a AI_PASSIVE is not set in -ai_flagsai_flags.

If -ai_flagsai_flags is set to AI_NUMERICHOST it indicates that -hostnamehostname should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.

struct addrinfo passed -via hintshints must be zero.

A A hintshints of NULLstruct addrinfo initialized to zero -with ai_familyai_familyset to -PF_UNSPECPF_UNSPEC.

After a successful call to -lwres_getaddrinfo()lwres_getaddrinfo(), -*res*res is a pointer to a linked list of one or more in this list cn be processed by following the -ai_nextai_next pointer, until a pointer is encountered. The three members -ai_familyai_family, -ai_socktypeai_socktype, and -ai_protocolai_protocol in each returned @@ -525,43 +499,41 @@ CLASS="TYPE" >addrinfo structure in the list, the -ai_addrai_addr member points to a filled-in socket address structure of length -ai_addrlenai_addrlen.

All of the information returned by -lwres_getaddrinfo()lwres_getaddrinfo() is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the -addrinfoaddrinfostructures. Memory allocated for the dynamically allocated structures created by a successful call to -lwres_getaddrinfo()lwres_getaddrinfo() is released by -lwres_freeaddrinfo()lwres_freeaddrinfo(). -aiai is a pointer to a struct addrinfo created by a call to -lwres_getaddrinfo()lwres_getaddrinfo().

RETURN VALUES

lwres_getaddrinfo()lwres_getaddrinfo() returns zero on success or one of the error codes listed in if an error occurs. If both -hostnamehostname and -servnameservname are NULL -lwres_getaddrinfo()lwres_getaddrinfo() returns - + + lwres_gethostent

lwres_gethostent

lwres_gethostent
Synopsis

#include <lwres/netdb.h>
h_nameh_name

The official (canonical) name of the host.

h_aliasesh_aliases

A NULL-terminated array of alternate names (nicknames) for the host.

h_addrtypeh_addrtype

.

h_lengthh_length

The length of the address in bytes.

h_addr_listh_addr_list

For backward compatibility with very old software, -h_addrh_addr is the first address in -h_addr_list.h_addr_list.

lwres_gethostent()lwres_gethostent(), -lwres_sethostent()lwres_sethostent(), -lwres_endhostent()lwres_endhostent(), -lwres_gethostent_r()lwres_gethostent_r(), -lwres_sethostent_r()lwres_sethostent_r() and -lwres_endhostent_r()lwres_endhostent_r() provide iteration over the known host entries on systems that provide such functionality through facilities like @@ -311,33 +311,29 @@ or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure.

lwres_gethostbyname()lwres_gethostbyname() and -lwres_gethostbyname2()lwres_gethostbyname2() look up the hostname -namename. -lwres_gethostbyname()lwres_gethostbyname() always looks for an IPv4 -address while lwres_gethostbyname2()lwres_gethostbyname2() looks for an -address of protocol family afaf: either NULL is returned if the lookups by -lwres_gethostbyname()lwres_gethostbyname() or -lwres_gethostbyname2()lwres_gethostbyname2() fail.

Reverse lookups of addresses are performed by -lwres_gethostbyaddr()lwres_gethostbyaddr(). -addraddr is an address of length -lenlen bytes and protocol family -typetype — PF_INETPF_INET6. -lwres_gethostbyname_r()lwres_gethostbyname_r() is a thread-safe function for forward lookups. If an error occurs, an error code is returned in -*error*error. -resbufresbuf is a pointer to a struct hostent which is initialised by a successful call to -lwres_gethostbyname_r()lwres_gethostbyname_r() . -bufbuf is a buffer of length -lenlen bytes which is used to store the -h_name, h_name, h_aliasesh_aliases, and -h_addr_listh_addr_list elements of the struct hostent returned in returned in resbufresbuf. -Successful calls to lwres_gethostbyname_r()lwres_gethostbyname_r() -return resbufresbuf, which is a pointer to the struct hostent it created.

lwres_gethostbyaddr_r()lwres_gethostbyaddr_r() is a thread-safe function -that performs a reverse lookup of address addraddr -which is lenlen bytes long and is of protocol -family typetype — PF_INETPF_INET6. If an error occurs, the error code is returned -in *error*error. The other function parameters are -identical to those in lwres_gethostbyname_r()lwres_gethostbyname_r(). -resbufresbuf is a pointer to a struct hostent which is initialised by a successful call to -lwres_gethostbyaddr_r()lwres_gethostbyaddr_r(). -bufbuf is a buffer of length -lenlen bytes which is used to store the -h_name, h_name, h_aliasesh_aliases, and -h_addr_listh_addr_list elements of the struct hostent returned in returned in resbufresbuf. Successful -calls to lwres_gethostbyaddr_r()lwres_gethostbyaddr_r() return -resbufresbuf, which is a pointer to the -struct hostent()struct hostent() it created.

RETURN VALUES

The functions -lwres_gethostbyname()lwres_gethostbyname(), -lwres_gethostbyname2()lwres_gethostbyname2(), -lwres_gethostbyaddr()lwres_gethostbyaddr(), and -lwres_gethostent()lwres_gethostent() return NULL to indicate an error. In this case the global variable

HOST_NOT_FOUNDHOST_NOT_FOUND

The host or address was not found.

TRY_AGAINTRY_AGAIN

NO_RECOVERYNO_RECOVERY

A non-recoverable error occurred.

NO_DATANO_DATA

translates these error codes to suitable error messages.

lwres_gethostent()lwres_gethostent() and -lwres_gethostent_r()lwres_gethostent_r() always return NULL.

Successful calls to Successful calls to lwres_gethostbyname_r()lwres_gethostbyname_r() and -lwres_gethostbyaddr_r()lwres_gethostbyaddr_r() return -resbufresbuf, a pointer to the struct @@ -698,40 +656,36 @@ hostentNULL if the lookups fail or if if the lookups fail or if bufbuf was too small to hold the list of addresses and names referenced by -the h_name, h_name, h_aliasesh_aliases, and -h_addr_listh_addr_list elements of the struct hostent. If . If bufbuf was too small, both -lwres_gethostbyname_r()lwres_gethostbyname_r() and -lwres_gethostbyaddr_r()lwres_gethostbyaddr_r() set the global variable

BUGS

lwres_gethostbyname()lwres_gethostbyname(), -lwres_gethostbyname2()lwres_gethostbyname2(), -lwres_gethostbyaddr()lwres_gethostbyaddr() and -lwres_endhostent()lwres_endhostent() are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread-safe versions for name and address lookup are provided by -lwres_gethostbyname_r()lwres_gethostbyname_r(), and -lwres_gethostbyaddr_r()lwres_gethostbyaddr_r() respectively.

- + + lwres_getipnode

lwres_getipnode

lwres_getipnode
Synopsis

#include <lwres/netdb.h>
h_nameh_name

The official (canonical) name of the host.

h_aliasesh_aliases

A NULL-terminated array of alternate names (nicknames) for the host.

h_addrtypeh_addrtype

.

h_lengthh_length

The length of the address in bytes.

h_addr_listh_addr_list

lwres_getipnodebyname()lwres_getipnodebyname() looks up addresses of protocol family -afaf for the hostname -namename. The -flagsflags parameter contains ORed flag bits to specify the types of addresses that are searched @@ -231,44 +225,40 @@ The flag bits are: CLASS="VARIABLELIST" >

AI_V4MAPPEDAI_V4MAPPED

This is used with an -afaf of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped IPv6 addresses.

AI_ALLAI_ALL

This is used with an -afaf of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.

AI_ADDRCONFIGAI_ADDRCONFIG

AI_DEFAULTAI_DEFAULT

This default sets the -AI_V4MAPPEDAI_V4MAPPED and -AI_ADDRCONFIGAI_ADDRCONFIG flag bits.

lwres_getipnodebyaddr()lwres_getipnodebyaddr() performs a reverse lookup of address -srcsrc which is -lenlen bytes long. -afaf denotes the protocol family, typically PF_INET6.

lwres_freehostent()lwres_freehostent() releases all the memory associated with the @@ -347,27 +331,25 @@ CLASS="TYPE" >struct hostent pointer -hehe. Any memory allocated for the -h_nameh_name, -h_addr_listh_addr_list and -h_aliasesh_aliases is freed, as is the memory for the RETURN VALUES

If an error occurs, -lwres_getipnodebyname()lwres_getipnodebyname() and -lwres_getipnodebyaddr()lwres_getipnodebyaddr() set -*error_num*error_num to an appropriate error code and the function returns a

HOST_NOT_FOUNDHOST_NOT_FOUND

No such host is known.

NO_ADDRESSNO_ADDRESS

TRY_AGAINTRY_AGAIN

NO_RECOVERYNO_RECOVERY

- + + lwres_getnameinfo

lwres_getnameinfo

lwres_getnameinfo
Synopsis

#include <lwres/netdb.h>
getnameinfo(3) function defined in RFC2133. -lwres_getnameinfo()lwres_getnameinfo() returns the hostname for the struct sockaddr sasa which is -salensalen bytes long. The hostname is of length -hostlenhostlen and is returned via -*host.*host. The maximum length of the hostname is -1025 bytes: NI_MAXHOSTNI_MAXHOST.

The name of the service associated with the port number in -sa is returned in sa is returned in *serv.*serv. -It is servlenservlen bytes long. The maximum length -of the service name is NI_MAXSERVNI_MAXSERV - 32 bytes.

The The flagsflags argument sets the following bits:

NI_NOFQDNNI_NOFQDN

NI_NUMERICHOSTNI_NUMERICHOST

NI_NAMEREQDNI_NAMEREQD

NI_NUMERICSERVNI_NUMERICSERV

The service name is returned as a digit string representing the port number.

NI_DGRAMNI_DGRAM

RETURN VALUES

lwres_getnameinfo()lwres_getnameinfo() returns 0 on success or a non-zero error code if an error occurs.

- + + lwres_getrrsetbyname

lwres_getrrsetbyname

lwres_getrrsetbyname
Synopsis

#include <lwres/netdb.h>

DESCRIPTION

lwres_getrrsetbyname()lwres_getrrsetbyname() gets a set of resource records associated with a -hostnamehostname, -classclass, and -typetype. -hostnamehostname is a pointer a to null-terminated string. The -flagsflags field is currently unused and must be zero.

After a successful call to -lwres_getrrsetbyname()lwres_getrrsetbyname(), -*res*res is a pointer to an rri_rdclassrri_rdclass and -rri_rdtyperri_rdtype are copied from the parameters. -rri_ttlrri_ttl and -rri_namerri_name are properties of the obtained rrset. The resource records contained in -rri_rdatasrri_rdatas and -rri_sigsrri_sigs are in uncompressed DNS wire format. Properties of the rdataset are represented in the -rri_flagsrri_flags bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified.

All of the information returned by -lwres_getrrsetbyname()lwres_getrrsetbyname() is dynamically allocated: the -rrsetinforrsetinfo and -rdatainfordatainfo structures, and the canonical host name strings pointed to by the -rrsetinforrsetinfostructure. Memory allocated for the dynamically allocated structures created by a successful call to -lwres_getrrsetbyname()lwres_getrrsetbyname() is released by -lwres_freerrset()lwres_freerrset(). -rrsetrrset is a pointer to a struct rrset created by a call to -lwres_getrrsetbyname()lwres_getrrsetbyname().

RETURN VALUES

lwres_getrrsetbyname()lwres_getrrsetbyname() returns zero on success, and one of the following error codes if an error occurred: @@ -296,54 +282,54 @@ codes if an error occurred: CLASS="VARIABLELIST" >

ERRSET_NONAMEERRSET_NONAME

the name does not exist

ERRSET_NODATAERRSET_NODATA

the name exists, but does not have data of the desired type

ERRSET_NOMEMORYERRSET_NOMEMORY

memory could not be allocated

ERRSET_INVALERRSET_INVAL

a parameter is invalid

ERRSET_FAILERRSET_FAIL

other failure

- + + lwres_gnba

lwres_gnba

lwres_gnba
Synopsis

#include <lwres/lwres.h>

lwres_gnbarequest_render()lwres_gnbarequest_render() uses resolver context -ctxctx to convert getnamebyaddr request structure -reqreq to canonical format. The packet header structure -pktpkt is initialised and transferred to buffer -bb. The contents of -*req*req are then appended to the buffer in canonical format. -lwres_gnbaresponse_render()lwres_gnbaresponse_render() performs the same task, except it converts a getnamebyaddr response structure to the lightweight resolver's canonical format.

lwres_gnbarequest_parse()lwres_gnbarequest_parse() uses context -ctxctx to convert the contents of packet -pktpkt to a structure. Buffer -bb provides space to be used for storing this structure. When the function succeeds, the resulting @@ -246,18 +246,18 @@ CLASS="TYPE" >lwres_gnbarequest_t is made available through -*structp*structp. -lwres_gnbaresponse_parse()lwres_gnbaresponse_parse() offers the same semantics as -lwres_gnbarequest_parse()lwres_gnbarequest_parse() except it yields a structure.

lwres_gnbaresponse_free()lwres_gnbaresponse_free() and -lwres_gnbarequest_free()lwres_gnbarequest_free() release the memory in resolver context -ctxctx that was allocated to the lwres_gnbarequest_t structures referenced via -structpstructp. Any memory associated with ancillary buffers and strings for those structures is also discarded.

RETURN VALUES

The getnamebyaddr opcode functions -lwres_gnbarequest_render()lwres_gnbarequest_render(), -lwres_gnbaresponse_render()lwres_gnbaresponse_render() -lwres_gnbarequest_parse()lwres_gnbarequest_parse() and -lwres_gnbaresponse_parse()lwres_gnbaresponse_parse() all return LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer -bb is too small to accommodate the packet header or the lwres_gnbaresponse_t structures. -lwres_gnbarequest_parse()lwres_gnbarequest_parse() and -lwres_gnbaresponse_parse()lwres_gnbaresponse_parse() will return LWRES_R_FAILURE if -pktflagspktflags in the packet header structure - + + lwres_hstrerror

lwres_hstrerror

lwres_hstrerror
Synopsis

#include <lwres/netdb.h>

DESCRIPTION

lwres_herror()lwres_herror() prints the string -ss on stderr followed by the string -generated by lwres_hstrerror()lwres_hstrerror() for the error code -stored in the global variable lwres_h_errnolwres_h_errno.

lwres_hstrerror()lwres_hstrerror() returns an appropriate string -for the error code gievn by errerr. The values of the error codes and messages are as follows: @@ -205,14 +201,14 @@ NAME="AEN65" CLASS="ERRORNAME" >Unknown resolver error is returned by -lwres_hstrerror()lwres_hstrerror() when the value of -lwres_h_errnolwres_h_errno is not a valid error code.

- + + lwres_inetntop

lwres_inetntop

lwres_inetntop
Synopsis

#include <lwres/net.h>

DESCRIPTION

lwres_net_ntop()lwres_net_ntop() converts an IP address of -protocol family afaf — IPv4 or IPv6 — -at location srcsrc from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted-decimal. An IPv6 address would be represented in colon notation as described in RFC1884.

The generated string is copied to The generated string is copied to dstdst provided -sizesize indicates it is long enough to store the ASCII representation of the address.

RETURN VALUES

If successful, the function returns If successful, the function returns dstdst: a pointer to a string containing the presentation format of the -address. lwres_net_ntop()lwres_net_ntop() returns NULL and sets the global variable -errnoerrno to EAFNOSUPPORT if -the protocol family given in afaf is not supported.

- + + lwres_noop

lwres_noop

lwres_noop
Synopsis

#include <lwres/lwres.h>

lwres_nooprequest_render()lwres_nooprequest_render() uses resolver -context ctxctx to convert no-op request structure -reqreq to canonical format. The packet header -structure pktpkt is initialised and transferred to -buffer bb. The contents of -*req*req are then appended to the buffer in -canonical format. lwres_noopresponse_render()lwres_noopresponse_render() performs the same task, except it converts a no-op response structure to the lightweight resolver's canonical format.

lwres_nooprequest_parse()lwres_nooprequest_parse() uses context -ctxctx to convert the contents of packet -pktpkt to a lwres_nooprequest_t -structure. Buffer bb provides space to be used for storing this structure. When the function succeeds, the resulting lwres_nooprequest_t is made available through -*structp*structp. -lwres_noopresponse_parse()lwres_noopresponse_parse() offers the same -semantics as lwres_nooprequest_parse()lwres_nooprequest_parse() except it yields a lwres_noopresponse_t structure.

lwres_noopresponse_free()lwres_noopresponse_free() and -lwres_nooprequest_free()lwres_nooprequest_free() release the memory in -resolver context ctxctx that was allocated to the lwres_nooprequest_t -structures referenced via structpstructp.

RETURN VALUES

The no-op opcode functions -lwres_nooprequest_render()lwres_nooprequest_render(), -lwres_noopresponse_render()lwres_noopresponse_render() -lwres_nooprequest_parse()lwres_nooprequest_parse() and -lwres_noopresponse_parse()lwres_noopresponse_parse() all return LWRES_R_UNEXPECTEDEND is returned if the available space in the buffer -bb is too small to accommodate the packet header or the lwres_noopresponse_t structures. -lwres_nooprequest_parse()lwres_nooprequest_parse() and -lwres_noopresponse_parse()lwres_noopresponse_parse() will return LWRES_R_FAILURE if -pktflagspktflags in the packet header structure - + + lwres_packet

lwres_packet

lwres_packet
Synopsis

#include <lwres/lwpacket.h>
lengthlength

versionversion

pktflagspktflags

serialserial

opcodeopcode

resultresult

recvlengthrecvlength

authtypeauthtype

authlenauthlen

NOOPNOOP

GETADDRSBYNAMEGETADDRSBYNAME

GETNAMEBYADDRGETNAMEBYADDR

lwres_lwpacket_renderheader()lwres_lwpacket_renderheader() transfers the contents of lightweight resolver packet structure lwres_lwpacket_t *pkt*pkt in network byte order to the lightweight resolver buffer, -*b*b.

lwres_lwpacket_parseheader()lwres_lwpacket_parseheader() performs the converse operation. It transfers data in network byte order from -buffer *b*b to resolver packet -*pkt*pkt. The contents of the buffer -bb should correspond to a RETURN VALUES

Successful calls to -lwres_lwpacket_renderheader()lwres_lwpacket_renderheader() and -lwres_lwpacket_parseheader()lwres_lwpacket_parseheader() return LWRES_R_SUCCESS. If there is insufficient -space to copy data between the buffer *b*b and -lightweight resolver packet *pkt*pkt both functions return - + + lwres_resutil

lwres_resutil

lwres_resutil
Synopsis

#include <lwres/lwres.h>

DESCRIPTION

lwres_string_parse()lwres_string_parse() retrieves a DNS-encoded string starting the current pointer of lightweight resolver buffer -b: i.e. b: i.e. b->currentb->current. When the function returns, the address of the first byte of the -encoded string is returned via *c*c and the -length of that string is given by *len*len. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing @@ -140,45 +134,43 @@ CLASS="TYPE" >NULL character.

lwres_addr_parse()lwres_addr_parse() extracts an address from the -buffer bb. The buffer's current pointer -b->currentb->current is presumed to point at an encoded address: the address preceded by a 32-bit protocol family identifier and a 16-bit length field. The encoded address is copied to -addr->addressaddr->address and -addr->lengthaddr->length indicates the size in bytes of -the address that was copied. b->currentb->current is advanced to point at the next byte of available data in the buffer following the encoded address.

lwres_getaddrsbyname()lwres_getaddrsbyname() and -lwres_getnamebyaddr()lwres_getnamebyaddr() use the

The lightweight resolver uses -lwres_getaddrsbyname()lwres_getaddrsbyname() to perform foward lookups. -Hostname namename is looked up using the resolver -context ctxctx for memory allocation. -addrtypesaddrtypes is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are LWRES_ADDRTYPE_V6 for IPv6 addresses. Results of the -lookup are returned in *structp*structp.

lwres_getnamebyaddr()lwres_getnamebyaddr() performs reverse lookups. -Resolver context ctxctx is used for memory allocation. The address type is indicated by -addrtypeaddrtype: LWRES_ADDRTYPE_V4LWRES_ADDRTYPE_V6. The address to be looked up is given -by addraddr and its length is -addrlenaddrlen bytes. The result of the function call -is made available through *structp*structp.

RETURN VALUES

Successful calls to -lwres_string_parse()lwres_string_parse() and -lwres_addr_parse()lwres_addr_parse() return

lwres_getaddrsbyname()lwres_getaddrsbyname() returns LWRES_R_NOTFOUND if the hostname -namename could not be found.

LWRES_R_SUCCESS is returned by a successful call to -lwres_getnamebyaddr()lwres_getnamebyaddr().

Both -lwres_getaddrsbyname()lwres_getaddrsbyname() and -lwres_getnamebyaddr()lwres_getnamebyaddr() return

FP

=

Format Prefix (001)

TLA ID

=

Top-Level Aggregation Identifier

RES

=

Reserved for future use

NLA ID

=

Next-Level Aggregation Identifier

SLA ID

=

Site-Level Aggregation Identifier

INTERFACE ID

=

Interface Identifier
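Review bot: in the lwres_buffer.html hunk, the sentence "lwres_buffer_getuint16() and lwres_buffer_getuint32() are identical to lwres_buffer_putuint8() except that they respectively read an unsigned 16-bit or 32-bit integer" compares the two readers to a writer; it should say "identical to lwres_buffer_getuint8()". The same hunk says "lwres_buffer_first makes the consumed region of buffer *p empty" while every neighbouring function names its argument *b; use *b throughout. Since this commit only regenerates HTML, both fixes belong in the source the page is generated from, followed by another regen, not in the generated file.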
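Review bot: in the RETURN VALUES paragraphs of the lwres_gabn.html, lwres_gnba.html and lwres_noop.html hunks, the function list "lwres_gabnresponse_render() lwres_gabnrequest_parse() and lwres_gabnresponse_parse()" (and its gnba and noop counterparts) is missing the comma after the second item, and the paragraphs for the _free() functions say the memory was "allocated to the lwres_gabnrequest_t structures" even though the first function named, lwres_gabnresponse_free(), releases a response structure; name both the request and the response type there. Same fix at the source for all three pages.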
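Review bot: in the lwres_getaddrinfo.html hunk the regenerated text runs inline markup into the following word, so "addrinfostructures" and "ai_familyset" appear without the space that should separate the marked-up name from the next word, and the sentence "in this list cn be processed by following the ai_next pointer" carries a typo ("cn" for "can"). Check the generator input for the missing whitespace around those inline elements and correct the typo there before regenerating.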
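Review bot: in the lwres_gethostent.html hunk, the lwres_gethostbyaddr_r() paragraph documents two different quantities under the same name: "address addr which is len bytes long" and, a few sentences later, "buf is a buffer of length len bytes". A reader cannot tell which parameter bounds buf, and the RETURN VALUES text makes the distinction matter ("NULL if ... buf was too small to hold the list of addresses and names"), so the buffer length should be documented under its own name. The same paragraph also ends with "struct hostent() it created", writing a type as a function call; drop the parentheses.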
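Review bot: in the lwres_getipnode.html hunk, the AI_ALL description says "the IPv4 addresses are return as mapped IPv6 addresses"; it should read "returned". Fix in the source document and regenerate.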
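Review bot: in the lwres_getrrsetbyname.html hunk, "hostname is a pointer a to null-terminated string" has the words transposed ("a pointer to a null-terminated string"), "rrsetinfostructure" is missing the space after the inline element, and the lwres_freerrset() sentence says "rrset is a pointer to a struct rrset" although the sentence before it describes the allocated objects as "rrsetinfo and rdatainfo structures"; the type named for the argument of lwres_freerrset() should match the type the call returns.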
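Review bot: in the lwres_hstrerror.html hunk, the description says lwres_hstrerror() returns the string "for the error code gievn by err" (typo: "given"), but the closing sentence says "Unknown resolver error is returned by lwres_hstrerror() when the value of lwres_h_errno is not a valid error code". Those two statements disagree about where the code comes from; lwres_hstrerror() is documented as taking err, and it is lwres_herror() that reads lwres_h_errno, so the last sentence should refer to err.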
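Review bot: in the lwres_inetntop.html hunk, DESCRIPTION says the string is copied to dst "provided size indicates it is long enough to store the ASCII representation of the address", but RETURN VALUES documents only the EAFNOSUPPORT failure; the behaviour when size is too small (the case a caller sizing a stack buffer needs) is left undocumented and should be stated alongside the other failure. Also "that string would be a dotted-decimal" needs either "in dotted-decimal" or "a dotted-decimal string".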
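Review bot: in the lwres_resutil.html hunk, "to perform foward lookups" should read "forward", and "retrieves a DNS-encoded string starting the current pointer" is missing "at". The lwres_getaddrsbyname() paragraph lists "Current values for this bitmask are LWRES_ADDRTYPE_V6 for IPv6 addresses" while the lwres_getnamebyaddr() paragraph below names both LWRES_ADDRTYPE_V4 and LWRES_ADDRTYPE_V6; confirm the IPv4 value was not dropped during regeneration. Finally, the terminator in "the encoded string, and the trailing NULL character" is a NUL byte, not the NULL pointer constant; say NUL.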