Merge branch 'prep-release' into v9_16

CHANGES

@@ -1,3 +1,5 @@
+	--- 9.16.0 released ---
+
 5356.	[func]		Update dnssec-policy configuration statements:
 			- Rename "zone-max-ttl" dnssec-policy option to
 			  "max-zone-ttl" for consistency with the existing
@@ -40,7 +42,7 @@
 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
 
 5348.	[bug]		dnssec-settime -Psync was not being honoured.
-			[GL !2893]
+			[GL !2925]
 
 	--- 9.15.8 released ---
 

HISTORY

@@ -143,7 +143,7 @@ releases. New features include:
   * "rndc modzone" reconfigures a single zone, without requiring the
     entire server to be reconfigured.
   * "rndc showzone" displays the current configuration of a zone.
-  * "rndc managed-keys" can be used to check the status of RFC 5001
+  * "rndc managed-keys" can be used to check the status of RFC 5011
     managed trust anchors, or to force trust anchors to be refreshed.
   * "max-cache-size" can now be set to a percentage of available memory.
     The default is 90%.

README

@@ -111,9 +111,9 @@ format-patch.
 
 BIND 9.16 features
 
-BIND 9.16 is the current stable branch of BIND 9. It includes all
-changes from the 9.15 development branch, updating the previous stable
-branch, 9.14. New features include:
+BIND 9.16 is the current stable branch of BIND 9. It includes all changes
+from the 9.15 development branch, updating the previous stable branch,
+9.14. New features include:
 
   * New dnssec-policy statement to configure a key and signing policy for
     zones, enabling automatic key regeneration and rollover.
@@ -237,12 +237,10 @@ github.com/farsightsec/fstrm and libprotobuf-c https://
 developers.google.com/protocol-buffers, and BIND must be configured with
 --enable-dnstap.
 
-Certain compiled-in constants and default settings can be increased to
-values better suited to large servers with abundant memory resources (e.g,
-64-bit servers with 12G or more of memory) by specifying --with-tuning=
-large on the configure command line. This can improve performance on big
-servers, but will consume more memory and may degrade performance on
-smaller systems.
+Certain compiled-in constants and default settings can be decreased to
+values better suited to small machines, e.g. OpenWRT boxes, by specifying
+--with-tuning=small on the configure command line. This will decrease
+memory usage by using smaller structures, but will degrade performance.
 
 On Linux, process capabilities are managed in user space using the libcap
 library, which can be installed on most Linux systems via the libcap-dev

README.md

@@ -254,7 +254,7 @@ and `libprotobuf-c`
 [https://developers.google.com/protocol-buffers](https://developers.google.com/protocol-buffers),
 and BIND must be configured with `--enable-dnstap`.
 
-Certain compiled-in constants and default settings can be increased to
+Certain compiled-in constants and default settings can be decreased to
 values better suited to small machines, e.g. OpenWRT boxes, by specifying
 `--with-tuning=small` on the `configure` command line. This will decrease
 memory usage by using smaller structures, but will degrade performance.

bin/dig/nslookup.1

@@ -233,7 +233,10 @@ Change the default TCP/UDP name server port to
 .RS 4
 Change the type of the information query\&.
 .sp
-(Default = A; abbreviations = q, ty)
+(Default = A and then AAAA; abbreviations = q, ty)
+.sp
+\fBNote:\fR
+It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
 .RE
 .PP
 \fB\fI[no]\fR\fR\fBrecurse\fR

bin/dig/nslookup.html

@@ -229,27 +229,27 @@ <h2>Synopsis</h2>
                     The class specifies the protocol group of the information.
 
                   </p>
-		  <p>
+                  <p>
                     (Default = IN; abbreviation = cl)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
 <dd>
                   <p>
-		    Turn on or off the display of the full response packet and
-		    any intermediate response packets when searching.
+                    Turn on or off the display of the full response packet and
+                    any intermediate response packets when searching.
                   </p>
-		  <p>
+                  <p>
                     (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
 <dd>
                   <p>
                     Turn debugging mode on or off.  This displays more about
-	            what nslookup is doing.
+                    what nslookup is doing.
                   </p>
-		  <p>
+                  <p>
                     (Default = nod2)
                   </p>
                 </dd>
@@ -267,7 +267,7 @@ <h2>Synopsis</h2>
                     names in the domain search list to the request until an
                     answer is received.
                   </p>
-		  <p>
+                  <p>
                     (Default = search)
                   </p>
                 </dd>
@@ -276,7 +276,7 @@ <h2>Synopsis</h2>
                   <p>
                     Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
                   </p>
-		  <p>
+                  <p>
                     (Default = 53; abbreviation = po)
                   </p>
                 </dd>
@@ -289,9 +289,15 @@ <h2>Synopsis</h2>
                   <p>
                     Change the type of the information query.
                   </p>
-		  <p>
-                    (Default = A; abbreviations = q, ty)
+                  <p>
+                    (Default = A and then AAAA; abbreviations = q, ty)
                   </p>
+                    <p>
+                      <span class="bold"><strong>Note:</strong></span> It is
+                      only possible to specify one query type, only
+                      the default behavior looks up both when an
+                      alternative is not specified.
+                    </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
 <dd>
@@ -300,16 +306,16 @@ <h2>Synopsis</h2>
                     have the
                     information.
                   </p>
-		  <p>
+                  <p>
                     (Default = recurse; abbreviation = [no]rec)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
 <dd>
                   <p>
-		    Set the number of dots (label separators) in a domain
-		    that will disable searching.  Absolute names always
-		    stop searching.
+                    Set the number of dots (label separators) in a domain
+                    that will disable searching.  Absolute names always
+                    stop searching.
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
@@ -331,21 +337,21 @@ <h2>Synopsis</h2>
                     Always use a virtual circuit when sending requests to the
                     server.
                   </p>
-		  <p>
+                  <p>
                     (Default = novc)
                   </p>
                 </dd>
 <dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
 <dd>
                   <p>
-		    Try the next nameserver if a nameserver responds with
-		    SERVFAIL or a referral (nofail) or terminate query
-		    (fail) on such a response.
-		  </p>
-		  <p>
+                    Try the next nameserver if a nameserver responds with
+                    SERVFAIL or a referral (nofail) or terminate query
+                    (fail) on such a response.
+                  </p>
+                  <p>
                     (Default = nofail)
                   </p>
-	        </dd>
+                </dd>
 </dl></div>
 <p>
           </p>

bin/dnssec/dnssec-keyfromlabel.8

@@ -92,7 +92,7 @@ Specifies the label for a key pair in the crypto hardware\&.
 .sp
 When
 BIND
-9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&. It may be preceded by an optional OpenSSL engine name, followed by a colon, as in "pkcs11:\fIkeylabel\fR"\&.
+9 is built with OpenSSL\-based PKCS#11 support, the label is an arbitrary string that identifies a particular key\&.
 .sp
 When
 BIND

bin/dnssec/dnssec-keyfromlabel.html

@@ -146,9 +146,7 @@ <h2>Synopsis</h2>
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 	    PKCS#11 support, the label is an arbitrary string that
-	    identifies a particular key.  It may be preceded by an
-	    optional OpenSSL engine name, followed by a colon, as in
-	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
+	    identifies a particular key.
 	  </p>
 	  <p>
 	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11

bin/named/named.8

@@ -187,7 +187,7 @@ Allow
 \fBnamed\fR
 to use up to
 \fI#max\-socks\fR
-sockets\&. The default value is 4096 on systems built with default configuration options, and 21000 on systems built with "configure \-\-with\-tuning=large"\&.
+sockets\&. The default value is 21000 on systems built with default configuration options, and 4096 on systems built with "configure \-\-with\-tuning=small"\&.
 .if n \{\
 .sp
 .\}

bin/named/named.conf.5

@@ -10,12 +10,12 @@
 .\"     Title: named.conf
 .\"    Author: 
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: 2019-08-12
+.\"      Date: 2020-02-07
 .\"    Manual: BIND9
 .\"    Source: ISC
 .\"  Language: English
 .\"
-.TH "NAMED\&.CONF" "5" "2019\-08\-12" "ISC" "BIND9"
+.TH "NAMED\&.CONF" "5" "2020\-02\-07" "ISC" "BIND9"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -97,6 +97,31 @@ dlz \fIstring\fR {
 .if n \{\
 .RE
 .\}
+.SH "DNSSEC-POLICY"
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+dnssec\-policy \fIstring\fR {
+	dnskey\-ttl \fIduration\fR;
+	keys { ( csk | ksk | zsk ) [ ( key\-directory ) ] lifetime
+	    \fIduration_or_unlimited\fR algorithm \fIstring\fR [ \fIinteger\fR ]; \&.\&.\&. };
+	max\-zone\-ttl \fIduration\fR;
+	parent\-ds\-ttl \fIduration\fR;
+	parent\-propagation\-delay \fIduration\fR;
+	parent\-registration\-delay \fIduration\fR;
+	publish\-safety \fIduration\fR;
+	retire\-safety \fIduration\fR;
+	signatures\-refresh \fIduration\fR;
+	signatures\-validity \fIduration\fR;
+	signatures\-validity\-dnskey \fIduration\fR;
+	zone\-propagation\-delay \fIduration\fR;
+};
+.fi
+.if n \{\
+.RE
+.\}
 .SH "DYNDB"
 .sp
 .if n \{\
@@ -150,7 +175,7 @@ logging {
 .\}
 .SH "MANAGED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@@ -262,6 +287,7 @@ options {
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-policy \fIstring\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
 	dnssec\-update\-mode ( maintain | no\-resign );
 	dnssec\-validation ( yes | no | auto );
@@ -411,8 +437,8 @@ options {
 	    \fIinteger\fR;
 	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
 	    \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
+	    | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@@ -567,7 +593,7 @@ trust\-anchors { \fIstring\fR ( static\-key |
 .\}
 .SH "TRUSTED-KEYS"
 .PP
-Deprecated \- see TRUST\-ANCHORS\&.
+Deprecated \- see DNSSEC\-KEYS\&.
 .sp
 .if n \{\
 .RS 4
@@ -657,6 +683,7 @@ view \fIstring\fR [ \fIclass\fR ] {
 	dnssec\-dnskey\-kskonly \fIboolean\fR;
 	dnssec\-loadkeys\-interval \fIinteger\fR;
 	dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+	dnssec\-policy \fIstring\fR;
 	dnssec\-secure\-to\-insecure \fIboolean\fR;
 	dnssec\-update\-mode ( maintain | no\-resign );
 	dnssec\-validation ( yes | no | auto );
@@ -780,8 +807,8 @@ view \fIstring\fR [ \fIclass\fR ] {
 	    \fIinteger\fR;
 	response\-policy { zone \fIstring\fR [ add\-soa \fIboolean\fR ] [ log
 	    \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [ min\-update\-interval
-	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op |
-	    nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
+	    \fIduration\fR ] [ policy ( cname | disabled | drop | given | no\-op
+	    | nodata | nxdomain | passthru | tcp\-only \fIquoted_string\fR ) ] [
 	    recursive\-only \fIboolean\fR ] [ nsip\-enable \fIboolean\fR ] [
 	    nsdname\-enable \fIboolean\fR ]; \&.\&.\&. } [ add\-soa \fIboolean\fR ] [
 	    break\-dnssec \fIboolean\fR ] [ max\-policy\-ttl \fIduration\fR ] [
@@ -1067,30 +1094,6 @@ zone \fIstring\fR [ \fIclass\fR ] {
 .if n \{\
 .RE
 .\}
-.SH "DNSSEC-POLICY"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-dnssec\-policy \fIstring\fR {
-	dnskey\-ttl \fIduration\fR;
-	keys { ( csk | ksk | zsk ) key\-directory lifetime \fIduration\fR algorithm \fIinteger\fR [ \fIinteger\fR ] ; \&.\&.\&. };
-	parent\-ds\-ttl \fIduration\fR;
-	parent\-propagation\-delay \fIduration\fR;
-	parent\-registration\-delay \fIduration\fR;
-	publish\-safety \fIduration\fR;
-	retire\-safety \fIduration\fR;
-	signatures\-refresh \fIduration\fR;
-	signatures\-validity \fIduration\fR;
-	signatures\-validity\-dnskey \fIduration\fR;
-	zone\-max\-ttl \fIduration\fR;
-	zone\-propagation\-delay \fIduration\fR;
-};
-.fi
-.if n \{\
-.RE
-.\}
 .SH "FILES"
 .PP
 /etc/named\&.conf

bin/named/named.conf.docbook

@@ -13,7 +13,7 @@
 
 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
   <info>
-    <date>2019-12-12</date>
+    <date>2020-02-07</date>
   </info>
   <refentryinfo>
     <corpname>ISC</corpname>
@@ -115,8 +115,8 @@ dlz <replaceable>string</replaceable> {
     <literallayout class="normal">
 dnssec-policy <replaceable>string</replaceable> {
 	dnskey-ttl <replaceable>duration</replaceable>;
-	keys { ( csk | ksk | zsk ) ( key-directory ) lifetime ( <replaceable>duration</replaceable> | unlimited )
-	    algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ]; ... };
+	keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime
+	    <replaceable>duration_or_unlimited</replaceable> algorithm <replaceable>string</replaceable> [ <replaceable>integer</replaceable> ]; ... };
 	max-zone-ttl <replaceable>duration</replaceable>;
 	parent-ds-ttl <replaceable>duration</replaceable>;
 	parent-propagation-delay <replaceable>duration</replaceable>;