source: server/major/bind.xml@ 9a591635

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY bind-download-http " ">
  <!ENTITY bind-download-ftp  "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.xz">
  <!ENTITY bind-md5sum        "8025b8f8463b3b9d9c902bab27f185a2">
  <!ENTITY bind-size          "4.8 MB">
  <!ENTITY bind-buildsize     "117 MB (20 MB installed)">
  <!ENTITY bind-time          "0.8 SBU (with parallelism=4; add 30+ minutes, somewhat processor independent, to run the complete test suite)">
]>

<sect1 id="bind" xreflabel="BIND-&bind-version;">
  <?dbhtml filename="bind.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>BIND-&bind-version;</title>

  <indexterm zone="bind">
    <primary sortas="a-BIND">BIND</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to BIND</title>

    <para>
      The <application>BIND</application> package provides a DNS server
      and client utilities. If you are only interested in the utilities, refer
      to the <xref linkend="bind-utils"/>.
    </para>

    &lfs110a_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&bind-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&bind-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &bind-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &bind-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &bind-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &bind-time;
        </para>
      </listitem>
    </itemizedlist>
<!--
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/bind-&bind-version;-upstream_fixes-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
-->
    <bridgehead renderas="sect3">BIND Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libuv"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="json-c"/> and
      <xref linkend="libcap-pam"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="curl"/>,
      <xref linkend="libidn2"/>,
      <xref linkend="libxml2"/>,
      <xref linkend="lmdb"/>,
      <xref linkend="mitkrb"/>,
      <ulink url="https://cmocka.org/">cmocka</ulink>,
      <ulink url="https://github.com/cjheath/geoip">geoip</ulink>,
      <ulink url="https://docs.pytest.org/en/stable/">pytest</ulink>,
      <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink>, and
      <ulink url="&w3m-url;">w3m</ulink>
    </para>

    <bridgehead renderas="sect4">Optional database backends</bridgehead>
    <para role="optional">
      <xref linkend="db"/>,
      <xref linkend="mariadb"/> or <ulink url="http://www.mysql.com/">MySQL</ulink>,
      <xref linkend="openldap"/>,
      <xref linkend="postgresql"/>, and
      <xref linkend="unixodbc"/>
    </para>

    <bridgehead renderas="sect4">Optional (to run the test suite)</bridgehead>
    <para role="optional">
      <xref linkend="perl-net-dns"/>
    </para>

    <bridgehead renderas="sect4">Optional (to rebuild the documentation)</bridgehead>
    <para role="optional">
      <xref linkend="doxygen"/>,
      <xref linkend="libxslt"/>, and
      <xref linkend="texlive"/> (or <xref linkend="tl-installer"/>)
    </para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/bind"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of BIND</title>

    <para>
      To ensure <application>BIND</application> will build dnssec-keymgr,
      install a python module as the <systemitem
      class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>pip3 install ply</userinput></screen>
<!--
    <para>
      First, fix a few regressions that were reported upstream:
    </para>

<screen><userinput remap="pre">patch -Np1 -i ../bind-&bind-version;-upstream_fixes-1.patch</userinput></screen>
-->
    <para>
      Fix a regression identified upstream:
    </para>

<screen><userinput remap="pre">sed -i 's/MAPAPI=2.0/MAPAPI=3.0/' lib/dns/mapapi</userinput></screen>

    <para>
      Install <application>BIND</application> by running the
      following commands:
    </para>

<screen><userinput>./configure --prefix=/usr           \
            --sysconfdir=/etc       \
            --localstatedir=/var    \
            --mandir=/usr/share/man \
            --with-libtool          \
            --disable-static        &amp;&amp;
make</userinput></screen>

    <para>
      Issue the following commands to run the complete suite of tests.
      First, as the <systemitem class="username">root</systemitem> user, set up
      some test interfaces:
    </para>

    <note>
      <para>
        If IPv6 is not enabled in the kernel, there will be several
        error messages: "RTNETLINK answers: Operation not permitted".  These
        messages do not affect the tests.
      </para>
    </note>

<screen role="root"
        remap="test"><userinput>bin/tests/system/ifconfig.sh up</userinput></screen>

    <para>
      The test suite may indicate some skipped tests depending on
      what configuration options are used. Some tests are marked
      <quote>UNTESTED</quote> if <xref linkend="perl-net-dns"/> is not
      installed. <!--One test, <quote>CPU</quote>, is known to fail.-->
      To run the tests, as an unprivileged user, execute:
    </para>

<screen remap="test"><userinput>make -k check</userinput></screen>

    <para>
      Again as <systemitem class="username">root</systemitem>, clean up the
      test interfaces:
    </para>

<screen role="root"
        remap="test"><userinput>bin/tests/system/ifconfig.sh down</userinput></screen>

    <para>
      Finally, install the package as the <systemitem
      class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install</userinput></screen>
  </sect2>

<!-- Documentation is an issue - The docs are now all in .rst format and appear
to be sphinx based.
-->

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--sysconfdir=/etc</parameter>: This parameter forces
      <application>BIND</application> to look for configuration
      files in <filename class='directory'>/etc</filename> instead of
      <filename class='directory'>/usr/etc</filename>.
    </para>

    <para>
      <parameter>--with-libtool</parameter>: This parameter forces the
      building of dynamic libraries and links the installed binaries to these
      libraries.
    </para>
    
    <para>
      <option>--with-libidn2</option>: This parameter enables
      the IDNA2008 (Internationalized Domain Names in Applications)
      support.
    </para>

    <para>
      <option>--enable-fetchlimit</option>: Use this option if you want
      to be able to limit the rate of recursive client queries. This may be
      useful on servers which receive a large number of queries.
    </para>

    <para>
      <option>--disable-linux-caps</option>: BIND can also be built without
      capability support by using this option, at the cost of some loss of
      security.
    </para>

    <para>
      <option>--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}</option>: Use
      one (or more) of those options to add Dynamically Loadable Zones support.
      For more information refer to <ulink
      url="http://bind-dlz.sourceforge.net/">bind-dlz.sourceforge.net</ulink>.
    </para>
    
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/static-libraries.xml"/>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring BIND</title>

    <sect3 id="bind-config">
      <title>Config files</title>

      <para>
        <filename>named.conf</filename>,
        <filename>root.hints</filename>,
        <filename>127.0.0</filename>,
        <filename>rndc.conf</filename>, and
        <filename>resolv.conf</filename>
      </para>

      <indexterm zone="bind bind-config">
        <primary sortas="e-etc-named.conf">/etc/named.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
      <primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary
        sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary
        sortas="e-etc-namedb-pz-127.0.0.0">/etc/namedb/pz/127.0.0.0</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        <application>BIND</application> will be configured to run in a
        <command>chroot</command> jail as an unprivileged user (<systemitem
        class="username">named</systemitem>). This configuration is more secure
        in that a DNS compromise can only affect a few files in the <systemitem
        class="username">named</systemitem> user's <envar>HOME</envar>
        directory.
      </para>

      <para>
        Create the unprivileged user and group <systemitem
        class="username">named</systemitem>:
      </para>

<screen role="root"><userinput>groupadd -g 20 named &amp;&amp;
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &amp;&amp;
install -d -m770 -o named -g named /srv/named</userinput></screen>

      <para>
        Set up some files, directories and devices needed by
        <application>BIND</application>:
      </para>

<screen role="root"><userinput>mkdir -p /srv/named &amp;&amp;
cd       /srv/named &amp;&amp;
mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &amp;&amp;
mknod /srv/named/dev/null c 1 3 &amp;&amp;
mknod /srv/named/dev/urandom c 1 9 &amp;&amp;
chmod 666 /srv/named/dev/{null,urandom} &amp;&amp;
cp /etc/localtime etc</userinput></screen>

      <para>
        The <filename>rndc.conf</filename> file contains information for
        controlling <command>named</command> operations with the
        <command>rndc</command> utility. Generate a key for use in the
        <filename>named.conf</filename> and <filename>rndc.conf</filename>
        with the <command>rndc-confgen</command> command:
      </para>

<screen role="root"><userinput>rndc-confgen -a -b 512 -t /srv/named</userinput></screen>

      <para>
        Complete the <filename>named.conf</filename> file from which
        <command>named</command> will read the location of zone files, root
        name servers and secure DNS keys:
      </para>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt;&gt; /srv/named/etc/named.conf &lt;&lt; "EOF"
<literal>options {
    directory "/etc/named";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
      null;                               // toss anything sent to
                                          // this channel
  };
};</literal>
EOF</userinput></screen>

      <para>
        Create a zone file with the following contents:
      </para>

<screen role="root"><userinput>cat &gt; /srv/named/etc/named/pz/127.0.0 &lt;&lt; "EOF"
<literal>$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.</literal>
EOF</userinput></screen>

      <para>
        Create the <filename>root.hints</filename> file with the following
        commands:
      </para>

      <note>
        <para>
          Caution must be used to ensure there are no leading spaces in
          this file.
        </para>
      </note>

<screen role="root"><userinput>cat &gt; /srv/named/etc/named/root.hints &lt;&lt; "EOF"
<literal>.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
B.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:200::b
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
C.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2::c
D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
D.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2d::d
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
E.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:a8::e
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
G.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:12::d0d
H.ROOT-SERVERS.NET.     6D  IN      A       198.97.190.53
H.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:1::53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
I.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fe::53
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
L.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:9f::42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:dc3::35</literal>
EOF</userinput></screen>

      <para>
        The <filename>root.hints</filename> file is a list of root name
        servers. This file must be updated periodically with the
        <command>dig</command> utility. A current copy of root.hints can be
        obtained from <ulink url="ftp://rs.internic.net/domain/named.root" />.
        For details, consult the "BIND 9 Administrator Reference Manual",
        included in every source archive of BIND 9 distributed by ISC, in HTML
        and PDF formats, also available at <ulink
        url="ftp://ftp.isc.org/isc/bind9/cur/&bind-minor-version;/doc/arm/Bv9ARM.html">
        BIND 9 Administrator Reference Manual</ulink>.
      </para>

      <para>
        Create or modify <filename>resolv.conf</filename> to use the new
        name server with the following commands:
      </para>

      <note>
        <para>
          Replace <replaceable>&lt;yourdomain.com&gt;</replaceable> with
          your own valid domain name.
        </para>
      </note>

<screen role="root"><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
<literal>search <replaceable>&lt;yourdomain.com&gt;</replaceable>
nameserver 127.0.0.1</literal>
EOF</userinput></screen>

      <para>
        Set permissions on the <command>chroot</command> jail with the
        following command:
      </para>

<screen role="root"><userinput>chown -R named:named /srv/named</userinput></screen>

    </sect3>

    <sect3  id="bind-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para>
        To start the DNS server at boot, install the
        <phrase revision="sysv"><filename>/etc/rc.d/init.d/bind</filename> init
        script</phrase>
        <phrase revision="systemd"><filename>named.service</filename>
        unit</phrase> included in the
        <xref linkend="bootscripts" revision="sysv"/>
        <xref linkend="systemd-units" revision="systemd"/> package:
      </para>

      <indexterm zone="bind bind-init">
        <primary sortas="f-bind">bind</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-bind</userinput></screen>
<screen role="root" revision="systemd"><userinput>make install-named</userinput></screen>

      <para>
        Now start <application>BIND</application> with the following command:
      </para>

<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/bind start</userinput></screen>
<screen role="root" revision="systemd"><userinput>systemctl start named</userinput></screen>

    </sect3>

    <sect3>
      <title>Testing BIND</title>

      <para>
        Test out the new <application>BIND</application> 9 installation.
        First query the local host address with <command>dig</command>:
      </para>

<screen><userinput>dig -x 127.0.0.1</userinput></screen>

      <para>
        Now try an external name lookup, taking note of the speed
        difference in repeated lookups due to the caching. Run the
        <command>dig</command> command twice on the same address:
      </para>

<screen><userinput>dig www.&lfs-domainname; &amp;&amp;
dig www.&lfs-domainname;</userinput></screen>

      <para>
        You can see almost instantaneous results with the named caching
        lookups. Consult the <application>BIND</application> Administrator
        Reference Manual located at 
        <ulink url="https://bind9.readthedocs.io/en/v9_16/"/>
        for further configuration options.
      </para>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>

        <seg>arpaname, <!--bind9-config hardlinked to isc-config.sh,--> 
        ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage, 
        dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, 
        dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone, 
        dnssec-verify, host, mdig, named, named-checkconf,
        named-checkzone, named-compilezone (symlink), named-journalprint, 
        named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, 
        rndc-confgen, and tsig-keygen (symlink)</seg>

        <seg>libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so,
        libisccfg.so, and libns.so</seg>

        <seg>/usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11},
        /usr/lib/named, /usr/lib/python&python3-majorver;/site-packages/isc,
        and /srv/named</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="arpaname">
        <term><command>arpaname</command></term>
        <listitem>
          <para>
            translates IP addresses to the corresponding ARPA names
          </para>
          <indexterm zone="bind arpaname">
            <primary sortas="b-arpaname">arpaname</primary>
          </indexterm>
        </listitem>
      </varlistentry>

<!-- Not present as of 9.16.5
      <varlistentry id="bind9-config">
        <term><command>bind9-config</command></term>
        <listitem>
          <para>
            is hardlinked to <command>isc-config.sh</command>.
          </para>
          <indexterm zone="bind bind9-config">
            <primary sortas="b-bind9-config">bind9-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="ddns-confgen">
        <term><command>ddns-confgen</command></term>
        <listitem>
          <para>
            generates a key for use by nsupdate and named
          </para>
          <indexterm zone="bind ddns-confgen">
            <primary sortas="b-ddns-confgen">ddns-confgen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="delv">
        <term><command>delv</command></term>
        <listitem>
          <para>
            is a new debugging tool that is a successor to
            <command>dig</command>
          </para>
          <indexterm zone="bind delv">
            <primary sortas="b-delv">delv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dig">
        <term><command>dig</command></term>
        <listitem>
          <para>
            interrogates DNS servers
          </para>
          <indexterm zone="bind dig">
            <primary sortas="b-dig">dig</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-cds">
        <term><command>dnssec-cds</command></term>
        <listitem>
          <para>
            changes DS records for a child zone based on
            CDS/CDNSKEY
          </para>
          <indexterm zone="bind dnssec-cds">
            <primary sortas="b-dnssec-cds">dnssec-cds</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-checkds">
        <term><command>dnssec-checkds</command></term>
        <listitem>
          <para>
            is a DNSSEC delegation consistency checking tool
          </para>
          <indexterm zone="bind dnssec-checkds">
            <primary sortas="b-dnssec-checkds">dnssec-checkds</primary>
          </indexterm>
        </listitem>
      </varlistentry>

     <varlistentry id="dnssec-coverage">
        <term><command>dnssec-coverage</command></term>
        <listitem>
          <para>
            verifies that the DNSSEC keys for a given zone or a set of zones
            have timing metadata set properly to ensure no future lapses
            in DNSSEC coverage
          </para>
          <indexterm zone="bind dnssec-coverage">
            <primary sortas="b-dnssec-coverage">dnssec-coverage</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-dsfromkey">
        <term><command>dnssec-dsfromkey</command></term>
        <listitem>
          <para>
            outputs the Delegation Signer (DS) resource record (RR)
          </para>
          <indexterm zone="bind dnssec-dsfromkey">
            <primary sortas="b-dnssec-dsfromkey">dnssec-dsfromkey</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-importkey">
        <term><command>dnssec-importkey</command></term>
        <listitem>
          <para>
             reads a public DNSKEY record and generates a pair of
             .key/.private files
          </para>
          <indexterm zone="bind dnssec-importkey">
            <primary sortas="b-dnssec-importkey">dnssec-importkey</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keyfromlabel">
        <term><command>dnssec-keyfromlabel</command></term>
        <listitem>
          <para>
            gets keys with the given label from a cryptography hardware device
            and builds key files for DNSSEC
          </para>
          <indexterm zone="bind dnssec-keyfromlabel">
            <primary sortas="b-dnssec-keyfromlabel">dnssec-keyfromlabel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keygen">
        <term><command>dnssec-keygen</command></term>
        <listitem>
          <para>
            is a key generator for secure DNS
          </para>
          <indexterm zone="bind dnssec-keygen">
            <primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keymgr">
        <term><command>dnssec-keymgr</command></term>
        <listitem>
          <para>
            ensures correct DNSKEY coverage based on a defined policy
          </para>
          <indexterm zone="bind dnssec-keymgr">
            <primary sortas="b-dnssec-keymgr">dnssec-keymgr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-revoke">
        <term><command>dnssec-revoke</command></term>
        <listitem>
          <para>
            sets the REVOKED bit on a DNSSEC key
          </para>
          <indexterm zone="bind dnssec-revoke">
            <primary sortas="b-dnssec-revoke">dnssec-revoke</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-settime">
        <term><command>dnssec-settime</command></term>
        <listitem>
          <para>
            sets the key timing metadata for a DNSSEC key
          </para>
          <indexterm zone="bind dnssec-settime">
            <primary sortas="b-dnssec-settime">dnssec-settime</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-signzone">
        <term><command>dnssec-signzone</command></term>
        <listitem>
          <para>
            generates signed versions of zone files
          </para>
          <indexterm zone="bind dnssec-signzone">
            <primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-verify">
        <term><command>dnssec-verify</command></term>
        <listitem>
          <para>
            verifies that a zone is fully signed for each algorithm found
            in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
            chains are complete
          </para>
          <indexterm zone="bind dnssec-verify">
            <primary sortas="b-dnssec-verify">dnssec-verify</primary>
          </indexterm>
        </listitem>
      </varlistentry>

<!-- No longer present with 9.16.5
      <varlistentry id="genrandom">
        <term><command>genrandom</command></term>
        <listitem>
          <para>
            generates a file containing random data.
          </para>
          <indexterm zone="bind genrandom">
            <primary sortas="b-genrandom">genrandom</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="host">
        <term><command>host</command></term>
        <listitem>
          <para>
            is a utility for DNS lookups
          </para>
          <indexterm zone="bind host">
            <primary sortas="b-host">host</primary>
          </indexterm>
        </listitem>
      </varlistentry>

 <!-- No longer present with 9.16.5
      <varlistentry id="isc-config.sh">
        <term><command>isc-config.sh</command></term>
        <listitem>
          <para>
            prints information related to the installed version of ISC BIND.
          </para>
          <indexterm zone="bind isc-config.sh">
            <primary sortas="b-isc-config.sh">isc-config.sh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="isc-hmac-fixup">
        <term><command>isc-hmac-fixup</command></term>
        <listitem>
          <para>
            fixes HMAC keys generated by older versions of BIND.
          </para>
          <indexterm zone="bind isc-hmac-fixup">
            <primary sortas="b-isc-hmac-fixup">isc-hmac-fixup</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="lwresd">
        <term><command>lwresd</command></term>
        <listitem>
          <para>
            is a caching-only name server for local process use.
          </para>
          <indexterm zone="bind lwresd">
            <primary sortas="b-lwresd">lwresd</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="mdig">
        <term><command>mdig</command></term>
        <listitem>
          <para>
            is a version of dig that allows multiple queries at once
          </para>
          <indexterm zone="bind mdig">
            <primary sortas="b-mdig">mdig</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named">
        <term><command>named</command></term>
        <listitem>
          <para>
            is the name server daemon
          </para>
          <indexterm zone="bind named">
            <primary sortas="b-named">named</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-checkconf">
        <term><command>named-checkconf</command></term>
        <listitem>
          <para>
            checks the syntax of <filename>named.conf</filename>
            files
          </para>
          <indexterm zone="bind named-checkconf">
            <primary sortas="b-named-checkconf">named-checkconf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-checkzone">
        <term><command>named-checkzone</command></term>
        <listitem>
          <para>
            checks zone file validity
          </para>
          <indexterm zone="bind named-checkzone">
            <primary sortas="b-named-checkzone">named-checkzone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-compilezone">
        <term><command>named-compilezone</command></term>
        <listitem>
          <para>
            is similar to <command>named-checkzone</command>, but it always
            dumps the zone contents to a specified file in a specified format
          </para>
          <indexterm zone="bind named-compilezone">
            <primary sortas="b-named-compilezone">named-compilezone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-journalprint">
        <term><command>named-journalprint</command></term>
        <listitem>
          <para>
            prints the zone journal in human-readable form
          </para>
          <indexterm zone="bind named-journalprint">
            <primary sortas="b-named-journalprint">named-journalprint</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-rrchecker">
        <term><command>named-rrchecker</command></term>
        <listitem>
          <para>
            reads an individual DNS resource record from standard input and
            checks if it is syntactically correct
          </para>
          <indexterm zone="bind named-rrchecker">
            <primary sortas="b-named-rrchecker">named-rrchecker</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-nzd2nzf">
        <term><command>named-nzd2nzf</command></term>
        <listitem>
          <para>
            converts an NZD database to NZF text format
          </para>
          <indexterm zone="bind named-nzd2nzf">
            <primary sortas="b-named-nzd2nzf">named-nzd2nzf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nsec3hash">
        <term><command>nsec3hash</command></term>
        <listitem>
          <para>
            generates an NSEC3 hash based on a set of NSEC3 parameters
          </para>
          <indexterm zone="bind nsec3hash">
            <primary sortas="b-nsec3hash">nsec3hash</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nslookup">
        <term><command>nslookup</command></term>
        <listitem>
          <para>
            is a program used to query Internet domain nameservers
          </para>
          <indexterm zone="bind nslookup">
            <primary sortas="b-nslookup">nslookup</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nsupdate">
        <term><command>nsupdate</command></term>
        <listitem>
          <para>
            is used to submit DNS update requests
          </para>
          <indexterm zone="bind nsupdate">
            <primary sortas="b-nsupdate">nsupdate</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rndc">
        <term><command>rndc</command></term>
        <listitem>
          <para>
            controls the operation of <application>BIND</application>
          </para>
          <indexterm zone="bind rndc">
            <primary sortas="b-rndc">rndc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rndc-confgen">
        <term><command>rndc-confgen</command></term>
        <listitem>
          <para>
            generates <filename>rndc.conf</filename> files
          </para>
          <indexterm zone="bind rndc-confgen">
            <primary sortas="b-rndc-confgen">rndc-confgen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tsig-keygen">
        <term><command>tsig-keygen</command></term>
        <listitem>
          <para>
            is a symlink to <command>ddns-confgen</command>
          </para>
          <indexterm zone="bind tsig-keygen">
            <primary sortas="b-tsig-keygen">tsig-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>