source: server/major/bind.xml@ bf31777

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY bind-download-http "https://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.xz">
  <!ENTITY bind-download-ftp  "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.xz">
  <!ENTITY bind-md5sum        "6586d9c376e7ee9674767e1d79d63382">
  <!ENTITY bind-size          "5.0 MB">
  <!ENTITY bind-buildsize     "139 MB (26 MB installed)"><!-- differs much from prev maybe because of docs? -->
  <!ENTITY bind-time          "0.4 SBU (with parallelism=4; about 20 SBU somewhat processor independent, to run the complete test suite)">
]>

<sect1 id="bind" xreflabel="BIND-&bind-version;">
  <?dbhtml filename="bind.html"?>


  <title>BIND-&bind-version;</title>

  <indexterm zone="bind">
    <primary sortas="a-BIND">BIND</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to BIND</title>

    <para>
      The <application>BIND</application> package provides a DNS server
      and client utilities. If you are only interested in the utilities, refer
      to the <xref linkend="bind-utils"/>.
    </para>

    &lfs112_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&bind-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&bind-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &bind-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &bind-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &bind-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &bind-time;
        </para>
      </listitem>
    </itemizedlist>
<!--
    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/bind-&bind-version;-upstream_fixes-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>
-->
    <bridgehead renderas="sect3">BIND Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libuv"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="json-c"/> and
      <xref linkend="libcap-pam"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="curl"/>,
      <xref linkend="libidn2"/>,
      <xref linkend="libxml2"/>,
      <xref linkend="lmdb"/>,
      <xref linkend="mitkrb"/>,
      <ulink url="https://cmocka.org/">cmocka</ulink>,
      <ulink url="https://github.com/cjheath/geoip">geoip</ulink>,
      <ulink url="https://docs.pytest.org/en/stable/">pytest</ulink>,
      <ulink url="https://pypi.python.org/pypi/Sphinx">Sphinx</ulink> (required to build documentation), and
      <ulink url="&w3m-url;">w3m</ulink>
    </para>

    <bridgehead renderas="sect4">Optional database backends</bridgehead>
    <para role="optional">
      <xref linkend="db"/>,
      <xref linkend="mariadb"/> or <ulink url="https://www.mysql.com/">MySQL</ulink>,
      <xref linkend="openldap"/>,
      <xref linkend="postgresql"/>, and
      <xref linkend="unixodbc"/>
    </para>

    <bridgehead renderas="sect4">Optional (to run the test suite)</bridgehead>
    <para role="optional">
      <xref linkend="perl-net-dns"/>
    </para>

<!-- docs are now all sphinx based
    <bridgehead renderas="sect4">Optional (to rebuild the documentation)</bridgehead>
    <para role="optional">
      <xref linkend="doxygen"/>,
      <xref linkend="libxslt"/>, and
      <xref linkend="texlive"/> (or <xref linkend="tl-installer"/>)
    </para>
-->

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/bind"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of BIND</title>

<!--
    <para>
      To ensure <application>BIND</application> will build dnssec-keymgr,
      install a python module as the <systemitem
      class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>pip3 install ply</userinput></screen>
-->

    <para>
      Install <application>BIND</application> by running the
      following commands:
    </para>

<screen><userinput>./configure --prefix=/usr           \
            --sysconfdir=/etc       \
            --localstatedir=/var    \
            --mandir=/usr/share/man \
            --disable-static        &amp;&amp;
make</userinput></screen>

    <para>
      Issue the following commands to run the complete suite of tests.
      First, as the <systemitem class="username">root</systemitem> user, set up
      some test interfaces:
    </para>

    <note>
      <para>
        If IPv6 is not enabled in the kernel, there will be several
        error messages: "RTNETLINK answers: Operation not permitted".  These
        messages do not affect the tests.
      </para>
    </note>

<screen role="root"
        remap="test"><userinput>bin/tests/system/ifconfig.sh up</userinput></screen>

    <para>
      The test suite may indicate some skipped tests depending on
      what configuration options are used. Some tests are marked
      <quote>UNTESTED</quote> or does even fail if <xref linkend="perl-net-dns"/>
      is not installed. <!--One test, <quote>CPU</quote>, is known to fail.-->
      To run the tests, as an unprivileged user, execute:
    </para>

<screen remap="test"><userinput>make -k check</userinput></screen>

    <para>
      Again as <systemitem class="username">root</systemitem>, clean up the
      test interfaces:
    </para>

<screen role="root"
        remap="test"><userinput>bin/tests/system/ifconfig.sh down</userinput></screen>

    <para>
      Finally, install the package as the <systemitem
      class="username">root</systemitem> user:
    </para>

<!-- Documentation is an issue - The docs are now all in .rst format and appear
to be sphinx based. install source .rst files for now...

leave docs untouched as they does only use disk space when not
used to recreate the docs via Sphinx. I've added a note regarding
the documentation. (thomas)

<screen role="root"><userinput>make install &amp;&amp;

install -vdm 755 /usr/share/doc/bind-&bind-version;/{arm,dnssec-guide} &amp;&amp;
install doc/arm/* /usr/share/doc/bind-&bind-version;/arm               &amp;&amp;
install doc/dnssec-guide/* /usr/share/doc/bind-&bind-version;/dnssec-guide</userinput></screen>
-->
<screen role="root"><userinput>make install</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--sysconfdir=/etc</parameter>: This parameter forces
      <application>BIND</application> to look for configuration
      files in <filename class='directory'>/etc</filename> instead of
      <filename class='directory'>/usr/etc</filename>.
    </para>

    <!-- Seems to be removed in 9.18.0
    <para>
      <parameter>- -with-libtool</parameter>: This parameter forces the
      building of dynamic libraries and links the installed binaries to these
      libraries.
    </para>
    -->

    <para>
      <option>--with-libidn2</option>: This parameter enables
      the IDNA2008 (Internationalized Domain Names in Applications)
      support.
    </para>

    <para>
      <option>--enable-fetchlimit</option>: Use this option if you want
      to be able to limit the rate of recursive client queries. This may be
      useful on servers which receive a large number of queries.
    </para>

    <para>
      <option>--disable-linux-caps</option>: BIND can also be built without
      capability support by using this option, at the cost of some loss of
      security.
    </para>

    <para>
      <option>--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}</option>: Use
      one (or more) of those options to add Dynamically Loadable Zones support.
      For more information refer to <ulink
      url="http://bind-dlz.sourceforge.net/">bind-dlz.sourceforge.net</ulink>.
    </para>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
      href="../../xincludes/static-libraries.xml"/>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring BIND</title>

    <sect3 id="bind-config">
      <title>Config files</title>

      <para>
        <filename>named.conf</filename>,
        <filename>root.hints</filename>,
        <filename>127.0.0</filename>,
        <filename>rndc.conf</filename>, and
        <filename>resolv.conf</filename>
      </para>

      <indexterm zone="bind bind-config">
        <primary sortas="e-etc-named.conf">/etc/named.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
      <primary sortas="e-etc-rndc.conf">/etc/rndc.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary sortas="e-etc-resolv.conf">/etc/resolv.conf</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary
        sortas="e-etc-namedb-root.hints">/etc/namedb/root.hints</primary>
      </indexterm>

      <indexterm zone="bind bind-config">
        <primary
        sortas="e-etc-namedb-pz-127.0.0.0">/etc/namedb/pz/127.0.0.0</primary>
      </indexterm>
    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        <application>BIND</application> will be configured to run in a
        <command>chroot</command> jail as an unprivileged user (<systemitem
        class="username">named</systemitem>). This configuration is more secure
        in that a DNS compromise can only affect a few files in the <systemitem
        class="username">named</systemitem> user's <envar>HOME</envar>
        directory.
      </para>

      <para>
        Create the unprivileged user and group <systemitem
        class="username">named</systemitem>:
      </para>

<screen role="root"><userinput>groupadd -g 20 named &amp;&amp;
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &amp;&amp;
install -d -m770 -o named -g named /srv/named</userinput></screen>

      <para>
        Set up some files, directories and devices needed by
        <application>BIND</application>:
      </para>

<screen role="root"><userinput>mkdir -p /srv/named &amp;&amp;
cd       /srv/named &amp;&amp;
mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &amp;&amp;
mknod /srv/named/dev/null c 1 3 &amp;&amp;
mknod /srv/named/dev/urandom c 1 9 &amp;&amp;
chmod 666 /srv/named/dev/{null,urandom} &amp;&amp;
cp /etc/localtime etc</userinput></screen>

      <para>
        The <filename>rndc.conf</filename> file contains information for
        controlling <command>named</command> operations with the
        <command>rndc</command> utility. Generate a key for use in the
        <filename>named.conf</filename> and <filename>rndc.conf</filename>
        with the <command>rndc-confgen</command> command:
      </para>

<screen role="root"><userinput>rndc-confgen -a -b 512 -t /srv/named</userinput></screen>

      <para>
        Complete the <filename>named.conf</filename> file from which
        <command>named</command> will read the location of zone files, root
        name servers and secure DNS keys:
      </para>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt;&gt; /srv/named/etc/named.conf &lt;&lt; "EOF"
<literal>options {
    directory "/etc/named";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
      null;                               // toss anything sent to
                                          // this channel
  };
};</literal>
EOF</userinput></screen>

      <para>
        Create a zone file with the following contents:
      </para>

<screen role="root"><userinput>cat &gt; /srv/named/etc/named/pz/127.0.0 &lt;&lt; "EOF"
<literal>$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.</literal>
EOF</userinput></screen>

      <para>
        Create the <filename>root.hints</filename> file with the following
        commands:
      </para>

      <note>
        <para>
          Caution must be used to ensure there are no leading spaces in
          this file.
        </para>
      </note>

<screen role="root"><userinput>cat &gt; /srv/named/etc/named/root.hints &lt;&lt; "EOF"
<literal>.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     6D  IN      A       199.9.14.201
B.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:200::b
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
C.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2::c
D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
D.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2d::d
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
E.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:a8::e
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
G.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:12::d0d
H.ROOT-SERVERS.NET.     6D  IN      A       198.97.190.53
H.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:1::53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
I.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fe::53
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
L.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:9f::42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:dc3::35</literal>
EOF</userinput></screen>

      <para>
        The <filename>root.hints</filename> file is a list of root name
        servers. This file must be updated periodically with the
        <command>dig</command> utility. A current copy of root.hints can be
        obtained from <ulink url="https://www.internic.net/domain/named.root"/>.
        For details, consult the "BIND 9 Administrator Reference Manual".
      </para>

      <para>
        Create or modify <filename>resolv.conf</filename> to use the new
        name server with the following commands:
      </para>

      <note>
        <para>
          Replace <replaceable>&lt;yourdomain.com&gt;</replaceable> with
          your own valid domain name.
        </para>
      </note>

<screen role="root"><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
<literal>search <replaceable>&lt;yourdomain.com&gt;</replaceable>
nameserver 127.0.0.1</literal>
EOF</userinput></screen>

      <para>
        Set permissions on the <command>chroot</command> jail with the
        following command:
      </para>

<screen role="root"><userinput>chown -R named:named /srv/named</userinput></screen>

    </sect3>

    <sect3  id="bind-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para>
        To start the DNS server at boot, install the
        <phrase revision="sysv"><filename>/etc/rc.d/init.d/bind</filename> init
        script</phrase>
        <phrase revision="systemd"><filename>named.service</filename>
        unit</phrase> included in the
        <xref linkend="bootscripts" revision="sysv"/>
        <xref linkend="systemd-units" revision="systemd"/> package:
      </para>

      <indexterm zone="bind bind-init">
        <primary sortas="f-bind">bind</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-bind</userinput></screen>
<screen role="root" revision="systemd"><userinput>make install-named</userinput></screen>

      <para>
        Now start <application>BIND</application> with the following command:
      </para>

<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/bind start</userinput></screen>
<screen role="root" revision="systemd"><userinput>systemctl start named</userinput></screen>

    </sect3>

    <sect3>
      <title>Testing BIND</title>

      <para>
        Test out the new <application>BIND</application> 9 installation.
        First query the local host address with <command>dig</command>:
      </para>

<screen><userinput>dig -x 127.0.0.1</userinput></screen>

      <para>
        Now try an external name lookup, taking note of the speed
        difference in repeated lookups due to the caching. Run the
        <command>dig</command> command twice on the same address:
      </para>

<screen><userinput>dig www.&lfs-domainname; &amp;&amp;
dig www.&lfs-domainname;</userinput></screen>

      <para>
        You can see almost instantaneous results with the named caching
        lookups. Consult the <application>BIND</application> Administrator
        Reference Manual (see below) for further configuration options.
      </para>

    </sect3>

  </sect2>

  <sect2>
    <title>Administrator Reference Manual (ARM)</title>

    <para>
      The ARM documentation (do not confuse with the processor architecture)
      is included in the source package. The documentation is in .rst
      format which means, it can be converted in human readable formats
      if <ulink url="https://www.sphinx-doc.org/">Sphinx</ulink> is
      installed. As time of writing, sphinx is not included in
      the BLFS book and therefore, the instructions above do not
      install the docs.
    </para>

    <para>
      When <application>BIND</application> is set up, especially when
      to operate in a real live scenario, it is <emphasis>highly</emphasis>
      recommended to consult the ARM documentation. ISC provides an
      updated set of excellent documentation along with every release
      so it can be easily be viewed and/or downloaded - so there is
      no excuse to not read the docs. The formats ISC provides are PDF,
      epub and html at <ulink url="https://downloads.isc.org/isc/bind9/&bind-version;/doc/arm/"/>.
    </para>
  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>

        <seg>arpaname, <!--bind9-config hardlinked to isc-config.sh,-->
        ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage,
        dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen,
        dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone,
        dnssec-verify, host, mdig, named, named-checkconf,
        named-checkzone, named-compilezone (symlink), named-journalprint,
        named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc,
        rndc-confgen, and tsig-keygen (symlink)</seg>

        <seg>libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so,
        libisccfg.so, and libns.so</seg>

        <seg>/usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11},
        /usr/lib/named, /usr/lib/python&python3-majorver;/site-packages/isc,
        and /srv/named</seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="arpaname">
        <term><command>arpaname</command></term>
        <listitem>
          <para>
            translates IP addresses to the corresponding ARPA names
          </para>
          <indexterm zone="bind arpaname">
            <primary sortas="b-arpaname">arpaname</primary>
          </indexterm>
        </listitem>
      </varlistentry>

<!-- Not present as of 9.16.5
      <varlistentry id="bind9-config">
        <term><command>bind9-config</command></term>
        <listitem>
          <para>
            is hardlinked to <command>isc-config.sh</command>.
          </para>
          <indexterm zone="bind bind9-config">
            <primary sortas="b-bind9-config">bind9-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="ddns-confgen">
        <term><command>ddns-confgen</command></term>
        <listitem>
          <para>
            generates a key for use by nsupdate and named
          </para>
          <indexterm zone="bind ddns-confgen">
            <primary sortas="b-ddns-confgen">ddns-confgen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="delv">
        <term><command>delv</command></term>
        <listitem>
          <para>
            is a new debugging tool that is a successor to
            <command>dig</command>
          </para>
          <indexterm zone="bind delv">
            <primary sortas="b-delv">delv</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dig">
        <term><command>dig</command></term>
        <listitem>
          <para>
            interrogates DNS servers
          </para>
          <indexterm zone="bind dig">
            <primary sortas="b-dig">dig</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-cds">
        <term><command>dnssec-cds</command></term>
        <listitem>
          <para>
            changes DS records for a child zone based on
            CDS/CDNSKEY
          </para>
          <indexterm zone="bind dnssec-cds">
            <primary sortas="b-dnssec-cds">dnssec-cds</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-checkds">
        <term><command>dnssec-checkds</command></term>
        <listitem>
          <para>
            is a DNSSEC delegation consistency checking tool
          </para>
          <indexterm zone="bind dnssec-checkds">
            <primary sortas="b-dnssec-checkds">dnssec-checkds</primary>
          </indexterm>
        </listitem>
      </varlistentry>

     <varlistentry id="dnssec-coverage">
        <term><command>dnssec-coverage</command></term>
        <listitem>
          <para>
            verifies that the DNSSEC keys for a given zone or a set of zones
            have timing metadata set properly to ensure no future lapses
            in DNSSEC coverage
          </para>
          <indexterm zone="bind dnssec-coverage">
            <primary sortas="b-dnssec-coverage">dnssec-coverage</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-dsfromkey">
        <term><command>dnssec-dsfromkey</command></term>
        <listitem>
          <para>
            outputs the Delegation Signer (DS) resource record (RR)
          </para>
          <indexterm zone="bind dnssec-dsfromkey">
            <primary sortas="b-dnssec-dsfromkey">dnssec-dsfromkey</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-importkey">
        <term><command>dnssec-importkey</command></term>
        <listitem>
          <para>
             reads a public DNSKEY record and generates a pair of
             .key/.private files
          </para>
          <indexterm zone="bind dnssec-importkey">
            <primary sortas="b-dnssec-importkey">dnssec-importkey</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keyfromlabel">
        <term><command>dnssec-keyfromlabel</command></term>
        <listitem>
          <para>
            gets keys with the given label from a cryptography hardware device
            and builds key files for DNSSEC
          </para>
          <indexterm zone="bind dnssec-keyfromlabel">
            <primary sortas="b-dnssec-keyfromlabel">dnssec-keyfromlabel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keygen">
        <term><command>dnssec-keygen</command></term>
        <listitem>
          <para>
            is a key generator for secure DNS
          </para>
          <indexterm zone="bind dnssec-keygen">
            <primary sortas="b-dnssec-keygen">dnssec-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-keymgr">
        <term><command>dnssec-keymgr</command></term>
        <listitem>
          <para>
            ensures correct DNSKEY coverage based on a defined policy
          </para>
          <indexterm zone="bind dnssec-keymgr">
            <primary sortas="b-dnssec-keymgr">dnssec-keymgr</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-revoke">
        <term><command>dnssec-revoke</command></term>
        <listitem>
          <para>
            sets the REVOKED bit on a DNSSEC key
          </para>
          <indexterm zone="bind dnssec-revoke">
            <primary sortas="b-dnssec-revoke">dnssec-revoke</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-settime">
        <term><command>dnssec-settime</command></term>
        <listitem>
          <para>
            sets the key timing metadata for a DNSSEC key
          </para>
          <indexterm zone="bind dnssec-settime">
            <primary sortas="b-dnssec-settime">dnssec-settime</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-signzone">
        <term><command>dnssec-signzone</command></term>
        <listitem>
          <para>
            generates signed versions of zone files
          </para>
          <indexterm zone="bind dnssec-signzone">
            <primary sortas="b-dnssec-signzone">dnssec-signzone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="dnssec-verify">
        <term><command>dnssec-verify</command></term>
        <listitem>
          <para>
            verifies that a zone is fully signed for each algorithm found
            in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
            chains are complete
          </para>
          <indexterm zone="bind dnssec-verify">
            <primary sortas="b-dnssec-verify">dnssec-verify</primary>
          </indexterm>
        </listitem>
      </varlistentry>

<!-- No longer present with 9.16.5
      <varlistentry id="genrandom">
        <term><command>genrandom</command></term>
        <listitem>
          <para>
            generates a file containing random data.
          </para>
          <indexterm zone="bind genrandom">
            <primary sortas="b-genrandom">genrandom</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="host">
        <term><command>host</command></term>
        <listitem>
          <para>
            is a utility for DNS lookups
          </para>
          <indexterm zone="bind host">
            <primary sortas="b-host">host</primary>
          </indexterm>
        </listitem>
      </varlistentry>

 <!-- No longer present with 9.16.5
      <varlistentry id="isc-config.sh">
        <term><command>isc-config.sh</command></term>
        <listitem>
          <para>
            prints information related to the installed version of ISC BIND.
          </para>
          <indexterm zone="bind isc-config.sh">
            <primary sortas="b-isc-config.sh">isc-config.sh</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="isc-hmac-fixup">
        <term><command>isc-hmac-fixup</command></term>
        <listitem>
          <para>
            fixes HMAC keys generated by older versions of BIND.
          </para>
          <indexterm zone="bind isc-hmac-fixup">
            <primary sortas="b-isc-hmac-fixup">isc-hmac-fixup</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="lwresd">
        <term><command>lwresd</command></term>
        <listitem>
          <para>
            is a caching-only name server for local process use.
          </para>
          <indexterm zone="bind lwresd">
            <primary sortas="b-lwresd">lwresd</primary>
          </indexterm>
        </listitem>
      </varlistentry>
-->

      <varlistentry id="mdig">
        <term><command>mdig</command></term>
        <listitem>
          <para>
            is a version of dig that allows multiple queries at once
          </para>
          <indexterm zone="bind mdig">
            <primary sortas="b-mdig">mdig</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named">
        <term><command>named</command></term>
        <listitem>
          <para>
            is the name server daemon
          </para>
          <indexterm zone="bind named">
            <primary sortas="b-named">named</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-checkconf">
        <term><command>named-checkconf</command></term>
        <listitem>
          <para>
            checks the syntax of <filename>named.conf</filename>
            files
          </para>
          <indexterm zone="bind named-checkconf">
            <primary sortas="b-named-checkconf">named-checkconf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-checkzone">
        <term><command>named-checkzone</command></term>
        <listitem>
          <para>
            checks zone file validity
          </para>
          <indexterm zone="bind named-checkzone">
            <primary sortas="b-named-checkzone">named-checkzone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-compilezone">
        <term><command>named-compilezone</command></term>
        <listitem>
          <para>
            is similar to <command>named-checkzone</command>, but it always
            dumps the zone contents to a specified file in a specified format
          </para>
          <indexterm zone="bind named-compilezone">
            <primary sortas="b-named-compilezone">named-compilezone</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-journalprint">
        <term><command>named-journalprint</command></term>
        <listitem>
          <para>
            prints the zone journal in human-readable form
          </para>
          <indexterm zone="bind named-journalprint">
            <primary sortas="b-named-journalprint">named-journalprint</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-rrchecker">
        <term><command>named-rrchecker</command></term>
        <listitem>
          <para>
            reads an individual DNS resource record from standard input and
            checks if it is syntactically correct
          </para>
          <indexterm zone="bind named-rrchecker">
            <primary sortas="b-named-rrchecker">named-rrchecker</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="named-nzd2nzf">
        <term><command>named-nzd2nzf</command></term>
        <listitem>
          <para>
            converts an NZD database to NZF text format
          </para>
          <indexterm zone="bind named-nzd2nzf">
            <primary sortas="b-named-nzd2nzf">named-nzd2nzf</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nsec3hash">
        <term><command>nsec3hash</command></term>
        <listitem>
          <para>
            generates an NSEC3 hash based on a set of NSEC3 parameters
          </para>
          <indexterm zone="bind nsec3hash">
            <primary sortas="b-nsec3hash">nsec3hash</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nslookup">
        <term><command>nslookup</command></term>
        <listitem>
          <para>
            is a program used to query Internet domain nameservers
          </para>
          <indexterm zone="bind nslookup">
            <primary sortas="b-nslookup">nslookup</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nsupdate">
        <term><command>nsupdate</command></term>
        <listitem>
          <para>
            is used to submit DNS update requests
          </para>
          <indexterm zone="bind nsupdate">
            <primary sortas="b-nsupdate">nsupdate</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rndc">
        <term><command>rndc</command></term>
        <listitem>
          <para>
            controls the operation of <application>BIND</application>
          </para>
          <indexterm zone="bind rndc">
            <primary sortas="b-rndc">rndc</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="rndc-confgen">
        <term><command>rndc-confgen</command></term>
        <listitem>
          <para>
            generates <filename>rndc.conf</filename> files
          </para>
          <indexterm zone="bind rndc-confgen">
            <primary sortas="b-rndc-confgen">rndc-confgen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="tsig-keygen">
        <term><command>tsig-keygen</command></term>
        <listitem>
          <para>
            is a symlink to <command>ddns-confgen</command>
          </para>
          <indexterm zone="bind tsig-keygen">
            <primary sortas="b-tsig-keygen">tsig-keygen</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>