components/bind/Solaris/migration.txt
changeset 1809 79cf56012d11
parent 1808 49bcd88a82a0
child 1810 1a4f32a21ac3
--- a/components/bind/Solaris/migration.txt	Wed Apr 02 07:43:35 2014 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1341 +0,0 @@
-Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for
-terms.
-
-		   BIND 8 to BIND 9 Migration Notes
-	      includes BIND 9.2.4 to BIND 9.3.4 changes
-
-
-BIND 9 is designed to be mostly upwards compatible with BIND 8, but
-there is still a number of caveats you should be aware of when
-upgrading an existing BIND 8 installation to use BIND 9.
-
-Introduction
-------------
-
-This document provides information about differences between BIND 8 and
-BIND 9. BIND 9 is upwards compatible with most BIND 8 features. However,
-there are still a number of caveats you should be aware of when upgrading
-an existing BIND 8 installation to use BIND 9. Be sure to read this
-entire document before installing and using BIND 9.
-
-This document contains the following sections:
-	* Section A, 1-7 Overview of Differences Between BIND 8 and BIND 9
-	* Section 8      BIND 9 name server and the Service Management Facility
-	* Appendix I     Implementing rndc
-	* Appendix II    BIND 9 Commands, Options, Files, and Tools
-	* Appendix III   The named.conf Options
-
-Additional information and documentation about BIND 9, including an
-Administrator Reference Manual (ARM) is available on the ISC web site
-at http://www.isc.org
-
-The words "named", "DNS server", "name server" and "BIND 9 server"
-are used interchangeably to denote the Internet Systems Consortium
-BIND version 9 DNS server throughout this document.
-
-Overview of Differences Between BIND 8 and BIND 9
--------------------------------------------------
-
-Below is a list of changes between BIND 8 and BIND 9, including brief
-descriptions. For more detailed information, see the appropriate
-subsection for each item.
-
-Configuration File Compatibility, 	Section 1.0
-    * unimplemented options warning message	1.1
-    * "transfer-format" option changes		1.1
-    * configuration file errors 		1.2
-    * logging categories have changed		1.3
-    * configuration file startup errors		1.3
-    * "query-source" is deprecated		1.4
-    * multiple classes change			1.5
-
-Zone File Compatibility, 		Section 2.0
-    * stricter rules for TTLs in zone file	2.1
-    * SOA serial number changes			2.2
-    * unbalanced quotes cause errors		2.3
-    * line breaks, syntax change		2.4
-    * use /$ instead of $$ in domain names	2.5
-
-Interoperability Impact of New Protocol
-Features,				Section 3.0
-    * EDNS0 new in BIND 9			3.1
-    * zone transfers default change		3.2
-
-Unrestricted Character Set,		Section 4.0
-    * no restrictions on character set		4.0
-    * security issue, improper naming		4.0
-
-Server Administration Tools, 		Section 5.0
-    * the rndc program replaces ndc		5.1
-    * nsupdate: changes in multiple updates 	5.2
-
-No Information Leakage Between Zones,	Section 6.0
-    * glue NS records handled differently	6.0
-
-Umask Not Modified,			Section 7.0
-    * possible umask permissions issues		7.0
-
-
-
-1. Configuration File Compatibility
-
-1.1. Unimplemented Options and Changed Defaults
-
-The BIND 9 name server supports most, but not all, of the configuration
-options of the BIND 8 name server. For a complete list of implemented
-options, see Appendix III of this document.
-
-If your named.conf file uses an unimplemented option, the BIND 9 name
-server will log a warning message. A message is also logged about each
-option whose default has changed unless the option is set explicitly
-in named.conf.
-
-The default of the "transfer-format" option has changed from
-"one-answer" to "many-answers".  If you have slave servers that do
-not understand the "many-answers" zone transfer format (e.g., BIND
-4.9.5 and older) you need to explicitly specify
-"transfer-format one-answer;" in either the options block or a
-server statement.
-
-1.2. Handling of Configuration File Errors
-
-In BIND 9, named refuses to start if it detects an error in
-named.conf.  Earlier versions would start despite errors, causing
-the server to run with a partial configuration.  Errors detected
-during subsequent reloads do not cause the server to exit.
-
-Errors in master files do not cause the server to exit, but they
-do cause the zone not to load.
-
-1.3. Logging
-
-The set of logging categories in BIND 9 is different from that
-in BIND 8.  If you have customized your logging on a per-category
-basis, you need to modify your logging statement to use the
-new categories.
-
-Another difference is that the "logging" statement only takes effect
-after the entire named.conf file has been read.  This means that when
-the server starts up, any messages about errors in the configuration
-file are always logged to the default destination (syslog) when the
-server first starts up, regardless of the contents of the "logging"
-statement.  In BIND 8, the new logging configuration took effect
-immediately after the "logging" statement was read.
-
-1.4. Notify Messages and Refresh Queries
-
-The source address and port for these is now controlled by
-"notify-source" and "transfer-source", respectively, rather than
-"query-source" as in BIND 8.
-
-1.5. Multiple Classes
-
-Multiple classes have to be put into explicit views for each class.
-
-
-2. Zone File Compatibility
-
-2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
-
-BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
-omitted time-to-live (TTL) entries in zone files.  Omitted TTLs are
-replaced by the value specified with the $TTL directive, or by the
-previous explicit TTL if there is no $TTL directive.
-
-If there is no $TTL directive and the first Resource Record (RR) in the
-file does not have an explicit TTL field, the zone file is illegal
-according to RFC1035 since the TTL of the first RR is undefined.
-Unfortunately, BIND 4 and many versions of BIND 8 accept such files
-without warning and use the value of the SOA MINTTL field as a default
-for missing TTL values.
-
-Earlier versions of BIND 9 refused to load such files. However, BIND
-9.2.4 loads the files anyway (provided the SOA is the first record
-in the file), but will issue a TTL warning message.
-
-To avoid problems, we recommend that you use a $TTL directive in each
-zone file.
-
-2.2. Periods in SOA Serial Numbers Deprecated
-
-Some versions of BIND allow SOA serial numbers with an embedded
-period, like "3.002", and convert them into integers in a rather
-unintuitive way.  This feature is not supported by BIND 9; serial
-numbers must be integers.
-
-2.3. Handling of Unbalanced Quotes
-
-TXT records with unbalanced quotes, like 'host TXT "foo', were not
-treated as errors in some versions of BIND.  If your zone files
-contain such records, you will get potentially confusing error
-messages like "unexpected end of file" because BIND 9 will interpret
-everything up to the next quote character as a literal string.
-
-2.4. Handling of Line Breaks
-
-Some versions of BIND accept RRs containing line breaks that are not
-properly quoted with parentheses, like the following SOA:
-
-	@	IN SOA	ns.example. hostmaster.example.
-			( 1 3600 1800 1814400 3600 )
-
-This is not legal master file syntax and will be treated as an error
-by BIND 9. The fix is to move the opening parenthesis to the first
-line.
-
-2.5. Unimplemented BIND 8 Extensions
-
-$GENERATE: The "$$" construct for getting a literal $ into a domain
-name is deprecated.  Use \$ instead.
-
-2.6. TXT records are no longer automatically split.
-
-Some versions of BIND accepted strings TXT RDATA that contained more
-than 255 characters and silently split them in to multiple RDATA
-records to comply with protocol.  This feature has been removed, and
-the following error is produced upon reading these records:
-        "dns_rdata_fromtext: local.db:119: ran out of space"
-To address split the string in the zone data file at or before the 255
-character in to two or more TXT records.
-
-3. Interoperability Impact of New Protocol Features
-
-3.1. EDNS0
-
-BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size.  It
-also sets an EDNS flag bit in queries to indicate that it wishes to
-receive DNSSEC responses; this flag bit usage is not yet standardised,
-but we hope it will be.
-
-Most older servers that do not support EDNS0, including prior versions
-of BIND, will send a FORMERR or NOTIMP response to these queries.
-When this happens, BIND 9 will automatically retry the query without
-EDNS0.
-
-Unfortunately, there exists at least one non-BIND name server
-implementation that silently ignores these queries instead of sending
-an error response.  Resolving names in zones where all or most
-authoritative servers use this server will be very slow or fail
-completely. The manufacturer of the name server is working on a
-solution.
-
-When BIND 9 communicates with a server that does support EDNS0, such
-as another BIND 9 server, responses of up to 4096 bytes may be
-transmitted as a single UDP datagram which is subject to fragmentation
-at the IP level.  If a firewall incorrectly drops IP fragments, it can
-cause resolution to slow down dramatically or fail.
-
-3.2. Zone Transfers
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
-
-Zone transfers to Windows 2000 DNS servers sometimes fail due to a
-bug in the Windows 2000 DNS server where DNS messages larger than
-16K are not handled properly.  Obtain the latest service pack for
-Windows 2000 from Microsoft to address this issue.  In the meantime,
-the problem can be worked around by setting "transfer-format
-one-answer;".
-http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
-
-4. Unrestricted Character Set
-
-BIND 9 does not restrict the character set of domain names; it is
-fully 8-bit clean in accordance with RFC2181 section 11.
-
-It is strongly recommended that hostnames published in the DNS follow
-the RFC952 rules, but BIND 9.2.4 and above will not enforce this
-restriction.
-
-Historically, some applications have suffered from security flaws
-where data originating from the network, such as names returned by
-gethostbyaddr(), are used with insufficient checking and may cause a
-breach of security when containing unexpected characters; see
-<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
-for details.  Some earlier versions of BIND attempt to protect these
-flawed applications from attack by discarding data containing
-characters deemed inappropriate in host names or mail addresses, under
-the control of the "check-names" option in named.conf and/or "options
-no-check-names" in resolv.conf.  BIND 9.2.4 provided no such
-protection; advice was that applications with these flaws should be
-upgraded. Subsequently however, BIND 9.3.x implements 'check-names'.
-
-
-5. Server Administration Tools
-
-5.1 ndc Replaced by rndc
-
-The "ndc" program has been replaced by "rndc", which is capable of
-remote operation.  Unlike ndc, rndc requires a configuration file.
-The easiest way to generate a configuration file is to run
-"rndc-confgen -a"; see the man pages for rndc(1M), rndc-confgen(1M),
-and rndc.conf(5) for details. While upgrading from previous Solaris
-releases to Solaris 10, the upgrade process will detect if a
-/etc/rndc.key or /etc/rndc.conf file exists. If neither file is
-found, it runs "rndc-confgen -a" and generates /etc/rndc.key
-so that rndc can be run with a local DNS name server without
-further user intervention.
-
-More information about rndc is available in "Implementing rndc",
-later in this document.
-
-
-
-5.2. nsupdate Differences
-
-The BIND 8 implementation of nsupdate had an undocumented feature
-where an update request would be broken down into multiple requests
-based upon the discovered zones that contained the records.  This
-behaviour has not been implemented in BIND 9.  Each update request
-must pertain to a single zone, but it is still possible to do
-multiple updates in a single invocation of nsupdate by terminating
-each update with an empty line or a "send" command.
-
-
-6. No Information Leakage Between Zones
-
-BIND 9 stores the authoritative data for each zone in a separate data
-structure, as recommended in RFC1035 and as required by DNSSEC and
-IXFR.  When a BIND 9 server is authoritative for both a child zone
-and its parent, it will have two distinct sets of NS records at the
-delegation point: the authoritative NS records at the child's apex,
-and a set of glue NS records in the parent.
-
-BIND 8 was unable to properly distinguish between these two sets of
-NS records and would "leak" the child's NS records into the parent,
-effectively causing the parent zone to be silently modified: responses
-and zone transfers from the parent contained the child's NS records
-rather than the glue configured into the parent (if any).  In the
-case of children of type "stub", this behaviour was documented as a
-feature, allowing the glue NS records to be omitted from the parent
-configuration.
-
-Sites that were relying on this BIND 8 behaviour need to add any
-omitted glue NS records, and any necessary glue A records, to the
-parent zone.
-
-Although stub zones can no longer be used as a mechanism for
-injecting NS records into their parent zones, they are still useful
-as a way of directing queries for a given domain to a particular
-set of name servers.
-
-
-7. Umask Not Modified
-
-The BIND 8 named unconditionally sets the umask to 022.  BIND 9 does
-not; the umask inherited from the parent process remains in effect.
-This may cause files created by named, such as journal files, to be
-created with different file permissions than they did in BIND 8.  If
-necessary, the umask should be set explicitly in the script used to
-start the named process.
-
-8. BIND 9 name server and the Service Management Facility
-
-The DNS BIND 9 named(1M) service can be managed by using the Service
-Management Facility (SMF). For more information, see the smf(5) man
-page. The SUNWbindr package provides the BIND 9 service manifest
-and must be installed.
-
-When you use SMF, the following items apply.
-
-- Administrative actions on this service, such as enabling, disabling,
-or restarting, can be performed by using the svcadm(1M) command.
-
-- The default Fault Managed Resource Identifier (FMRI) for the BIND 9
-DNS server is svc:/network/dns/server. The FMRI for the DNS client is
-svc:/network/dns/client.
-
-- You can query the state of the BIND 9 DNS service by using svcs(1).
-  For example:
-
-	# svcs svc:network/dns/server:default
-	STATE          STIME    FMRI
-	online         16:24:04 svc:/network/dns/server:default
-
-The upgrade to Solaris 10 will detect an existing /etc/named.conf file
-and enable the BIND 9 service to startup after the upgrade is completed
-and the system is rebooted.
-
-To start the BIND 9 DNS service on a Solaris 10 system:
-
-a. Create/Copy a valid /etc/named.conf file.
-b. Verify that the SUNWbind and SUNWbindr packages, including any
-   required packages are installed correctly.
-c. Enable the default service instance using svcadm(1M). For example:
-	# svcadm enable svc:network/dns/server:default
-
-While it is recommended that you use svcadm(1M) to administer the server,
-you can use rndc(1M) as well. SMF is aware of the state change of the BIND
-9 named service, whether administered by using svcadm(1M) or rndc(1M).
-
-NOTE: smf(5) will not be aware of the BIND 9 named(1M) service
-if the service is manually executed from the command line.
-
-NOTE: rndc(1M) is not able to stop the service when used in a chroot(2)
-environment under smf(1M) control.
-
-8.1 Name Server SMF Properties
-
-Relevant named(1M) options for use with smf(1) may be applied using
-service application properties:
-
- - options/configuration_file
-
-	Specifies  the configuration file   to be used instead of
-	the  default /etc/named.conf.   To ensure  that reloading
-	the configuration file continues to work after the server
-	has  changed its working directory due  to  to a possible
-	directory  option    in   the  configuration   file,  the
-	configuration file should be  an absolute  pathname.  The
-	configuration  pathname should not include the chroot_dir
-	pathname.  This property is synonymous to the -c option.
-
- - options/ip_interfaces
-
-	specifies  which  IP  transport  BIND  will transmit  on.
-	Possible values are 'IPv4' or  'IPv6'.  Any other setting
-	assumes 'all',  the default.  This property is synonymous
-	to command line option '-4' or '-6'
-
- - options/listen_on_port
-
-	Specifies the default UDP and TCP port which will be used
-	to listen for  DNS requests.  This property is synonymous
-	to command line option '-p port'.
-
-
- - options/debug_level
-
-	Specifies the default debug  level.  The default is 0; no
-	debugging. The  Higher the number  the more verbose debug
-	information becomes.  Synonymous  to command  line option
-	'-d debug-level'.
-
- - options/threads
-
-	 Specifies  the number of cpu  worker  threads to create.
-	 The default of  0 causes named to  try and determine the
-	 number  of CPUs  present    and create one   thread  per
-	 CPU. Synonymous to command line option '-n #cpus'.
-
- - options/chroot_dir
-
-	Specifies the directory to be  used as the root directory
-	after processing SMF   properties and  the  command  line
-	arguments but before reading the configuration file.  Use
-	this   property  when  using   a   chroot(2) environment.
-	Synonymous to command line option '-t <pathname>'.
-
-	When using chroot(2) named is unable  to disable its self
-	when receiving rndc(1M) stop or halt commands and you must
-	instead use the svcadm(1M) disable command.
-
-- options/server
-
-	Specifies an alternative execution path.  If unset then the
-	default server /usr/sbin/named is assumed.
-
-The following examples show how the application properties may be used:
-
-  Example 1: Configuring named(1m) in future to only transmit
-             over IPv4 networks:
-
-	# svccfg -s svc:network/dns/server:default setprop \
-	options/ip_interfaces=IPv4
-	# svcadm refresh svc:network/dns/server:default
-	# scvadm restart svc:network/dns/server:default
-
-  Example 2: List current configuration file and change to
-             an alternative file:
-
-	# svcprop -p options/configuration_file dns/server:default
-	""
-	# svccfg -s dns/server:default setprop \
-	options/configuration_file=/var/named/named.conf
-	# svcadm refresh dns/server:default
-	# svcprop -p options/configuration_file dns/server:default
-	/var/named/named.conf
-	# scvadm restart svc:network/dns/server:default
-
-The dns/server smf_method(5) script converts the application properties
-to the relevant command line option.
-
-Changing the "start method" property of the BIND 9 service is no longer
-recommended as was stated here previously.
-
-For more information about the Service Management Facility, refer to
-"Managing Services (Overview)" in System Administration Guide: Basic
-Administration, available on http://docs.sun.com. Also refer to smf(5),
-svcs(1), svcadm(1M), svccfg(1M) man pages and the BIND 9 name service
-manifest server.xml in /lib/svc/manifest/network/dns.
-
-
-		*************************************
-
-
-			    APPENDICES I-III
-
-
-Appendix I. Implementing rndc
-            -----------------
-
-The BIND 8 ndc(1M) and BIND 9 rndc(1M) name server control tools are
-NOT backward compatible: rndc can't talk to the BIND 8 name server
-and ndc can't talk to the BIND 9 name server. Features, options,
-default modes of operation, and configuration file requirements
-have changed.
-
-
-Ia. The rndc.conf Configuration File
-    --------------------------------
-
-The most significant difference between ndc in BIND 8 and rndc in BIND 9
-is that rndc needs its own configuration file, rndc.conf. This file can
-be generated by rndc-confgen(1M) commands. The rndc.conf file specifies
-which server controls and what algorithm the server should use. Note that
-the /etc/rndc.conf and matching /etc/named.conf information is only needed
-when using rndc to manage a remote BIND 9 name server. If rndc is only
-used to manage a local BIND 9 name server, the /etc/rndc.key is sufficient.
-
-     Sample rndc.conf File
-     ---------------------
-
-     options {
-             default-server localhost;
-             default-key "rndc-key";
-     };
-
-     key "rndc-key" {
-             algorithm hmac-md5;
-             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
-     };
-
-
-     Sample named.conf File Entry for rndc
-     -------------------------------------
-
-     controls {
-             inet * allow { any; } keys { "rndc-key"; };
-     };
-
-     key "rndc-key" {
-             algorithm hmac-md5;
-             secret "qPWZ3Ndl81aBRY9AmJhVtU==";
-     };
-
-
-
-Ib. Differences in the Control Channels
-    -----------------------------------
-
-Both the ndc(1M) and the rndc(1M) utilities use a control channel to
-send commands to and retrieve information from a name server. However,
-there are differences between the utilities.
-
-  * In BIND 8, ndc can use AF_UNIX domain sockets (UNIX control
-    channel) or TCP/IP sockets (inet control channel). By default, ndc
-    does not need any support in /etc/named.conf, because BIND 8
-    servers use a UNIX domain socket with a path (/var/run/ndc.d/ndc)
-    compiled into in.named.
-
-In BIND 9, rndc uses an authenticated TCP/IP inet control channel,
-by default and is not backward compatible with BIND 8.
-
-  * When using rndc, you need to specify a 'key' clause to communicate
-    with the name server. It is mandatory that the BIND 9 server and
-    the rndc client share the same key. Using the BIND 8 controls
-    entry in BIND 9 will result in an error message.
-
-  * Some command options have changed from the ndc to the rndc
-    implementation. This includes the "-c" option, which has a
-    different syntax in BIND 9. Therefore, to specify the control
-    channel in BIND 9, use "rndc -s <server> -p <port>".
-
-
-Ic. Commands of BIND 9.3 rndc
-    ---------------------------
-  reload			 Reload configuration file and zones.
-  reload zone [class [view]]	 Reload a single zone.
-  refresh zone [class [view]] 	 Schedule immediate maintenance
-				  for a zone.
-  retransfer zone [class [view]] Retransfer a single zone without
-                                  checking serial number.
-  freeze zone [class [view]]**   Suspend updates to a dynamic zone.
-  thaw zone [class [view]]**     Enable updates to a frozen dynamic
-                                  zone and reload it.
-  reconfig      		 Reload configuration file and new
-				  zones only.
-  stats 			 Write server statistics to the
-				  statistics file.
-  querylog      		 Toggle query logging.
-  dumpdb [-all|-cache|-zones] [view ...]**
-  			         Dump cache(s) to the dump file
-				  (named_dump.db).
-  stop [-p]**		         Save pending updates to master files
-				  and stop the server; report process
-				  number if -p provided.
-  halt [-p]**                    Stop the server without saving
-				  pending updates; report process
-				  number if -p provided
-  trace				 Increment debugging level by one.
-  trace level			 Change the debugging level.
-  notrace			 Set debugging level to 0.
-  flush				 Flushes all of the server's caches.
-  flush [view]			 Flushes the server's cache for a view.
-  status			 Display status of the server.
-  recursing**		         Dump the queries that are currently
-				  recursing (named.recursing)
-  restart*			 Restart the server.
-
-  *  = not yet implemented
-  ** = New command or option in bind 9.3.
-
-
-Appendix II        BIND 9 Commands, Files, Tools, and Options
-                   ------------------------------------------
-
-IIa. Comparison of BIND 8 and BIND 9 Commands and Files
-     --------------------------------------------------
-
-The table below compares BIND 8 and BIND 9 commands and
-configuration files. BIND 9 man pages install in /usr/man.
-
-    -------------------------------------------------
-    |   BIND 8 Command     | BIND 9.3 replacement   |
-    -------------------------------------------------
-    |   dnskeygen(1M)      |   dnssec-keygen(1M)    |
-    |   ndc(1M)            |   rndc(1M)             |
-    |   named-bootconf(1M) |   NONE NEEDED          |
-    |   nsupdate(1M)       |   nsupdate(1M)         |
-    |   nslookup(1M)       |   nslookup(1M)         |
-    |   named-xfer(1M)     |   NONE NEEDED          |
-    |   in.named(1M)       |   named(1M)            |
-    |   named.conf(4)      |   named.conf*          |
-    |   dig(1M)            |   dig(1M)              |
-    -------------------------------------------------
-
-* A detailed named.conf man page was not included with BIND 9 originally.
-Appendix III includes a summary of the named.conf options that are
-supported in BIND 9.3.x at this time.
-
-
- IIb. BIND 9 Tools and Configuration Files
-      ------------------------------------
-
-The following BIND 9.3 tools are available in the SUNWbind
-package and installed in /usr/sbin:
-
-  named
-  nsupdate
-  rndc
-  dnssec-keygen
-  nslookup
-  dig
-  dnssec-signzone
-  named-checkconf
-  named-checkzone
-  rndc-confgen
-  host
-
-The following BIND 9.3 configuration files are supported.
-
-  /etc/rndc.conf
-
-
-IIc. Descriptions of Command and Option Changes from 8.x to 9.x
-     ----------------------------------------------------------
-
-Listed below are BIND 8 features/interfaces that are not supported in
-the equivalent BIND 9 binary. This is not intended to be an exhaustive
-list of the options, command line options or features for any BIND 9.x
-command.
-
-1. in.named(1M): DNS Name server in.named command line options.
-
-   In the BIND 9.3 name server, the "-g group_name", "-q", "-r" and "-w
-   directory" options are not supported, and "-c config_file" replaces
-   the BIND 8.x "-b config_file". See the named man page for further
-   details.
-
-2. dnssec-keygen: dnskeygen(1M) in BIND 8.x and dnssec-keygen from BIND
-   9.2.x and above, have no common options. See the dnssec-keygen man
-   page or further details.
-
-3. rndc(1M): See Appendix I in this document.
-
-4. nsupdate(1M): in BIND 9.2.x and above, the syntax of the "-k" option
-   changes in nsupdate. Instead of "-k keydir::keyname" the syntax is now
-   "-k keyfile". The only other difference is that whereas a blank line was
-   used to signal sending the input to the server, an explicit "send"
-   sub-command is now used to do the same. See the nsupdate man page for
-   further details.
-
-5. nslookup(1M): the following options are unsupported in the
-   BIND 9.2.x and above version.
-
-   help, host server, set ignoretc, set noignoretc,
-   set srch[list]=N1[/N2/.../N6], set ro[ot]=host, root,
-   finger [USER], ls [opt] DOMAIN [> FILE].
-
-6. named.conf: several options are unsupported, not implemented or
-   have changed defaults. For a list of the option changes and a
-   summary of all named.conf options, see Appendix III.
-
-IId. Differences in BIND 9.3 from BIND 9.2
-     -------------------------------------
-
-BIND 9.3 provides several changes from BIND 9.2, including but
-not limited to:
-
-1. DNSSEC tools provided by BIND 9.2.4 are not compatible with BIND 9.3.4
-   and are replaced where applicable.  Specifically, DNSSEC-bis
-   functionality removes the need for dnssec-signkey(1M) and
-   dnssec-makekeyset(1M); dnssec-keygen(1M) and dnssec-signzone(1M) now
-   provide alternative functionality.
-
-2. dig(1M) and nslookup(1M) now report "Not Implemented" as NOTIMP rather
-   than NOTIMPL. This will have impact on scripts that are looking for
-   NOTIMPL.
-
-3. named(1M): BIND server process includes new command line options to
-   overcome certain operating environment issues; CR 6320428.  These
-   options are:
-
-     * '-4' specifies to only send queries on IPv4 interfaces
-     * '-6' specifies to only send queries on IPv6 interfaces.
-
-   named(1M) by default will reject master zone files where hostnames
-   or mail domain names have invalid syntax or characters. The rules
-   for legal hostnames / mail domains are derived from RFC 952 and RFC
-   821 as modified by RFC 1123.
-
-     * Corrective action should be to change the host names with
-       illegal syntax or characters, such as underscore (_)
-       characters.  Use "named-checkconf -z /etc/named.conf" to check
-       validity of the named configuration file and any zone files
-       referenced by it.
-
-       To aid migration the default functionality may be
-       overridden using the check-names option of named.conf.  For
-       example to allow zones with name failures to load but log
-       warning messages (as is the default for slave (secondary)
-       zones) modify or add an option statement to named.conf:
-
-        	options {
-			check-names master warn;
-		};
-
-   named(1M) no longer provides the following functionality:
-
-   * Inverse IPv6 queries to the obsolete ip6.int domain.  The
-     ip6.arpa domain is obsoleted by the ip6.int domain.  See RFC
-     3596.
-
-   * IPv6 does not forward A6 lookups, deprecated by RFC 3363
-
-   * IPv6 "bitstring" not supported, primary will refuse to load zone
-     files with binary labels.  Deprecated by rfc3363.
-
-   * Zones containing MD (Mail Destination) and MF (Mail Forwarder)
-     will now be rejected.  The MD and MF resource record (RR) types
-     were originally introduced in RFC 882 and subsequently obsoleted
-     in RFC 1035 by the MX RR.
-
-4. named.conf: Has additional options:
-
-     * allow-update-forwarding
-     * alt-transfer-source
-     * alt-transfer-source-v6
-     * avoid-v4-udp-ports
-     * avoid-v6-udp-ports
-     * check-names: Validate names in zones (from BIND 8).
-     * disable-algorithms
-     * dnssec-enable
-     * dnssec-lookaside
-     * dnssec-must-be-secure
-     * dual-stack-servers: provides IPv4/IPv6 transition support.
-     * edns-udp-size: Set advertised EDNS UDP size.
-     * flush-zones-on-shutdown
-     * hostname (chaos)'
-     * ixfr-from-differences: use IXFR deltas when loading master files.
-     * masters: define masters for a zone.
-     * max-journal-size: specify the size of a journal
-     * multi-master
-     * querylog
-     * server-id (chaos)
-     * Server statement grammar includes:
-       * transfer-source
-       * transfer-source-v6
-     * tcp-listen-queue
-     * use-alt-transfer-source
-     * zone statement grammar:
-       * multi-master
-       * key-directory
-
-   named.conf removed options:
-
-     * allow-v6-synthesis: Obsolete. Caused named to translate ip6.int
-       requests to ip6.arpa requests.  As the ip6.int domain is now
-       obsolete this option has been removed.
-
-     * zone-statistics has been removed from the 'view' statement.
-
-5. dig(1M) has new command line options:
-    -4: use IPv4 query transport only
-    -6: use IPv6 query transport only
-    +[no]aaflag: Set AA flag in query (+[no]aaflag)
-    +[no]cl: Control display of class in records
-    +[no]ttlid: Control display of ttls in records
-    +tries=#: Set number of UDP attempts [3]
-    +retry=#: Set number of UDP retries [2]
-
-6. named.checkconf(1M) has new options:
-    -z: Perform a check load of the master zone files found in named.conf.
-    -j: When loading a  zonefile read the journal if it exists.
-
-7. named-checkzone(1M) has new options:
-    -k mode: Perform "check-name" checks with the specified failure mode.
-    -n mode: Check NS records are addresses, mode is warn, fail or ignore.
-    -o filename: Write zone output to filename.
-    -t directory: chroot to directory, useful for include statements.
-    -w directory: chdir to directory, useful for include statements.
-    -D: Dump zone file in canonical format.
-
-8. rndc(1M) has several new subcommands including:
-   freeze,  thaw, flushname and  recursing (see above).
-   Several subcommands have new options namely stop, halt and dumpdb.
-
-9. nsupdate(1M) generates SIG(0) signed messages.
-
-
-Appendix III   The named.conf Options
-               ----------------------
-
-IIIa.   Changes in the Options Section
-        ------------------------------
-
-The following list compares the named.conf options between BIND 8
-and BIND 9. It also provides a brief description of the change.
-"OK" denotes the option works unchanged for the BIND 9 named.
-
-   options {
-     [ version version_string; ]		  OK
-     [ directory path_name; ]			  OK
-     [ named-xfer path_name; ] 			  Obsolete (*1)
-     [ dump-file path_name; ] 			  OK
-     [ memstatistics-file path_name; ] 		  Not Implemented
-     [ pid-file path_name; ] 			  OK
-     [ statistics-file path_name; ]		  OK
-     [ auth-nxdomain yes_or_no; ] 		  OK (*2)
-     [ dialup yes_or_no; ]			  OK
-     [ fake-iquery yes_or_no; ] 		  Obsolete
-     [ fetch-glue yes_or_no; ]			  Obsolete
-     [ has-old-clients yes_or_no; ]		  Obsolete
-     [ host-statistics yes_or_no; ]		  Not Implemented
-     [ host-statistics-max number; ]		  Not Implemented
-     [ multiple-cnames yes_or_no; ]		  Obsolete
-     [ notify yes_or_no | explicit; ]		  OK
-     [ recursion yes_or_no; ]			  OK
-     [ rfc2308-type1 yes_or_no; ]		  Not Implemented
-     [ use-id-pool yes_or_no; ]			  Obsolete
-     [ treat-cr-as-space yes_or_no; ]		  Obsolete
-     [ also-notify yes_or_no; ] 		  Syntax Changed (*3)
-     [ forward ( only | first ); ] 		  OK (*4)
-     [ forwarders { in_addr ; \
-       [ in_addr ; ... ] }; ] 			  OK (*5)
-     [ check-names ( master | slave | \
-       response ) ( warn | fail | ignore); ] 	  OK (*8)
-     [ allow-query { address_match_list }; ]	  OK
-     [ allow-recursion { address_match_list }; ]  OK
-     [ allow-transfer { address_match_list }; ]	  OK
-     [ blackhole { address_match_list }; ]	  OK
-     [ listen-on [ port ip_port ] \
-       { address_match_list }; ]		  OK
-     [ query-source [ address ( ip_addr | * ) ]	\
-       [ port ( ip_port | * ) ] ; ]	 	  OK
-     [ lame-ttl number; ]			  OK
-     [ max-transfer-time-in number; ]		  OK
-     [ max-ncache-ttl number; ]			  OK
-     [ min-roots number; ]			  Not Implemented
-     [ transfer-format ( one-answer | \
-       many-answers ); ] 			  OK (*6)
-     [ transfers-in  number; ]			  OK
-     [ transfers-out number; ]			  OK
-     [ transfers-per-ns number; ]		  OK
-     [ transfer-source ip_addr; ]		  OK
-     [ maintain-ixfr-base yes_or_no; ]		  Obsolete
-     [ max-ixfr-log-size number; ]		  Obsolete (*7)
-     [ coresize size_spec ; ]			  OK
-     [ datasize size_spec ; ]			  OK
-     [ files size_spec ; ]			  OK
-     [ stacksize size_spec ; ]			  OK
-     [ cleaning-interval number; ]		  OK
-     [ heartbeat-interval number; ]		  OK
-     [ interface-interval number; ]		  OK
-     [ statistics-interval number; ]		  Not Implemented
-     [ topology { address_match_list }; ]	  Not Implemented
-     [ sortlist { address_match_list }; ]	  OK
-     [ rrset-order { order_spec ; \
-     [ order_spec ; ... ] }; ]			  Not Implemented
-     };
-
-(*1) Obsolete due to architectural differences.
-(*2) Default set to yes in BIND 8, no in BIND 9.
-(*3) Needs an IP address for "yes".
-(*4) Doesn't work if no forwarder specified; Gives an error of "no
-     matching 'forwarders' statement" in that case.
-(*5) See [ forward ] clause
-(*6) Default set to one-answer in BIND 8 and many-answers in BIND 9.
-(*7) No need for this option as BIND 9 trims the size of its
-     log file automatically.
-(*8) Implemented in BIND 9.3.4
-
-
-IIIb.	Statements in BIND 9
-        --------------------
-
-The Controls Statement
-----------------------
-  Syntax
-     controls {
-       [ inet ip_addr
-         port ip_port
-         allow { address_match_list; }; ]	OK
-       [ unix path_name
-         perm number
-         owner number
-         group number; ]			Not Implemented
-     };
-
-  Note: "unix" is the default for ndc(1M) and all of the arguments
-  are compiled in.
-
-  "inet" is the only option for rndc and nothing is compiled in.
-
-  Logging syntax has changed significantly. See section IIIc for a
-  list of named.conf options.
-
-
-The Zone Statement
-------------------
-  The syntax for the zone statement in the BIND 8 named.conf man page
-  is mostly supported for BIND 9 except for the following:
-
-  [ pubkey number number number string; ]	Obsolete
-
-
-The ACL Statement
------------------
-  Syntax
-     acl name {
-       address_match_list
-     };
-
-  Works unchanged in BIND 9.
-
-
-The Key Statement
------------------
-  Syntax
-     key key_id {
-       algorithm algorithm_id;
-       secret secret_string;
-     };
-
-  Works unchanged in BIND 9.
-
-
-The Trusted-Keys Statement
---------------------------
-  Syntax
-     trusted-keys {
-       [ domain_name flags protocol algorithm key; ]
-     };
-
-  Works unchanged, however the code to use this
-  statement has been turned off in BIND 9.2.4.
-
-
-The Server Statement
---------------------
-  Syntax
-     server ip_addr {
-       [ bogus yes_or_no; ]
-       [ transfers number; ]
-       [ transfer-format ( one-answer | many-answers ); ]
-       [ keys { key_id [ key_id ... ] }; ]
-       [ edns yes_or_no; ]
-     };
-
-  "support-ixfr" is obsolete, however all of the above options work
-  unchanged in BIND 9. Note the default for transfer-format has changed.
-
-
-The Include Statement
----------------------
-  Syntax
-     include path_name;
-
-  Works unchanged in BIND 9.
-
-
-
-
-IIIc.	Summary of the named.conf Options
-	---------------------------------
-
-A detailed named.conf man page was not included with BIND 9 originally.
-Following is a summary of the named.conf options that are
-supported in BIND 9.3.6
-
-acl string { address_match_element; ... };
-
-key domain_name {
-     algorithm string;
-     secret string;
-};
-
-masters string [ port integer ] {
-     ( masters | ipv4_address [port integer] |
-     ipv6_address [port integer] ) [ key string ]; ...
-};
-
-server ( ipv4_address | ipv6_address ) {
-     bogus boolean;
-     edns boolean;
-     provide-ixfr boolean;
-     request-ixfr boolean;
-     keys server_key;
-     transfers integer;
-     transfer-format ( many-answers | one-answer );
-     transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     support-ixfr boolean; // obsolete
-};
-
-trusted-keys {
-     domain_name flags protocol algorithm key; ...
-};
-
-controls {
-     inet ( ipv4_address | ipv6_address | * )
-          [ port ( integer | * ) ]
-          allow { address_match_element; ... }
-          [ keys { string; ... } ];
-     unix unsupported; // not implemented
-};
-
-logging {
-     channel string {
-          file log_file;
-          syslog optional_facility;
-          null;
-          stderr;
-          severity log_severity;
-          print-time boolean;
-          print-severity boolean;
-          print-category boolean;
-     };
-     category string { string; ... };
-};
-
-options {
-     avoid-v4-udp-ports { port; ... };
-     avoid-v6-udp-ports { port; ... };
-     blackhole { address_match_element; ... };
-     coresize size;
-     datasize size;
-     directory quoted_string;
-     cache-file quoted_string; // test option
-     dump-file quoted_string;
-     files size;
-     heartbeat-interval integer;
-     host-statistics boolean; // not implemented
-     host-statistics-max number; // not implemented
-     hostname ( quoted_string | none );
-     interface-interval integer;
-     listen-on [ port integer ] { address_match_element; ... };
-     listen-on-v6 [ port integer ] { address_match_element; ... };
-     match-mapped-addresses boolean;
-     memstatistics-file quoted_string;
-     pid-file ( quoted_string | none );
-     port integer;
-     querylog boolean;
-     recursing-file quoted_string;
-     reserved-sockets integer;
-     random-device quoted_string;
-     recursive-clients integer;
-     serial-query-rate integer;
-     server-id ( quoted_string | none );
-     stacksize size;
-     statistics-file quoted_string;
-     statistics-interval integer; // not yet implemented
-     tcp-clients integer;
-     tcp-listen-queue integer;
-     tkey-dhkey quoted_string integer;
-     tkey-gssapi-credential quoted_string;
-     tkey-domain quoted_string;
-     transfers-per-ns integer;
-     transfers-in integer;
-     transfers-out integer;
-     use-ixfr boolean;
-     version ( quoted_string | none );
-     allow-recursion { address_match_element; ... };
-     sortlist { address_match_element; ... };
-     topology { address_match_element; ... }; // not implemented
-     auth-nxdomain boolean; // default changed
-     minimal-responses boolean;
-     recursion boolean;
-     rrset-order {
-          [ class string ] [ type string ]
-          [ name quoted_string ] string string; ...
-     };
-     provide-ixfr boolean;
-     request-ixfr boolean;
-     rfc2308-type1 boolean; // not yet implemented
-     additional-from-auth boolean;
-     additional-from-cache boolean;
-     query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ];
-     query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ];
-     cleaning-interval integer;
-     min-roots integer; // not implemented
-     lame-ttl integer;
-     max-ncache-ttl integer;
-     max-cache-ttl integer;
-     transfer-format ( many-answers | one-answer );
-     max-cache-size size_no_default;
-     check-names ( master | slave | response )
-          ( fail | warn | ignore );
-     cache-file quoted_string;
-     suppress-initial-notify boolean; // not yet implemented
-     preferred-glue string;
-     dual-stack-servers [ port integer ] {
-          ( quoted_string [port integer] |
-          ipv4_address [port integer] |
-          ipv6_address [port integer] ); ...
-     }
-     edns-udp-size integer;
-     root-delegation-only [ exclude { quoted_string; ... } ];
-     disable-algorithms string { string; ... };
-     dnssec-enable boolean;
-     dnssec-lookaside string trust-anchor string;
-     dnssec-must-be-secure string boolean;
-     dialup dialuptype;
-     ixfr-from-differences ixfrdiff;
-     allow-query { address_match_element; ... };
-     allow-transfer { address_match_element; ... };
-     allow-update-forwarding { address_match_element; ... };
-     notify notifytype;
-     notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
-     notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
-     also-notify [ port integer ] { ( ipv4_address | ipv6_address )
-          [ port integer ]; ... };
-     allow-notify { address_match_element; ... };
-     forward ( first | only );
-     forwarders [ port integer ] {
-          ( ipv4_address | ipv6_address ) [ port integer ]; ...
-     };
-     max-journal-size size_no_default;
-     max-transfer-time-in integer;
-     max-transfer-time-out integer;
-     max-transfer-idle-in integer;
-     max-transfer-idle-out integer;
-     max-retry-time integer;
-     min-retry-time integer;
-     max-refresh-time integer;
-     min-refresh-time integer;
-     multi-master boolean;
-     sig-validity-interval integer;
-     transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     use-alt-transfer-source boolean;
-     zone-statistics boolean;
-     key-directory quoted_string;
-     allow-v6-synthesis { address_match_element; ... }; // obsolete
-     deallocate-on-exit boolean; // obsolete
-     fake-iquery boolean; // obsolete
-     fetch-glue boolean; // obsolete
-     has-old-clients boolean; // obsolete
-     maintain-ixfr-base boolean; // obsolete
-     max-ixfr-log-size size; // obsolete
-     multiple-cnames boolean; // obsolete
-     named-xfer quoted_string; // obsolete
-     serial-queries integer; // obsolete
-     treat-cr-as-space boolean; // obsolete
-     use-id-pool boolean; // obsolete
-};
-
-view string optional_class {
-     match-clients { address_match_element; ... };
-     match-destinations { address_match_element; ... };
-     match-recursive-only boolean;
-     key string {
-          algorithm string;
-          secret string;
-     };
-     zone string optional_class {
-          ...
-     };
-     server ( ipv4_address | ipv6_address ) {
-          ...
-     };
-     trusted-keys {
-          string integer integer integer quoted_string; ...
-     };
-     allow-recursion { address_match_element; ... };
-     sortlist { address_match_element; ... };
-     topology { address_match_element; ... }; // not implemented
-     auth-nxdomain boolean; // default changed
-     minimal-responses boolean;
-     recursion boolean;
-     rrset-order {
-          [ class string ] [ type string ]
-          [ name quoted_string ] string string; ...
-     };
-     provide-ixfr boolean;
-     request-ixfr boolean;
-     rfc2308-type1 boolean; // not yet implemented
-     additional-from-auth boolean;
-     additional-from-cache boolean;
-     query-source [ address ( ipv4_address | * ) ] [ port ( integer | * ) ];
-     query-source-v6 [ address ( ipv6_address | * ) ] [ port ( integer | * ) ];
-     cleaning-interval integer;
-     min-roots integer; // not implemented
-     lame-ttl integer;
-     max-ncache-ttl integer;
-     max-cache-ttl integer;
-     transfer-format ( many-answers | one-answer );
-     max-cache-size size_no_default;
-     check-names ( master | slave | response )
-          ( fail | warn | ignore );
-     cache-file quoted_string;
-     suppress-initial-notify boolean; // not yet implemented
-     preferred-glue string;
-     dual-stack-servers [ port integer ] {
-          ( quoted_string [port integer] |
-          ipv4_address [port integer] |
-          ipv6_address [port integer] ); ...
-     };
-     edns-udp-size integer;
-     root-delegation-only [ exclude { quoted_string; ... } ];
-     disable-algorithms string { string; ... };
-     dnssec-enable boolean;
-     dnssec-lookaside string trust-anchor string;
-     dnssec-must-be-secure string boolean;
-     dialup dialuptype;
-     ixfr-from-differences ixfrdiff;
-     allow-query { address_match_element; ... };
-     allow-transfer { address_match_element; ... };
-     allow-update-forwarding { address_match_element; ... };
-     notify notifytype;
-     notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
-     notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
-     also-notify [ port integer ] { ( ipv4_address | ipv6_address )
-          [ port integer ]; ... };
-     allow-notify { address_match_element; ... };
-     forward ( first | only );
-     forwarders [ port integer ] {
-          ( ipv4_address | ipv6_address ) [ port integer ]; ...
-     };
-     max-journal-size size_no_default;
-     max-transfer-time-in integer;
-     max-transfer-time-out integer;
-     max-transfer-idle-in integer;
-     max-transfer-idle-out integer;
-     max-retry-time integer;
-     min-retry-time integer;
-     max-refresh-time integer;
-     min-refresh-time integer;
-     multi-master boolean;
-     sig-validity-interval integer;
-     transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     use-alt-transfer-source boolean;
-     zone-statistics boolean;
-     key-directory quoted_string;
-     allow-v6-synthesis { address_match_element; ... }; // obsolete
-     fetch-glue boolean; // obsolete
-     maintain-ixfr-base boolean; // obsolete
-     max-ixfr-log-size size; // obsolete
-};
-
-zone string optional_class {
-     type ( master | slave | stub | hint |
-          forward | delegation-only );
-     file quoted_string;
-     masters [ port integer ] {
-          ( masters |
-          ipv4_address [port integer] |
-          ipv6_address [ port integer ] ) [ key string ]; ...
-     };
-     database string;
-     delegation-only boolean;
-     check-names ( fail | warn | ignore );
-     dialup dialuptype;
-     ixfr-from-differences boolean;
-     allow-query { address_match_element; ... };
-     allow-transfer { address_match_element; ... };
-     allow-update { address_match_element; ... };
-     allow-update-forwarding { address_match_element; ... };
-     update-policy {
-          ( grant | deny ) string
-          ( name | subdomain | wildcard | self ) string
-          rrtypelist; ...
-     };
-     notify notifytype;
-     notify-source ( ipv4_address | * ) [ port ( integer | * ) ];
-     notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ];
-     also-notify [ port integer ] { ( ipv4_address | ipv6_address )
-          [ port integer ]; ... };
-     allow-notify { address_match_element; ... };
-     forward ( first | only );
-     forwarders [ port integer ] {
-          ( ipv4_address | ipv6_address ) [ port integer ]; ...
-     };
-     max-journal-size size_no_default;
-     max-transfer-time-in integer;
-     max-transfer-time-out integer;
-     max-transfer-idle-in integer;
-     max-transfer-idle-out integer;
-     max-retry-time integer;
-     min-retry-time integer;
-     max-refresh-time integer;
-     min-refresh-time integer;
-     multi-master boolean;
-     sig-validity-interval integer;
-     transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source ( ipv4_address | * )
-          [ port ( integer | * ) ];
-     alt-transfer-source-v6 ( ipv6_address | * )
-          [ port ( integer | * ) ];
-     use-alt-transfer-source boolean;
-     zone-statistics boolean;
-     key-directory quoted_string;
-     ixfr-base quoted_string; // obsolete
-     ixfr-tmp-file quoted_string; // obsolete
-     maintain-ixfr-base boolean; // obsolete
-     max-ixfr-log-size size; // obsolete
-     pubkey integer integer integer quoted_string; // obsolete
-};
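Review bot: The deletion removes the IIIa footnotes and IIIb notes that record behaviour changes a BIND 8 operator would not otherwise see, and the change shows no replacement (the target is /dev/null). These are: (*2) the auth-nxdomain default going from yes to no, (*6) the transfer-format default going from one-answer to many-answers, (*4) forward failing with "no matching 'forwarders' statement" when no forwarder is set, the Controls note that "unix" is not implemented and "inet" is the only option for rndc, and the Trusted-Keys note that the code using the statement is turned off in BIND 9.2.4. Please confirm these points are carried in the documentation that supersedes this file, or state in the commit message why they no longer apply. If the text is relocated rather than dropped, fix it on the way: the IIIc summary says "supported in BIND 9.3.6" while the title covers 9.2.4 to 9.3.4, "named.checkconf(1M)" is inconsistent with the hyphenated "named-checkzone(1M)" below it, "hostname (chaos)'" has a stray quote, and the dual-stack-servers block in the options summary lacks the closing semicolon that the view summary has.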