named.conf revision a5df621763fa230b63cd6db657358fbcb4bb1993
/*
*/
/*
*/
# So are shell-style comments
options {
directory "."; // use current directory
named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
dump-file "named_dump.db"; // _PATH_DUMPFILE
statistics-file "named.stats"; // _PATH_STATS
memstatistics-file "named.memstats"; // _PATH_MEMSTATS
rfc2308-type1 no;
tkey-domain "foo.com";
tkey-dhkey "xyz" 666 ;
check-names master fail;
check-names slave warn;
check-names response ignore;
host-statistics no;
deallocate-on-exit no; // Painstakingly deallocate all
// objects when exiting instead of
// letting the OS clean up for us.
// Useful a memory leak is suspected.
// Final statistics are written to the
// memstatistics-file.
datasize default;
stacksize default;
coresize default;
files unlimited;
recursion yes;
multiple-cnames no; // if yes, then a name my have more
// than one CNAME RR. This use
// is non-standard and is not
// recommended, but it is available
// because previous releases supported
// it and it was used by large sites
// for load balancing.
allow-query { any; };
allow-transfer { any; };
transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be
// set > than MAX_XFERS_RUNNING (20)
transfers-per-ns 2; // DEFAULT_XFERS_PER_NS
transfers-out 0; // not implemented
max-transfer-time-in 120; // MAX_XFER_TIME; the default number
// of minutes an inbound zone transfer
// may run. May be set on a per-zone
// basis.
max-transfer-time-out 10; // MAX_XFER_TIME; the default number
max-transfer-idle-in 100; // MAX_XFER_TIME; the default number
max-transfer-idle-out 11; // MAX_XFER_TIME; the default number
/*
* The "transfer-format" option specifies the way outbound zone
* transfers (i.e. from us to them) are formatted. Two values are
* allowed:
*
* one-answer Each RR gets its own DNS message.
* This format is not very efficient,
* but is widely understood. All
* versions of BIND prior to 8.1 generate
* this format for outbound zone
* and require it on inbound transfers.
*
* many-answers As many RRs as will fit are put into
* each DNS message. This format is
* the most efficient, but is only known
* to work with BIND 8. Patches to
* BIND 4.9.5 named-xfer that enable it
* available.
*
* If you are going to be doing zone transfers to older servers, you
*/
/*
* forwarders. "first" gives the normal BIND
* forwarding behavior, i.e. ask the forwarders first, and if that
*/
forwarders { }; // default is no forwarders
/*
*/
/*
1.2.3.4;
5.6.7.8;
};
*/
/*
*/
topology {
!1.2.3/24; // don't like 1.2.3.0 netmask
// 255.255.255.0 at all
{ 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0
// and 3.0.0.0 netmask 255.0.0.0
// equally well, but less than 10/8
};
listen-on port 53 { any; }; // listen for queries on port 53 on
// any interface on the system
// (i.e. all interfaces). The
// "port 53" is optional; if you
/*
* complicated example:
*/
listen-on { 5.6.7.8; }; // listen on port 53 on interface
// 5.6.7.8
listen-on port 1234 { // listen on port 1234 on any
!1.2.3.4; // interface on network 1.2.3
1.2.3/24; // netmask 255.255.255.0, except for
}; // interface 1.2.3.4.
/*
* Interval Timers
*/
cleaning-interval 60; // clean the cache of expired RRs
interface-interval 60; // scan for new or deleted interfaces
statistics-interval 60; // log statistics every
/*
* IXFR options
*/
maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
max-ixfr-log-size 20; // Not implemented, maximum size the
// IXFR transaction log file to grow
};
/*
* Control listeners, for "ndc". Every nameserver needs at least one.
*/
controls {
inet * port 52 allow { any; }; // a bad idea
};
zone "master.demo.zone" {
type master; // what used to be called "primary"
file "master.demo.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
// notify yes; // send NOTIFY messages for this
// zone? The global option is used
// if "notify" is not specified
// here.
also-notify { }; // don't notify any nameservers other
// zone
};
masters {
5.6.7.8;
};
transfer-source 10.0.0.53; // fixes multihoming problems
// than those on the NS list for this
// zone
forward only;
forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
};
view "test-view" {
zone "view-zone.com" {
type master;
file "view-zone-master";
};
};
zone "stub.demo.zone" {
type stub; // stub zones are like slave zones,
// except that only the NS records
// are transferred.
file "stub.demo.zone";
masters {
1.2.3.4; // where to zone transfer from
5.6.7.8;
};
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
pubkey 257 255 1 "a useless key";
pubkey 257 255 1 "another useless key";
};
zone "." {
type hint; // used to be specified w/ "cache"
file "cache.db";
// pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
trusted-keys {
"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
// by can_query are OK
zone "non-default-acl.demo.zone" {
type master;
file "foo";
allow-query { can_query; };
allow-transfer { can_axfr; };
allow-update {
1.2.3.4;
5.6.7.8;
};
pubkey 666 665 664 "key of the beast";
};
key sample_key { // for TSIG; supported by parser
algorithm hmac-md5; // but not yet implemented in the
secret "your secret here"; // rest of the server
};
key key2 {
algorithm hmac-md5;
secret "ereh terces rouy";
};
acl key_acl { key sample_key; }; // a request signed with sample_key
server 1.2.3.4 {
// server (see the description of
transfers 0; // not implemented
};
logging {
/*
*/
};
/*
* the channel. In order of decreasing severity, the levels are:
*
* critical a fatal error
* error
* warning
* notice a normal, but significant event
* info an informational message
* debug 1 the least detailed debugging info
* ...
* debug 99 the most detailed debugging info
*/
/*
* Here are the built-in channels:
*
* channel default_syslog {
* syslog daemon;
* severity info;
* };
*
* channel default_debug {
* file "named.run"; // note: stderr is used instead
* // of "named.run" if the server
* // is started with the "-f"
* // option.
* severity dynamic; // this means log debugging
* // at whatever debugging level
* // the server is at, and don't
* // debugging.
* };
*
* };
*
* channel default_stderr { // writes to stderr
* // there's currently no way
* // of saying "stderr" in the
* // configuration language.
* };
*
*/
/*
* don't want. Right now the categories are
*
* default the catch-all. many things still
* aren't classified into categories, and
* don't specify any channels for a
* category, the default category is used
* instead.
* config high-level configuration file
* processing
* parser low-level configuration file processing
* queries what used to be called "query logging"
* lame-servers messages like "Lame server on ..."
* statistics
* panic if the server has to shut itself
* down due to an internal problem, it
* logs the problem here (as well as
* "Malformed response ..."
* "wrong ans. name ..."
* "unrelated additional info ..."
* "invalid RR type ..."
* "bad referral ..."
*/
default_syslog; // as you want
};
channel moderate_debug {
file "foo"; // foo
severity debug 3; // level 3 debugging to file
print-time yes; // timestamp log entries
print-category yes; // print category name
print-severity yes; // print severity level
/*
* Note that debugging must have been turned on either
* on the command line or with a signal to get debugging
* output (non-debugging output will still be written to
* this channel).
*/
};
/*
*/
};
/*
*/
};
/*
* default category will be used. It is
*
* category default { default_syslog; default_debug; };
*/
/*
*
*/
/*
*
* category eventlib { default_debug; };
*
* category packet { default_debug; };
*/
};