Bv9ARM.ch06.html revision 035992291cb70ec3be4046fcea921b4a6acb1c77
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.132 2006/03/09 05:04:38 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="Bv9ARM.ch06"></a>Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555141">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555685"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555875"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556235"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556318"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556342"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556363"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556454"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556648"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557998"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558072"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558136"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558248"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558263"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566750"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566800"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566880"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2568250"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2570443">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572396">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572948">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573143">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573468"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 <span class="acronym">BIND</span> 9 configuration is broadly similar
 to <span class="acronym">BIND</span> 8; however, there are a few new areas
 of configuration, such as views. <span class="acronym">BIND</span>
 8 configuration files should work with few alterations in <span class="acronym">BIND</span>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features.
 <span class="acronym">BIND</span> 4 configuration files can be
 converted to the new format
 using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
 Following is a list of elements used throughout the <span class="acronym">BIND</span> configuration
 file documentation:

 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.

 A list of one or more
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements, see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.

 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and / or
 A <code class="varname">masters_list</code> may include other

 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".

 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.

 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.

 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their scope
 zones must be
 disambiguated by an appropriate zone ID with the percent
 (`%') as delimiter.
 It is strongly recommended to use string zone names rather than
 numeric identifiers, in order to be robust against system
 configuration changes.
 However, since there is no standard mapping for such names and
 identifier values, currently only interface names as link identifiers
 are supported, assuming one-to-one mapping between
 interfaces and links.
 For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
 link attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses always have
 ambiguity, and need to be disambiguated.

 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.

 through 65535, with values
 below 1024 typically restricted to use by processes running
 In some cases an asterisk (`*') character can be used as a
 placeholder to
 select a random high-numbered port.

 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 Trailing zeros in an <code class="varname">ip_addr</code>
 may be omitted.
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.

 A <code class="varname">domain_name</code> representing
 the name of a shared key, to be used for transaction

 A list of one or more
 separated by semicolons and ending with a semicolon.

 A non-negative 32 bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.

 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.

 A number, the word <strong class="userinput"><code>unlimited</code></strong>,
 or the word <strong class="userinput"><code>default</code></strong>.
 An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
 use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
 the limit that was in force when the server was started.
 A <code class="varname">number</code> can optionally be
 followed by a scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
 which scale by 1024, 1024*1024, and 1024*1024*1024
 respectively.
 The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
 Using <code class="varname">unlimited</code> is the best way
 to safely set a really large number.

 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.

 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<a name="id2554966"></a>Definition and Usage</h4></div></div></div>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements
 which constitute an address match list can be any of the
 a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement
<li>a nested address match list enclosed in braces</li>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets"
 are predefined. More information on those names can be found in
 the description of the acl statement.

 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless,
 the term "address match list" is still used throughout the
 documentation.

 When a given IP address or prefix is compared to an address
 match list, the list is traversed in order until an element
 The interpretation of a match depends on whether the list is being used
 for access control, defining listen-on ports, or in a sortlist,
 and whether the element was negated.

 When used as an access control list, a non-negated match
 allows access and a negated match denies access. If
 there is no match, access is denied. The clauses
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-cache</strong></span>,
 <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">allow-update</strong></span>,
 <span><strong class="command">allow-update-forwarding</strong></span>, and
 <span><strong class="command">blackhole</strong></span> all use address match
 lists. Similarly, the listen-on option will cause the
 server to not accept queries on any of the machine's
 addresses which do not match the list.

 Because of the first-match aspect of the algorithm, an element
 that defines a subset of another element in the list should come
 before the broader element, regardless of whether either is
 negated. For
 example, in
 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
 completely useless because the algorithm will match any lookup for
 Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
 that problem by having 1.2.3.13 blocked by the negation but all
 other 1.2.3.* hosts fall through.
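
 The first-match rule and the ordering pitfall described above, as an added Python example that is not part of the BIND documentation or source. The names parse_prefix, parse_match_list, allows and shadowed are hypothetical; the sketch covers only ip_prefix elements (including the short form with trailing zeros omitted), negation, and the predefined names "any" and "none", and leaves out key elements, other acl names, nested lists and scoped IPv6 addresses.

```python
import ipaddress
from collections import namedtuple

# One list element: negated flag, the networks it covers, and its source text.
Element = namedtuple("Element", "negated nets text")

ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_prefix(text):
    """Parse an ip_prefix or ip_addr, restoring omitted trailing zeros (127/8)."""
    addr, _, length = text.partition("/")
    if ":" not in addr:  # IPv4 dotted_decimal: one to four elements
        parts = addr.split(".")
        if len(parts) > 4 or (not length and len(parts) != 4):
            raise ValueError("not a valid ip_prefix or ip4_addr: %r" % text)
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    return ipaddress.ip_network(addr + ("/" + length if length else ""))


def parse_match_list(text):
    """Split 'elem; elem; ...' into Element tuples, keeping list order."""
    elements = []
    for raw in text.split(";"):
        raw = " ".join(raw.split())
        if not raw:
            continue
        negated = raw.startswith("!")
        name = raw[1:].strip() if negated else raw
        if name == "any":
            nets = ANY
        elif name == "none":
            nets = ()  # matches no hosts
        else:
            nets = (parse_prefix(name),)
        elements.append(Element(negated, nets, raw))
    return elements


def first_match(elements, client):
    """Return the first element whose network contains client, else None."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        if any(ip in net for net in elem.nets):
            return elem
    return None


def allows(elements, client):
    """Access-control reading: only a non-negated first match allows access."""
    hit = first_match(elements, client)
    return hit is not None and not hit.negated


def shadowed(elements):
    """Report (element, earlier element) pairs where the later one can never match."""
    dead = []
    for i, later in enumerate(elements):
        for earlier in elements[:i]:
            covered = later.nets and all(
                any(n.version == e.version and n.subnet_of(e) for e in earlier.nets)
                for n in later.nets
            )
            if covered:
                dead.append((later.text, earlier.text))
                break
    return dead


if __name__ == "__main__":
    # Constructed inputs: the two orderings discussed in the text.
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24"):
        elems = parse_match_list(acl)
        print(acl)
        for client in ("1.2.3.13", "1.2.3.14", "10.0.0.1"):
            print("  %-9s allowed=%s" % (client, allows(elems, client)))
        print("  shadowed:", shadowed(elems))
```

 Running shadowed over each address match list in a configuration review flags negations that were placed after the broader prefix they were meant to carve out.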
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555141"></a>Comment Syntax</h3></div></div></div>
 The <span class="acronym">BIND</span> 9 comment syntax allows for
 comments to appear
 anywhere that white space may appear in a <span class="acronym">BIND</span> configuration
 file. To appeal to programmers of all kinds, they can be written
<pre class="programlisting">/* This is a <span class="acronym">BIND</span> comment as in C */</pre>
<pre class="programlisting">// This is a <span class="acronym">BIND</span> comment as in C++</pre>
<pre class="programlisting"># This is a <span class="acronym">BIND</span> comment as in common UNIX shells and perl</pre>
<a name="id2555186"></a>Definition and Usage</h4></div></div></div>
 Comments may appear anywhere that whitespace may appear in
 a <span class="acronym">BIND</span> configuration file.

 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
 a portion of a line or to span multiple lines.

 C-style comments cannot be nested. For example, the following
 is not valid because the entire comment ends with the first */:
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
 C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
 comment span multiple lines, each line must use the // pair.
 For example:
<pre class="programlisting">// This is the start of a comment.  The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
 Shell-style (or perl-style, if you prefer) comments start
 with the character <code class="literal">#</code> (number sign)
 and continue to the end of the
 physical line, as in C++ comments.
 For example:
<pre class="programlisting"># This is the start of a comment.  The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 You cannot use the semicolon (`;') character
 to start a comment such as you would in a zone file. The
 semicolon indicates the end of a configuration
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
 A <span class="acronym">BIND</span> 9 configuration consists of
 statements and comments.
 Statements end with a semicolon. Statements and comments are the
 only elements that can appear without enclosing braces. Many
 statements contain a block of sub-statements, which are also
 terminated with a semicolon.

 The following statements are supported:

 <p><span><strong class="command">acl</strong></span></p>
 defines a named IP address
 matching list, for access control and other uses.

 <p><span><strong class="command">controls</strong></span></p>
 declares control channels to be used
 by the <span><strong class="command">rndc</strong></span> utility.

 <p><span><strong class="command">include</strong></span></p>
 includes a file.

 <p><span><strong class="command">key</strong></span></p>
 specifies key information for use in
 authentication and authorization using TSIG.

 <p><span><strong class="command">logging</strong></span></p>
 specifies what the server logs, and where
 the log messages are sent.

 <p><span><strong class="command">lwres</strong></span></p>
 configures <span><strong class="command">named</strong></span> to
 also act as a light weight resolver daemon (<span><strong class="command">lwresd</strong></span>).

 <p><span><strong class="command">masters</strong></span></p>
 defines a named masters list for
 inclusion in stub and slave zone masters clauses.

 <p><span><strong class="command">options</strong></span></p>
 controls global server configuration
 options and sets defaults for other statements.

 <p><span><strong class="command">server</strong></span></p>
 sets certain configuration options on
 a per-server basis.
45613d36b9466a48def0498cffa07f48980720f8jerenkrantz <p><span><strong class="command">trusted-keys</strong></span></p>
e26eb33b7b56b5d9ed53bd600f5685e2230d3fb7gregames defines trusted DNSSEC keys.
ce10538fc37f0b260cea0eeebe574a4f69830283brianp <p><span><strong class="command">view</strong></span></p>
ce10538fc37f0b260cea0eeebe574a4f69830283brianp defines a view.
ce10538fc37f0b260cea0eeebe574a4f69830283brianp <p><span><strong class="command">zone</strong></span></p>
ce10538fc37f0b260cea0eeebe574a4f69830283brianp defines a zone.
 The <span><strong class="command">logging</strong></span> and
 <span><strong class="command">options</strong></span> statements may only occur once per
 configuration.
ce10538fc37f0b260cea0eeebe574a4f69830283brianp<a name="id2555685"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
ce10538fc37f0b260cea0eeebe574a4f69830283brianp<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
ce10538fc37f0b260cea0eeebe574a4f69830283brianp address_match_list
ce10538fc37f0b260cea0eeebe574a4f69830283brianp<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
ce10538fc37f0b260cea0eeebe574a4f69830283brianp The <span><strong class="command">acl</strong></span> statement assigns a symbolic
ce10538fc37f0b260cea0eeebe574a4f69830283brianp name to an address match list. It gets its name from a primary
ecd39b39633d7e1635e6782b2f5aba3fcc709f9dtrawick use of address match lists: Access Control Lists (ACLs).
ecd39b39633d7e1635e6782b2f5aba3fcc709f9dtrawick Note that an address match list's name must be defined
ce10538fc37f0b260cea0eeebe574a4f69830283brianp with <span><strong class="command">acl</strong></span> before it can be used
ce10538fc37f0b260cea0eeebe574a4f69830283brianp elsewhere; no
ce10538fc37f0b260cea0eeebe574a4f69830283brianp forward references are allowed.
ecd39b39633d7e1635e6782b2f5aba3fcc709f9dtrawick The following ACLs are built-in:
862562bece2467ae2e729a270279e07522c654a9rederpj <p><span><strong class="command">any</strong></span></p>
0048f5ed06c6e0da386771205f8dc6300940c771brianp Matches all hosts.
ce10538fc37f0b260cea0eeebe574a4f69830283brianp <p><span><strong class="command">none</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Matches no hosts.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">localhost</strong></span></p>
ce10538fc37f0b260cea0eeebe574a4f69830283brianp Matches the IPv4 and IPv6 addresses of all network
ce10538fc37f0b260cea0eeebe574a4f69830283brianp interfaces on the system.
0048f5ed06c6e0da386771205f8dc6300940c771brianp <p><span><strong class="command">localnets</strong></span></p>
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp Matches any host on an IPv4 or IPv6 network
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp for which the system has an interface.
 Some systems do not provide a way to determine the prefix
 lengths of local IPv6 addresses.
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp In such a case, <span><strong class="command">localnets</strong></span>
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp only matches the local
c9a95767fbf0f5fb0976a06b97a256033925e433rbb IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
6fd5761878f22fb9a2de0835807a29784bf367abtrawick<a name="id2555875"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<pre class="programlisting"><span><strong class="command">controls</strong></span> {
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
c9a95767fbf0f5fb0976a06b97a256033925e433rbb keys { <em class="replaceable"><code>key_list</code></em> }; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ inet ...; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ unix ...; ]
7a19abb2304b1e7261b7b37cf0cad44f3755cb2cbrianp<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">controls</strong></span> statement declares control
c9a95767fbf0f5fb0976a06b97a256033925e433rbb channels to be used by system administrators to control the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb operation of the name server. These control channels are
e05e66c8dc0bf26184b8545ff67d68e96af401eajerenkrantz used by the <span><strong class="command">rndc</strong></span> utility to send
ebe7da316894e2b93b4a905fccd2496d0ed1bc78rbb commands to and retrieve non-DNS results from a name server.
e57e920838f31508f1418aa4c25ce55b345b2cebrbb An <span><strong class="command">inet</strong></span> control channel is a TCP socket
e57e920838f31508f1418aa4c25ce55b345b2cebrbb listening at the specified <span><strong class="command">ip_port</strong></span> on the
ae2f0a4a94a833fd44cb6b5c1f520cbc76ff72fefielding specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
c9a95767fbf0f5fb0976a06b97a256033925e433rbb address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> is
c9a95767fbf0f5fb0976a06b97a256033925e433rbb interpreted as the IPv4 wildcard address; connections will be
c9a95767fbf0f5fb0976a06b97a256033925e433rbb accepted on any of the system's IPv4 addresses.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb To listen on the IPv6 wildcard address,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb If you will only use <span><strong class="command">rndc</strong></span> on the local host,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb using the loopback address (<code class="literal">127.0.0.1</code>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb or <code class="literal">::1</code>) is recommended for maximum security.
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp If no port is specified, port 953 is used.
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
ae2f0a4a94a833fd44cb6b5c1f520cbc76ff72fefielding The ability to issue commands over the control channel is
2d399cd7535887fceaa9f8f116eb98ce68ddd602trawick restricted by the <span><strong class="command">allow</strong></span> and
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker <span><strong class="command">keys</strong></span> clauses.
ae2f0a4a94a833fd44cb6b5c1f520cbc76ff72fefielding Connections to the control channel are permitted based on the
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick <span><strong class="command">address_match_list</strong></span>. This is for simple
ae2f0a4a94a833fd44cb6b5c1f520cbc76ff72fefielding IP address based filtering only; any <span><strong class="command">key_id</strong></span>
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp elements of the <span><strong class="command">address_match_list</strong></span>
ae2f0a4a94a833fd44cb6b5c1f520cbc76ff72fefielding are ignored.
 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
 socket listening at the specified path in the file system.
 Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
 Note that on some platforms (SunOS and Solaris) the permissions
 (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
 as the permissions on the socket itself are ignored.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The primary authorization mechanism of the command
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick channel is the <span><strong class="command">key_list</strong></span>, which
c9a95767fbf0f5fb0976a06b97a256033925e433rbb contains a list of <span><strong class="command">key_id</strong></span>s.
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb is authorized to execute commands over the control channel.
 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb for information about configuring keys in <span><strong class="command">rndc</strong></span>.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb If no <span><strong class="command">controls</strong></span> statement is present,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">named</strong></span> will set up a default
c9a95767fbf0f5fb0976a06b97a256033925e433rbb control channel listening on the loopback address 127.0.0.1
c9a95767fbf0f5fb0976a06b97a256033925e433rbb and its IPv6 counterpart ::1.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb In this case, and also when the <span><strong class="command">controls</strong></span> statement
2d399cd7535887fceaa9f8f116eb98ce68ddd602trawick is present but does not have a <span><strong class="command">keys</strong></span> clause,
 <span><strong class="command">named</strong></span> will attempt to load the command channel key
 from the file <code class="filename">rndc.key</code> in
 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb was specified as when <span class="acronym">BIND</span> was built).
c9a95767fbf0f5fb0976a06b97a256033925e433rbb To create a <code class="filename">rndc.key</code> file, run
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick <strong class="userinput"><code>rndc-confgen -a</code></strong>.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <code class="filename">rndc.key</code> feature was created to
c9a95767fbf0f5fb0976a06b97a256033925e433rbb ease the transition of systems from <span class="acronym">BIND</span> 8,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb which did not have digital signatures on its command channel
c9a95767fbf0f5fb0976a06b97a256033925e433rbb messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
50e60f30bdc074fbc887f0b98f4d570457ac97c9brianp It makes it possible to use an existing <span class="acronym">BIND</span> 8
c9a95767fbf0f5fb0976a06b97a256033925e433rbb configuration file in <span class="acronym">BIND</span> 9 unchanged,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb and still have <span><strong class="command">rndc</strong></span> work the same way
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
c9a95767fbf0f5fb0976a06b97a256033925e433rbb installed.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Since the <code class="filename">rndc.key</code> feature
c9a95767fbf0f5fb0976a06b97a256033925e433rbb is only intended to allow the backward-compatible usage of
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span class="acronym">BIND</span> 8 configuration files, this
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker feature does not
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker have a high degree of configurability. You cannot easily change
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker the key name or the size of the secret, so you should make a
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="filename">rndc.conf</code> with your own key if you
c9a95767fbf0f5fb0976a06b97a256033925e433rbb wish to change
c9a95767fbf0f5fb0976a06b97a256033925e433rbb those things. The <code class="filename">rndc.key</code> file
c9a95767fbf0f5fb0976a06b97a256033925e433rbb also has its
c9a95767fbf0f5fb0976a06b97a256033925e433rbb permissions set such that only the owner of the file (the user that
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">named</strong></span> is running as) can access it.
 If you desire greater flexibility in allowing other users to access
2d399cd7535887fceaa9f8f116eb98ce68ddd602trawick <span><strong class="command">rndc</strong></span> commands then you need to create
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="filename">rndc.conf</code> and make it group
c9a95767fbf0f5fb0976a06b97a256033925e433rbb readable by a group
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker that contains the users who should have access.
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick To disable the command channel, use an empty
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">controls</strong></span> statement:
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">controls { };</strong></span>.
6646a289c2d4778c8cd43d62b5a1cc966a356f85jerenkrantz<div class="titlepage"><div><div><h3 class="title">
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick<a name="id2556235"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
6646a289c2d4778c8cd43d62b5a1cc966a356f85jerenkrantz<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
6646a289c2d4778c8cd43d62b5a1cc966a356f85jerenkrantz<div class="titlepage"><div><div><h3 class="title">
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker<a name="id2556318"></a><span><strong class="command">include</strong></span> Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">include</strong></span> statement inserts the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb specified file at the point where the <span><strong class="command">include</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb statement is encountered. The <span><strong class="command">include</strong></span>
 statement facilitates the administration of configuration files
c9a95767fbf0f5fb0976a06b97a256033925e433rbb by permitting the reading or writing of some things but not
c9a95767fbf0f5fb0976a06b97a256033925e433rbb others. For example, the statement could include private keys
c9a95767fbf0f5fb0976a06b97a256033925e433rbb that are readable only by the name server.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<a name="id2556342"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
1397600ab25e11b203e7ced39e509e24b6ff4e68trawick algorithm <em class="replaceable"><code>string</code></em>;
c9a95767fbf0f5fb0976a06b97a256033925e433rbb secret <em class="replaceable"><code>string</code></em>;
95d6bb73dd7df5cffa270c77910715a1ddb663dbbrianp<a name="id2556363"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">key</strong></span> statement defines a shared
c9a95767fbf0f5fb0976a06b97a256033925e433rbb secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
c9a95767fbf0f5fb0976a06b97a256033925e433rbb or the command channel
c9a95767fbf0f5fb0976a06b97a256033925e433rbb (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Usage”</a>).
 The <span><strong class="command">key</strong></span> statement can occur at the
 top level of the configuration file or inside a <span><strong class="command">view</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb statement. Keys defined in top-level <span><strong class="command">key</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb statements can be used in all views. Keys intended for use in
c9a95767fbf0f5fb0976a06b97a256033925e433rbb a <span><strong class="command">controls</strong></span> statement
c9a95767fbf0f5fb0976a06b97a256033925e433rbb (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Usage”</a>)
c9a95767fbf0f5fb0976a06b97a256033925e433rbb must be defined at the top level.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <em class="replaceable"><code>key_id</code></em>, also known as the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb key name, is a domain name uniquely identifying the key. It can
c9a95767fbf0f5fb0976a06b97a256033925e433rbb be used in a <span><strong class="command">server</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb statement to cause requests sent to that
c9a95767fbf0f5fb0976a06b97a256033925e433rbb server to be signed with this key, or in address match lists to
c9a95767fbf0f5fb0976a06b97a256033925e433rbb verify that incoming requests have been signed with a key
c9a95767fbf0f5fb0976a06b97a256033925e433rbb matching this name, algorithm, and secret.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <em class="replaceable"><code>algorithm_id</code></em> is a string
 that specifies a security/authentication algorithm. Named supports
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb and <code class="literal">hmac-sha512</code> TSIG authentication.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Truncated hashes are supported by appending the minimum
 number of required bits preceded by a dash, e.g.
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley <em class="replaceable"><code>secret_string</code></em> is the secret
c9a95767fbf0f5fb0976a06b97a256033925e433rbb to be used by the algorithm, and is treated as a base-64
c9a95767fbf0f5fb0976a06b97a256033925e433rbb encoded string.
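The restrictions described in the controls and key sections above can be checked mechanically. The following is an added example (not part of the BIND manual or ISC's code): a small Python auditor that parses named.conf text and flags control channels bound to a wildcard address, an allow list containing any, a missing keys clause, keys that are not defined at the top level, secrets that are not valid base-64, and unix sockets open to other users. The sample configuration, the finding names and the chmod-style octal reading of perm are assumptions of this example.

```python
import base64
import binascii
import re

# Constructed sample named.conf text for this example (not from the BIND manual).
SAMPLE_CONF = r'''
key "rndc-key" { algorithm hmac-sha256; secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA=="; };
view "internal" {
    key "view-key" { algorithm hmac-sha256; secret "not base64!"; };
};
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };  # loopback, keyed
    inet * allow { any; } keys { "view-key"; };   // wildcard, open ACL, view-scoped key
    inet ::1 allow { localhost; };                /* no keys clause */
    unix "/var/run/ndc" perm 0666 owner 0 group 0 keys { "rndc-key"; };
};
'''

# Quoted string | /* */ comment | // or # comment | punctuation | bare word.
TOKEN = re.compile(r'("[^"]*")|/\*.*?\*/|(?://|#)[^\n]*|([{};])|([^\s{};"]+)', re.S)


def tokenize(text):
    """Split named.conf text into tokens, dropping all three comment styles."""
    return [m.group(m.lastindex) for m in TOKEN.finditer(text) if m.lastindex]


def parse(tokens, pos=0):
    """Build statements: each is a list of words and nested blocks, ended by ';'."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == '{':
            block, pos = parse(tokens, pos)
            cur.append(block)
        elif tok == '}':
            break
        elif tok == ';':
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    return stmts, pos


def clause(stmt, word):
    """Return the item that follows `word` in a statement, or None if absent."""
    for i in range(len(stmt) - 1):
        if stmt[i] == word:
            return stmt[i + 1]
    return None


def keys_in(stmts):
    """Map key name -> secret for the key statements directly inside `stmts`."""
    found = {}
    for s in stmts:
        if s[0] == 'key' and len(s) == 3 and isinstance(s[2], list):
            secret = next((b[1] for b in s[2] if len(b) > 1 and b[0] == 'secret'), '')
            found[s[1].strip('"')] = secret.strip('"')
    return found


def valid_base64(secret):
    """True if the secret is non-empty and decodes as strict base-64."""
    try:
        base64.b64decode(secret, validate=True)
        return bool(secret)
    except (binascii.Error, ValueError):
        return False


def audit(conf_text):
    """Return (subject, finding) pairs for the key and controls statements."""
    stmts, _ = parse(tokenize(conf_text))
    top, scoped = keys_in(stmts), {}
    for s in stmts:
        if s[0] == 'view' and isinstance(s[-1], list):
            scoped.update(keys_in(s[-1]))      # keys visible only inside a view
    findings = [('key ' + n, 'secret-not-base64')
                for n, sec in {**scoped, **top}.items() if not valid_base64(sec)]
    channels = [ch for s in stmts if s[0] == 'controls' and isinstance(s[-1], list)
                for ch in s[-1] if len(ch) > 1 and isinstance(ch[1], str)]
    for ch in channels:
        name = ch[0] + ' ' + ch[1].strip('"')
        allow, keys, perm = clause(ch, 'allow'), clause(ch, 'keys'), clause(ch, 'perm')
        if ch[0] == 'inet' and ch[1] in ('*', '::'):
            findings.append((name, 'wildcard-address'))
        if isinstance(allow, list) and ['any'] in allow:
            findings.append((name, 'allow-any'))
        # Assumption: perm is written chmod-style in octal, e.g. 0660.
        if isinstance(perm, str) and re.fullmatch(r'0[0-7]{3}', perm):
            if int(perm, 8) & 0o007:
                findings.append((name, 'socket-open-to-others'))
        if not isinstance(keys, list):
            findings.append((name, 'no-keys-clause'))  # named falls back to rndc.key
            continue
        for k in keys:
            if k[0].strip('"') not in top:             # controls keys must be top-level
                findings.append((name, 'key-not-defined-at-top-level:' + k[0].strip('"')))
    return findings


if __name__ == '__main__':
    for subject, finding in audit(SAMPLE_CONF):
        print(f'{subject}: {finding}')
```

A clean result means only that these specific patterns were not found; the address filtering and key checks themselves are enforced by named.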
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<a name="id2556454"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<pre class="programlisting"><span><strong class="command">logging</strong></span> {
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
c9a95767fbf0f5fb0976a06b97a256033925e433rbb ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
835836eaf9e2a23192a262307b08f626e50e2180trawick [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
835836eaf9e2a23192a262307b08f626e50e2180trawick | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
835836eaf9e2a23192a262307b08f626e50e2180trawick | <span><strong class="command">stderr</strong></span>
835836eaf9e2a23192a262307b08f626e50e2180trawick | <span><strong class="command">null</strong></span> );
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c9a95767fbf0f5fb0976a06b97a256033925e433rbb [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker<a name="id2556648"></a><span><strong class="command">logging</strong></span> Statement Definition and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">logging</strong></span> statement configures a
c9a95767fbf0f5fb0976a06b97a256033925e433rbb variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
c9a95767fbf0f5fb0976a06b97a256033925e433rbb associates output methods, format options and severity levels with
0a2d57d962bef3a8898723925b3fb02d2e836994dougm a name that can then be used with the <span><strong class="command">category</strong></span> phrase
0a2d57d962bef3a8898723925b3fb02d2e836994dougm to select how various classes of messages are logged.
 Only one <span><strong class="command">logging</strong></span> statement is used to define
 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
5eee53948c686a75275faee523d885fd4c93af5fwrowe the logging configuration will be:
5eee53948c686a75275faee523d885fd4c93af5fwrowe category default { default_syslog; default_debug; };
c9a95767fbf0f5fb0976a06b97a256033925e433rbb category unmatched { null; };
0a2d57d962bef3a8898723925b3fb02d2e836994dougm In <span class="acronym">BIND</span> 9, the logging configuration
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker is only established when
0a2d57d962bef3a8898723925b3fb02d2e836994dougm the entire configuration file has been parsed. In <span class="acronym">BIND</span> 8, it was
 established as soon as the <span><strong class="command">logging</strong></span>
 statement was parsed. When the server is starting up, all logging messages
c9a95767fbf0f5fb0976a06b97a256033925e433rbb regarding syntax errors in the configuration file go to the default
c9a95767fbf0f5fb0976a06b97a256033925e433rbb channels, or to standard error if the "<code class="option">-g</code>" option
c9a95767fbf0f5fb0976a06b97a256033925e433rbb was specified.
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker<a name="id2556700"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
c9a95767fbf0f5fb0976a06b97a256033925e433rbb you can make as many of them as you want.
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker Every channel definition must include a destination clause that
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker says whether messages selected for the channel go to a file, to a
5d069993d3174df5898911fe465cb2b78bad759ctrawick particular syslog facility, to the standard error stream, or are
5d069993d3174df5898911fe465cb2b78bad759ctrawick discarded. It can optionally also limit the message severity level
5d069993d3174df5898911fe465cb2b78bad759ctrawick that will be accepted by the channel (the default is
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">info</strong></span>), and whether to include a
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">named</strong></span>-generated time stamp, the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb category name
c9a95767fbf0f5fb0976a06b97a256033925e433rbb and/or severity level (the default is not to include any).
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker The <span><strong class="command">null</strong></span> destination clause
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker causes all messages sent to the channel to be discarded;
c9a95767fbf0f5fb0976a06b97a256033925e433rbb in that case, other options for the channel are meaningless.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">file</strong></span> destination clause directs
c9a95767fbf0f5fb0976a06b97a256033925e433rbb the channel
c9a95767fbf0f5fb0976a06b97a256033925e433rbb to a disk file. It can include limitations
 both on how large the file is allowed to become, and how many
 versions of the file will be saved each time the file is opened.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb If you use the <span><strong class="command">versions</strong></span> log file
c9a95767fbf0f5fb0976a06b97a256033925e433rbb option, then
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">named</strong></span> will retain that many backup
c9a95767fbf0f5fb0976a06b97a256033925e433rbb versions of the file by
c9a95767fbf0f5fb0976a06b97a256033925e433rbb renaming them when opening. For example, if you choose to keep 3
c9a95767fbf0f5fb0976a06b97a256033925e433rbb old versions
c9a95767fbf0f5fb0976a06b97a256033925e433rbb of the file <code class="filename">lamers.log</code> then just
2d399cd7535887fceaa9f8f116eb98ce68ddd602trawick before it is opened
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker <code class="filename">lamers.log.1</code> is renamed to
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
 renamed to <code class="filename">lamers.log.0</code>.
 You can say <span><strong class="command">versions unlimited</strong></span> to
 not limit the number of versions.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb If a <span><strong class="command">size</strong></span> option is associated with
c9a95767fbf0f5fb0976a06b97a256033925e433rbb the log file,
c9a95767fbf0f5fb0976a06b97a256033925e433rbb then renaming is only done when the file being opened exceeds the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb indicated size. No backup versions are kept by default; any
c9a95767fbf0f5fb0976a06b97a256033925e433rbb log file is simply appended.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The <span><strong class="command">size</strong></span> option for files is used
c9a95767fbf0f5fb0976a06b97a256033925e433rbb to limit log
c9a95767fbf0f5fb0976a06b97a256033925e433rbb growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
c9a95767fbf0f5fb0976a06b97a256033925e433rbb stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
 associated with it. If backup versions are kept, the files are
 rolled as described above and a new one begun. If there is no
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">versions</strong></span> option, no more data will
c9a95767fbf0f5fb0976a06b97a256033925e433rbb be written to the log
c9a95767fbf0f5fb0976a06b97a256033925e433rbb until some out-of-band mechanism removes or truncates the log to
c9a95767fbf0f5fb0976a06b97a256033925e433rbb less than the
 maximum size. The default behavior is not to limit the size of
 the file.
3ccd08b29a1c0e523ebb66e5f24e048e3a364384gstein Example usage of the <span><strong class="command">size</strong></span> and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">versions</strong></span> options:
c9a95767fbf0f5fb0976a06b97a256033925e433rbb file "example.log" versions 3 size 20m;
93d7153aa172665f55b04463b831ad556269c3efbrianp print-time yes;
e654452796751e21828a4078767e075eccf3b232stoddard print-category yes;
3ccd08b29a1c0e523ebb66e5f24e048e3a364384gstein The <span><strong class="command">syslog</strong></span> destination clause
93d7153aa172665f55b04463b831ad556269c3efbrianp directs the
e654452796751e21828a4078767e075eccf3b232stoddard channel to the system log. Its argument is a
e654452796751e21828a4078767e075eccf3b232stoddard syslog facility as described in the <span><strong class="command">syslog</strong></span> man
93d7153aa172665f55b04463b831ad556269c3efbrianp page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
93d7153aa172665f55b04463b831ad556269c3efbrianp <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
 <span><strong class="command">local7</strong></span>; however, not all facilities
 are supported on
 all operating systems.
 How <span><strong class="command">syslog</strong></span> will handle messages
 sent to this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
93d7153aa172665f55b04463b831ad556269c3efbrianp page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
93d7153aa172665f55b04463b831ad556269c3efbrianp only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
93d7153aa172665f55b04463b831ad556269c3efbrianp then this clause is silently ignored.
93d7153aa172665f55b04463b831ad556269c3efbrianp The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
93d7153aa172665f55b04463b831ad556269c3efbrianp "priorities", except that they can also be used if you are writing
93d7153aa172665f55b04463b831ad556269c3efbrianp straight to a file rather than using <span><strong class="command">syslog</strong></span>.
91ec00684796e5bf39808b1415c0daefacb72025stoddard Messages which are not at least of the severity level given will
93d7153aa172665f55b04463b831ad556269c3efbrianp not be selected for the channel; messages of higher severity
3ccd08b29a1c0e523ebb66e5f24e048e3a364384gstein will be accepted.
93d7153aa172665f55b04463b831ad556269c3efbrianp If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
bd120542ebe7e09cdbada5daf4924f4690e5ece3trawick will also determine what eventually passes through. For example,
bd120542ebe7e09cdbada5daf4924f4690e5ece3trawick defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
bd120542ebe7e09cdbada5daf4924f4690e5ece3trawick only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
93d7153aa172665f55b04463b831ad556269c3efbrianp cause messages of severity <span><strong class="command">info</strong></span> and
4a9b8df1c530b27ace58ee113cb7f27503b9696ftrawick <span><strong class="command">notice</strong></span> to
93d7153aa172665f55b04463b831ad556269c3efbrianp be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
93d7153aa172665f55b04463b831ad556269c3efbrianp messages of only <span><strong class="command">warning</strong></span> or higher,
e654452796751e21828a4078767e075eccf3b232stoddard then <span><strong class="command">syslogd</strong></span> would
93d7153aa172665f55b04463b831ad556269c3efbrianp print all messages it received from the channel.
93d7153aa172665f55b04463b831ad556269c3efbrianp The <span><strong class="command">stderr</strong></span> destination clause
e654452796751e21828a4078767e075eccf3b232stoddard directs the
 channel to the server's standard error stream. This is intended
 for use when the server is running as a foreground process, for
 example when debugging a configuration.
93d7153aa172665f55b04463b831ad556269c3efbrianp The server can supply extensive debugging information when
 it is in debugging mode. If the server's global debug level is
 greater than zero, then debugging mode will be active. The global debug
93d7153aa172665f55b04463b831ad556269c3efbrianp level is set either by starting the <span><strong class="command">named</strong></span> server
c9a95767fbf0f5fb0976a06b97a256033925e433rbb with the <code class="option">-d</code> flag followed by a positive integer,
93d7153aa172665f55b04463b831ad556269c3efbrianp or by running <span><strong class="command">rndc trace</strong></span>.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The global debug level
 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
 notrace</strong></span>. All debugging messages in the server have a debug
3ccd08b29a1c0e523ebb66e5f24e048e3a364384gstein level, and higher debug levels give more detailed output. Channels
3ccd08b29a1c0e523ebb66e5f24e048e3a364384gstein that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
93d7153aa172665f55b04463b831ad556269c3efbrianp will get debugging output of level 3 or less any time the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb server is in debugging mode, regardless of the global debugging
c9a95767fbf0f5fb0976a06b97a256033925e433rbb level. Channels with <span><strong class="command">dynamic</strong></span>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb severity use the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb server's global debug level to determine what messages to print.
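The severity rules in the two passages above (channel severity versus the syslog.conf priority, and fixed versus dynamic debug levels) can be checked with a small model. This is an added example, not code from BIND or from this manual: the function names are hypothetical, the severities critical and error are BIND severities not named in the text above, and syslogd's selector is assumed to keep messages at or above the named priority.

```python
"""Added example: model of the two-stage severity filtering described above."""

# Severities from most to least severe. "critical" and "error" are not
# named in the surrounding text; they are included to complete the ladder.
LADDER = ["critical", "error", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LADDER)}

# syslog.conf spells two priorities differently from named.conf (assumption
# of this model: they correspond one to one).
SYSLOG_ALIASES = {"crit": "critical", "err": "error"}


def parse_severity(spec):
    """Parse 'info', 'debug 3' or 'dynamic' into (name, debug_level)."""
    parts = spec.split()
    if not parts or len(parts) > 2:
        raise ValueError("bad severity: %r" % spec)
    name = parts[0]
    if name == "dynamic" and len(parts) == 1:
        return ("dynamic", None)
    if name == "debug":
        # A bare "debug" is treated as debug level 1.
        level = int(parts[1]) if len(parts) == 2 else 1
        if level < 1:
            raise ValueError("debug level must be positive: %r" % spec)
        return ("debug", level)
    if name in RANK and len(parts) == 1:
        return (name, None)
    raise ValueError("bad severity: %r" % spec)


def channel_accepts(channel_spec, msg_spec, global_debug=0):
    """True if named selects a message of severity msg_spec for the channel."""
    ch_name, ch_level = parse_severity(channel_spec)
    msg_name, msg_level = parse_severity(msg_spec)
    if msg_name == "dynamic":
        raise ValueError("a message cannot have severity 'dynamic'")
    if msg_name != "debug":
        # Non-debug message: must be at least as severe as the channel.
        # debug and dynamic channels sit below info, so they take all of these.
        if ch_name in ("debug", "dynamic"):
            return True
        return RANK[msg_name] <= RANK[ch_name]
    # Debug message: only produced while debugging mode is active.
    if global_debug <= 0:
        return False
    if ch_name == "dynamic":
        return msg_level <= global_debug   # follows the global debug level
    if ch_name == "debug":
        return msg_level <= ch_level       # fixed ceiling, e.g. "debug 3"
    return False                           # info and above never take debug


def syslogd_passes(selector_priority, msg_spec):
    """True if a 'facility.priority' selector in syslog.conf keeps the message."""
    wanted = SYSLOG_ALIASES.get(selector_priority, selector_priority)
    msg_name, _ = parse_severity(msg_spec)
    return RANK[msg_name] <= RANK[wanted]


def audit(channel_spec, selector_priority, global_debug=0):
    """Return (delivered, dropped): severities that reach the system log, and
    severities named sends to the channel that syslogd then discards."""
    delivered, dropped = [], []
    for sev in LADDER:
        if not channel_accepts(channel_spec, sev, global_debug):
            continue
        if syslogd_passes(selector_priority, sev):
            delivered.append(sev)
        else:
            dropped.append(sev)
    return delivered, dropped


if __name__ == "__main__":
    # The case from the text: channel "daemon"/"debug", syslog.conf daemon.warning.
    print(audit("debug", "warning"))
    # The reverse case: named sends warning or higher, syslogd keeps everything.
    print(audit("warning", "debug"))
```

A non-empty second list from audit() means the channel is configured to log events that never reach the system log, which is worth checking for any channel that carries the security or update-security categories.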
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker If <span><strong class="command">print-time</strong></span> has been turned on,
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker the date and time will be logged. <span><strong class="command">print-time</strong></span> may
c9a95767fbf0f5fb0976a06b97a256033925e433rbb be specified for a <span><strong class="command">syslog</strong></span> channel,
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley but is usually
c9a95767fbf0f5fb0976a06b97a256033925e433rbb pointless since <span><strong class="command">syslog</strong></span> also prints
c9a95767fbf0f5fb0976a06b97a256033925e433rbb the date and
c9a95767fbf0f5fb0976a06b97a256033925e433rbb time. If <span><strong class="command">print-category</strong></span> is
c9a95767fbf0f5fb0976a06b97a256033925e433rbb requested, then the
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
c9a95767fbf0f5fb0976a06b97a256033925e433rbb be used in any combination, and will always be printed in the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb order: time, category, severity. Here is an example where all
c9a95767fbf0f5fb0976a06b97a256033925e433rbb three <span><strong class="command">print-</strong></span> options
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb There are four predefined channels that are used for
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <span><strong class="command">named</strong></span>'s default logging as follows.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb How they are
c9a95767fbf0f5fb0976a06b97a256033925e433rbb used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    syslog daemon;                      // send to syslog's daemon
                                        // facility
    severity info;                      // only send priority info
                                        // and higher
};

channel default_debug {
    file "named.run";                   // write to named.run in
                                        // the working directory
                                        // Note: stderr is used instead
                                        // if the server is started
                                        // with the '-f' option.
    severity dynamic;                   // log at the server's
                                        // current debug level
};

channel default_stderr {
    stderr;                             // writes to stderr
    severity info;                      // only send priority info
                                        // and higher
};

channel null {
    null;                               // toss anything sent to
                                        // this channel
};
</pre>
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker The <span><strong class="command">default_debug</strong></span> channel has the
 property that it only produces output when the server's debug
 level is nonzero. It normally writes to a file <code class="filename">named.run</code>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb in the server's working directory.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb For security reasons, when the "<code class="option">-u</code>"
c9a95767fbf0f5fb0976a06b97a256033925e433rbb command line option is used, the <code class="filename">named.run</code> file
c9a95767fbf0f5fb0976a06b97a256033925e433rbb is created only after <span><strong class="command">named</strong></span> has
c9a95767fbf0f5fb0976a06b97a256033925e433rbb changed to the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley starting up and still running as root is discarded. If you need
c9a95767fbf0f5fb0976a06b97a256033925e433rbb to capture this output, you must run the server with the "<code class="option">-g</code>"
c9a95767fbf0f5fb0976a06b97a256033925e433rbb option and redirect standard error to a file.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Once a channel is defined, it cannot be redefined. Thus you
c9a95767fbf0f5fb0976a06b97a256033925e433rbb cannot alter the built-in channels directly, but you can modify
27faa3af8a50c1dc2dc6cb3049722378f85e5517rbb the default logging by pointing categories at channels you have
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker There are many categories, so you can send the logs you want
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker to see wherever you want, without seeing logs you don't want. If
 you don't specify a list of channels for a category, then log
 messages in that category will be sent to the <span><strong class="command">default</strong></span> category
c9a95767fbf0f5fb0976a06b97a256033925e433rbb instead. If you don't specify a default category, the following
27faa3af8a50c1dc2dc6cb3049722378f85e5517rbb "default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker As an example, let's say you want to log security events to
 a file, but you also want to keep the default logging behavior. You'd
2fc50921b88defeb7127985dfe4b4130175e069ejwoolley specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Following are the available categories and brief descriptions
c9a95767fbf0f5fb0976a06b97a256033925e433rbb of the types of log information they contain. More
c9a95767fbf0f5fb0976a06b97a256033925e433rbb categories may be added in future <span class="acronym">BIND</span> releases.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb</colgroup>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">default</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The default category defines the logging
c9a95767fbf0f5fb0976a06b97a256033925e433rbb options for those categories where no specific
c9a95767fbf0f5fb0976a06b97a256033925e433rbb configuration has been
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">general</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The catch-all. Many things still aren't
c9a95767fbf0f5fb0976a06b97a256033925e433rbb classified into categories, and they all end up here.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">database</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb Messages relating to the databases used
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb internally by the name server to store zone and cache
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb <p><span><strong class="command">security</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb Approval and denial of requests.
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb <p><span><strong class="command">config</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb Configuration file parsing and processing.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">resolver</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb DNS resolution, such as the recursive
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb lookups performed on behalf of clients by a caching name
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">xfer-in</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb Zone transfers the server is receiving.
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker <p><span><strong class="command">xfer-out</strong></span></p>
6270ac7f45156afd9d798dc28f1c6e1d09e040c1rbb Zone transfers the server is sending.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">notify</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb The NOTIFY protocol.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">client</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Processing of client requests.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">unmatched</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Messages that named was unable to determine the
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker class of or for which there was no matching <span><strong class="command">view</strong></span>.
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
 This category is best sent to a file or stderr; by
 default it is sent to
c9a95767fbf0f5fb0976a06b97a256033925e433rbb the <span><strong class="command">null</strong></span> channel.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">network</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Network operations.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">update</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Dynamic updates.
c9a95767fbf0f5fb0976a06b97a256033925e433rbb <p><span><strong class="command">update-security</strong></span></p>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb Approval and denial of update requests.
2281907b9a2a509aa0eabdc0b1d21424018dbbdfrbb <p><span><strong class="command">queries</strong></span></p>
c0a4d97b84cf7182ed26bcbea856017ed75303afbrianp Specify where queries should be logged to.
 At startup, specifying the category <span><strong class="command">queries</strong></span> will also
 enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
 The query log entry reports the client's IP address and
 port number, and the
 query name, class and type. It also reports whether the
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker Recursion Desired
c9a95767fbf0f5fb0976a06b97a256033925e433rbb flag was set (+ if set, - if not set), EDNS was in use
35a1df8fc13f8a37a4e0964ac81efc3680562e4dstriker (E) or if the
c9a95767fbf0f5fb0976a06b97a256033925e433rbb query was signed (S).
<a name="id2557998"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
<a name="id2558072"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>. There may be multiple
<a name="id2558136"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2558248"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2558263"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
[<span class="optional"> use-additional-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
In <span class="acronym">BIND</span> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US"
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <span class="acronym">BIND</span> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <span class="acronym">BIND</span> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
stacked then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
a random unprivileged port will be used, <span><strong class="command">avoid-v4-udp-ports</strong></span>
quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(<a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>)
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
with the line <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>, where the
<dt><span class="term"><span><strong class="command">use-additional-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="id2566750"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2566800"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2566880"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com zone
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com zone
zone "example.com" {
file "example-external.db";
<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2568250"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM, NET, ORG).
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <span class="acronym">BIND</span> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2573165"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2573294"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2573432"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2573468"></a><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
The <span><strong class="command">$GENERATE</strong></span> directive is a <span class="acronym">BIND</span> extension
<td width="40%" align="left" valign="top">Chapter&nbsp;5.&nbsp;The <span class="acronym">BIND</span> 9 Lightweight Resolver&nbsp;</td>