Bv9ARM.ch06.html revision 035992291cb70ec3be4046fcea921b4a6acb1c77
<!--
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch06.html,v 1.132 2006/03/09 05:04:38 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter&nbsp;6.&nbsp;<span class="acronym">BIND</span> 9 Configuration Reference</th></tr>
<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<span class="acronym">BIND</span> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555141">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555685"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555875"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556235"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556318"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556342"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556363"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556454"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2556648"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557998"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558072"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558136"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558248"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2558263"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566750"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566800"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566880"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2568250"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2570443">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572396">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572948">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573143">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573468"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<p>
 <span class="acronym">BIND</span> 9 configuration is broadly similar
 to <span class="acronym">BIND</span> 8; however, there are a few new
 areas of configuration, such as views. <span class="acronym">BIND</span>
 8 configuration files should work with few alterations in <span class="acronym">BIND</span>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
</p>
<p>
 <span class="acronym">BIND</span> 4 configuration files can be
 converted to the new format
 using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
 Following is a list of elements used throughout the <span class="acronym">BIND</span> configuration
 file documentation:
</p>
<p>
 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.
</p>
<p>
 A list of one or more
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements, see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
</p>
<p>
 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and/or
 A <code class="varname">masters_list</code> may include other
</p>
<p>
 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".
</p>
<p>
 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
</p>
<p>
 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.
</p>
<p>
 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their scope
 zones must be
 disambiguated by an appropriate zone ID with the percent
 character (`%') as delimiter.
 It is strongly recommended to use string zone names rather
 than numeric identifiers, in order to be robust against system
 configuration changes.
 However, since there is no standard mapping for such names
 and identifier values, currently only interface names as link
 identifiers are supported, assuming one-to-one mapping between
 interfaces and links.
 For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
 link attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses always have
 ambiguity, and need to be disambiguated.
</p>
<p>
 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
</p>
<p>
 <code class="varname">number</code> is limited to 0
 through 65535, with values
 below 1024 typically restricted to use by processes running
 In some cases an asterisk (`*') character can be used as a
 placeholder to
 select a random high-numbered port.
</p>
<p>
 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 Trailing zeros in an <code class="varname">ip_addr</code>
 may be omitted.
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
<p>
 A <code class="varname">domain_name</code> representing
 the name of a shared key, to be used for transaction
</p>
<p>
 A list of one or more
 separated by semicolons and ending with a semicolon.
</p>
<p>
 A non-negative 32-bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
</p>
<p>
 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
</p>
<p>
 A number, the word <strong class="userinput"><code>unlimited</code></strong>,
 or the word <strong class="userinput"><code>default</code></strong>.
</p>
<p>
 An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
 use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
 the limit that was in force when the server was started.
</p>
<p>
 A <code class="varname">number</code> can optionally be
 followed by a scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
 which scale by 1024, 1024*1024, and 1024*1024*1024
 respectively.
 The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
 Using <code class="varname">unlimited</code> is the best
 way to safely set a really large number.
</p>
<p>
 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.
</p>
<p>
 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554938"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554966"></a>Definition and Usage</h4></div></div></div>
<p>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements
 which constitute an address match list can be any of the
</p>
<ul>
<li>a key ID, as defined by the <span><strong class="command">key</strong></span></li>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement</li>
<li>a nested address match list enclosed in braces</li>
</ul>
<p>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets" are predefined. More information on those names can be found in
 the description of the acl statement.
</p>
<p>
 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless,
 the term "address match list" is still used throughout the
 documentation.
</p>
<p>
 When a given IP address or prefix is compared to an address
 match list, the list is traversed in order until an element
 The interpretation of a match depends on whether the list is being
 used for access control, defining listen-on ports, or in a sortlist,
 and whether the element was negated.
</p>
<p>
 When used as an access control list, a non-negated match
 allows access and a negated match denies access. If
 there is no match, access is denied. The clauses
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-cache</strong></span>,
 <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">allow-update</strong></span>,
 <span><strong class="command">allow-update-forwarding</strong></span>, and
 <span><strong class="command">blackhole</strong></span> all use address match
 lists. Similarly, the listen-on option will cause the
 server to not accept queries on any of the machine's
 addresses which do not match the list.
</p>
<p>
 Because of the first-match aspect of the algorithm, an element
 that defines a subset of another element in the list should come
 before the broader element, regardless of whether either is
 negated. For example, in
 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
 element is completely useless because the algorithm will match any lookup for
 Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
 that problem by having 1.2.3.13 blocked by the negation but all
 other 1.2.3.* hosts fall through.
</p>
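<p>
 The first-match rule and the ordering pitfall above, as an added example that is not part of the
 BIND documentation or code base: a small evaluator and lint check for access control lists.
 The function names are hypothetical, and the sketch assumes only IPv4 prefix elements plus
 "any" and "none"; key, acl_name and nested elements are not handled.
</p>

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Element(NamedTuple):
    text: str                                # element exactly as written
    negated: bool                            # True when prefixed with '!'
    net: Optional[ipaddress.IPv4Network]     # None for "none" (never matches)


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """Parse an ip_prefix such as '127/8' or '1.2.3/24', or a bare ip4_addr."""
    addr, slash, length = text.partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad address: %r" % text)
    if not all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad octet in: %r" % text)
    if not slash:
        # Without a prefix length the element is an ip4_addr: exactly four octets.
        if len(octets) != 4:
            raise ValueError("bare address needs four octets: %r" % text)
        length = "32"
    # Trailing zero octets may be omitted in a prefix: 127/8 -> 127.0.0.0/8.
    octets = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    # Assumption of this example: prefixes with host bits set are rejected.
    return ipaddress.IPv4Network(".".join(octets) + "/" + length, strict=True)


def parse_list(text: str) -> List[Element]:
    """Split a semicolon-separated list into elements, keeping their order."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        if body == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif body == "none":
            net = None
        else:
            net = parse_prefix(body)
        elements.append(Element(raw, negated, net))
    return elements


def evaluate(elements: List[Element], address: str) -> Tuple[bool, Optional[int]]:
    """Return (allowed, index of deciding element); no match means denied."""
    ip = ipaddress.IPv4Address(address)
    for index, element in enumerate(elements):
        if element.net is not None and ip in element.net:
            # First match decides: non-negated allows, negated denies.
            return (not element.negated, index)
    return (False, None)


def find_shadowed(elements: List[Element]) -> List[Tuple[str, str]]:
    """Report elements that can never decide a lookup because an earlier
    element already covers every address they cover."""
    findings = []
    for j, later in enumerate(elements):
        if later.net is None:
            continue
        for earlier in elements[:j]:
            if earlier.net is not None and later.net.subnet_of(earlier.net):
                findings.append((later.text, earlier.text))
                break
    return findings


if __name__ == "__main__":
    # Constructed inputs: the two orderings discussed in the text.
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        parsed = parse_list(acl)
        print(acl)
        print("  1.2.3.13 allowed:", evaluate(parsed, "1.2.3.13")[0])
        print("  shadowed:", find_shadowed(parsed))
```

<p>
 Running <code>find_shadowed</code> over each ACL before a configuration change is deployed
 flags negated entries that an earlier, broader element has made ineffective.
</p>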
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555141"></a>Comment Syntax</h3></div></div></div>
<p>
 The <span class="acronym">BIND</span> 9 comment syntax allows for
 comments to appear
 anywhere that white space may appear in a <span class="acronym">BIND</span> configuration
 file. To appeal to programmers of all kinds, they can be written
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2555156"></a>Syntax</h4></div></div></div>
<pre class="programlisting">/* This is a <span class="acronym">BIND</span> comment as in C */</pre>
<pre class="programlisting">// This is a <span class="acronym">BIND</span> comment as in C++</pre>
<pre class="programlisting"># This is a <span class="acronym">BIND</span> comment as in common UNIX shells and perl</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2555186"></a>Definition and Usage</h4></div></div></div>
<p>
 Comments may appear anywhere that whitespace may appear in
 a <span class="acronym">BIND</span> configuration file.
</p>
<p>
 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
 a portion of a line or to span multiple lines.
</p>
<p>
 C-style comments cannot be nested. For example, the following
 is not valid because the entire comment ends with the first */:
</p>
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
<p>
 C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
 comment span multiple lines, each line must use the // pair.
 For example:
</p>
<pre class="programlisting">// This is the start of a comment.  The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>
 Shell-style (or perl-style, if you prefer) comments start
 with the character <code class="literal">#</code> (number sign)
 and continue to the end of the
 physical line, as in C++ comments.
 For example:
</p>
<pre class="programlisting"># This is the start of a comment.  The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
 You cannot use the semicolon (`;') character
 to start a comment such as you would in a zone file. The
 semicolon indicates the end of a configuration
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
A <span class="acronym">BIND</span> 9 configuration consists of
statements and comments.
Statements end with a semicolon. Statements and comments are the
only elements that can appear without enclosing braces. Many
statements contain a block of sub-statements, which are also
terminated with a semicolon.
The following statements are supported:
<p><span><strong class="command">acl</strong></span></p>
defines a named IP address
matching list, for access control and other uses.
<p><span><strong class="command">controls</strong></span></p>
declares control channels to be used
by the <span><strong class="command">rndc</strong></span> utility.
<p><span><strong class="command">include</strong></span></p>
includes a file.
<p><span><strong class="command">key</strong></span></p>
specifies key information for use in
authentication and authorization using TSIG.
<p><span><strong class="command">logging</strong></span></p>
specifies what the server logs, and where
the log messages are sent.
<p><span><strong class="command">lwres</strong></span></p>
configures <span><strong class="command">named</strong></span> to
also act as a lightweight resolver daemon (<span><strong class="command">lwresd</strong></span>).
<p><span><strong class="command">masters</strong></span></p>
defines a named masters list for
inclusion in stub and slave zone masters clauses.
<p><span><strong class="command">options</strong></span></p>
controls global server configuration
options and sets defaults for other statements.
<p><span><strong class="command">server</strong></span></p>
sets certain configuration options on
a per-server basis.
<p><span><strong class="command">trusted-keys</strong></span></p>
defines trusted DNSSEC keys.
<p><span><strong class="command">view</strong></span></p>
defines a view.
<p><span><strong class="command">zone</strong></span></p>
defines a zone.
The <span><strong class="command">logging</strong></span> and
<span><strong class="command">options</strong></span> statements may only occur once
per configuration.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555685"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
    address_match_list
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">acl</strong></span> statement assigns a symbolic
name to an address match list. It gets its name from a primary
use of address match lists: Access Control Lists (ACLs).
Note that an address match list's name must be defined
with <span><strong class="command">acl</strong></span> before it can be used
elsewhere; no forward references are allowed.
The following ACLs are built-in:
<p><span><strong class="command">any</strong></span></p>
Matches all hosts.
<p><span><strong class="command">none</strong></span></p>
Matches no hosts.
<p><span><strong class="command">localhost</strong></span></p>
Matches the IPv4 and IPv6 addresses of all network
interfaces on the system.
<p><span><strong class="command">localnets</strong></span></p>
Matches any host on an IPv4 or IPv6 network
for which the system has an interface.
Some systems do not provide a way to determine the prefix
lengths of local IPv6 addresses.
In such a case, <span><strong class="command">localnets</strong></span>
only matches the local
IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555875"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
   [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
                keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ inet ...; ]
   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ unix ...; ]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">controls</strong></span> statement declares control
channels to be used by system administrators to control the
operation of the name server. These control channels are
used by the <span><strong class="command">rndc</strong></span> utility to send
commands to and retrieve non-DNS results from a name server.
An <span><strong class="command">inet</strong></span> control channel is a TCP socket
listening at the specified <span><strong class="command">ip_port</strong></span> on the
specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
If you will only use <span><strong class="command">rndc</strong></span> on the local host,
using the loopback address (<code class="literal">127.0.0.1</code>
or <code class="literal">::1</code>) is recommended for maximum security.
If no port is specified, port 953 is used.
"<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
The ability to issue commands over the control channel is
restricted by the <span><strong class="command">allow</strong></span> and
<span><strong class="command">keys</strong></span> clauses.
Connections to the control channel are permitted based on the
<span><strong class="command">address_match_list</strong></span>. This is for simple
IP address based filtering only; any <span><strong class="command">key_id</strong></span>
elements of the <span><strong class="command">address_match_list</strong></span>
are ignored.
A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
socket listening at the specified path in the file system.
Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
<span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
Note that on some platforms (SunOS and Solaris) the permissions
(<span><strong class="command">perm</strong></span>) are applied to the parent directory,
as the permissions on the socket itself are ignored.
The primary authorization mechanism of the command
channel is the <span><strong class="command">key_list</strong></span>, which
contains a list of <span><strong class="command">key_id</strong></span>s.
Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
is authorized to execute commands over the control channel.
See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
for information about configuring keys in <span><strong class="command">rndc</strong></span>.
If no <span><strong class="command">controls</strong></span> statement is present,
<span><strong class="command">named</strong></span> will set up a default
control channel listening on the loopback address 127.0.0.1
and its IPv6 counterpart ::1.
In this case, and also when the <span><strong class="command">controls</strong></span> statement
is present but does not have a <span><strong class="command">keys</strong></span> clause,
<span><strong class="command">named</strong></span> will attempt to load the command channel key
from the file <code class="filename">rndc.key</code> in
<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
was specified as when <span class="acronym">BIND</span> was built).
To create a <code class="filename">rndc.key</code> file, run
<strong class="userinput"><code>rndc-confgen -a</code></strong>.
The <code class="filename">rndc.key</code> feature was created to
ease the transition of systems from <span class="acronym">BIND</span> 8,
which did not have digital signatures on its command channel
messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
It makes it possible to use an existing <span class="acronym">BIND</span> 8
configuration file in <span class="acronym">BIND</span> 9 unchanged,
and still have <span><strong class="command">rndc</strong></span> work the same way
<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
Since the <code class="filename">rndc.key</code> feature
is only intended to allow the backward-compatible usage of
<span class="acronym">BIND</span> 8 configuration files, this
feature does not have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a
<code class="filename">rndc.conf</code> with your own key if you
wish to change those things. The <code class="filename">rndc.key</code> file
also has its permissions set such that only the owner of the file (the user that
<span><strong class="command">named</strong></span> is running as) can access it.
If you desire greater flexibility in allowing other users to access
<span><strong class="command">rndc</strong></span> commands, then you need to create
<code class="filename">rndc.conf</code> and make it group
readable by a group
that contains the users who should have access.
To disable the command channel, use an empty
<span><strong class="command">controls</strong></span> statement:
<span><strong class="command">controls { };</strong></span>.
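The rules in this section can be checked mechanically. The Python script below is an added example, not part of BIND or of this manual: it strips the three comment styles, finds each controls statement, and reports wildcard listeners, allow lists containing any or key elements, channels without a keys clause, and unix sockets whose perm grants access to other users. The sample configuration, its paths and key name, and the rule that perm is read like a C integer literal are assumptions.

```python
import re

# Quoted strings are matched first so comment markers inside them are kept.
_LEX = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

# Constructed sample: the paths, key name and addresses are illustrative only.
SAMPLE = """
// constructed sample configuration
include "/etc/named/rndc.key";   # hypothetical path; defines key "rndc-key"
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; }; /* ok */
    inet * allow { any; key "rndc-key"; };
    unix "/var/run/named#ctl" perm 0666 owner 0 group 0 keys { "rndc-key"; };
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments; a /* */ comment ends at the first */."""
    return _LEX.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def _close(tokens, i):
    """Index of the '}' that matches the '{' at tokens[i]."""
    depth = 0
    for j in range(i, len(tokens)):
        depth += (tokens[j] == "{") - (tokens[j] == "}")
        if depth == 0:
            return j
    raise ValueError("unbalanced braces")

def _statements(body):
    """Split the tokens inside controls { ... } into one list per channel."""
    stmt, depth = [], 0
    for tok in body:
        depth += (tok == "{") - (tok == "}")
        if tok == ";" and depth == 0:
            if stmt:
                yield stmt
            stmt = []
        else:
            stmt.append(tok)

def _clause(stmt, keyword):
    """Items of `keyword { ... }` in one channel statement; None if absent."""
    if keyword not in stmt:
        return None
    start = stmt.index(keyword) + 1
    if stmt[start:start + 1] != ["{"]:
        return []
    body = stmt[start + 1:_close(stmt, start)]
    return [t for t in body if t not in ("{", "}", ";")]

def _number(tok):
    """Assumption: perm is read like a C integer literal (leading 0 = octal)."""
    return int(tok, 8) if tok.startswith("0") else int(tok)

def _audit_channel(stmt):
    """Findings for one inet or unix channel (its tokens, without the final ';')."""
    kind, target = stmt[0], stmt[1].strip('"')
    label, out = f"{kind} {target}", []
    if _clause(stmt, "keys") is None:
        out.append(f"{label}: no keys clause, named falls back to rndc.key")
    if kind == "inet":
        allow = _clause(stmt, "allow") or []
        if target in ("*", "::"):
            out.append(f"{label}: wildcard listener; use 127.0.0.1 or ::1 for local rndc")
        if "any" in allow:
            out.append(f"{label}: allow any, so only the keys clause restricts access")
        if "key" in allow:
            out.append(f"{label}: key_id elements in allow are ignored")
    elif kind == "unix" and "perm" in stmt[:-1]:
        perm = _number(stmt[stmt.index("perm") + 1])
        if perm & 0o007:
            out.append(f"{label}: perm {perm:04o} opens the socket to all local users")
    return out

def audit_controls(conf_text):
    """Return findings for every top-level controls statement in conf_text."""
    stripped = strip_comments(conf_text)
    tokens, findings, depth, seen, i = _TOKEN.findall(stripped), [], 0, False, 0
    if "*/" in re.sub(r'"[^"]*"', "", stripped):
        findings.append("stray */ found: C-style comments do not nest")
    while i < len(tokens):
        tok = tokens[i]
        if depth == 0 and tok == "controls" and tokens[i + 1:i + 2] == ["{"]:
            seen = True
            end = _close(tokens, i + 1)
            channels = list(_statements(tokens[i + 2:end]))
            if not channels:
                findings.append("command channel disabled (empty controls statement)")
            for stmt in channels:
                findings.extend(_audit_channel(stmt))
            i = end + 1
            continue
        depth += (tok == "{") - (tok == "}")
        i += 1
    if not seen:
        findings.append("no controls statement: default channel on 127.0.0.1 "
                        "and ::1, key read from rndc.key")
    return findings
```

Calling audit_controls(SAMPLE) reports nothing for the loopback channel, four findings for the wildcard inet channel and one for the unix socket.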
<div class="titlepage"><div><div><h3 class="title">
<a name="id2556235"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2556318"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">include</strong></span> statement inserts the
specified file at the point where the <span><strong class="command">include</strong></span>
statement is encountered. The <span><strong class="command">include</strong></span>
statement facilitates the administration of configuration files
by permitting the reading or writing of some things but not
others. For example, the statement could include private keys
that are readable only by the name server.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2556342"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
    algorithm <em class="replaceable"><code>string</code></em>;
    secret <em class="replaceable"><code>string</code></em>;
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2556363"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
or the command channel
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>).
The <span><strong class="command">key</strong></span> statement can occur at the top level
of the configuration file or inside a <span><strong class="command">view</strong></span>
statement. Keys defined in top-level <span><strong class="command">key</strong></span>
statements can be used in all views. Keys intended for use in
a <span><strong class="command">controls</strong></span> statement
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>)
must be defined at the top level.
The <em class="replaceable"><code>key_id</code></em>, also known as the
key name, is a domain name uniquely identifying the key. It can
be used in a <span><strong class="command">server</strong></span>
statement to cause requests sent to that
server to be signed with this key, or in address match lists to
verify that incoming requests have been signed with a key
matching this name, algorithm, and secret.
The <em class="replaceable"><code>algorithm_id</code></em> is a string
that specifies a security/authentication algorithm. Named supports
<code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
and <code class="literal">hmac-sha512</code> TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceded by a dash, e.g.
<em class="replaceable"><code>secret_string</code></em> is the secret
to be used by the algorithm, and is treated as a base-64
encoded string.
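An added example, not taken from BIND or from this manual: Python that builds a key statement with a random secret as long as the chosen HMAC output, and checks existing key statements for an unsupported algorithm, an out-of-range truncation length, a secret that is not base-64, or a secret shorter than the digest. The truncation floor (at least 80 bits and half the digest, from RFC 4635), the short-secret check and the sample key names are assumptions introduced here; hmac-md5 is listed because named also accepts it.

```python
import base64
import re
import secrets

# HMAC output sizes in bits. hmac-md5 is listed because named also accepts it.
DIGEST_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
               "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}

# Matches: key key_id { algorithm string; secret "string"; };
_KEY = re.compile(r'\bkey\s+"?([^\s"{]+)"?\s*\{\s*algorithm\s+"?([^\s";]+)"?\s*;'
                  r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')


def split_algorithm(algorithm):
    """Return (base, truncation_bits or None); base is None if unsupported."""
    algorithm = algorithm.lower()
    if algorithm in DIGEST_BITS:
        return algorithm, None
    base, _, bits = algorithm.rpartition("-")
    if base in DIGEST_BITS and bits.isdigit():
        return base, int(bits)
    return None, None


def make_key_statement(key_id, algorithm="hmac-sha256"):
    """Build a key statement whose random secret is as long as the HMAC output."""
    base, _ = split_algorithm(algorithm)
    if base is None:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    secret = base64.b64encode(secrets.token_bytes(DIGEST_BITS[base] // 8))
    return (f'key "{key_id}" {{\n    algorithm {algorithm};\n'
            f'    secret "{secret.decode()}";\n}};\n')


def check_key_statements(conf_text):
    """Return findings for each key statement in comment-free configuration text."""
    findings = []
    for key_id, algorithm, secret in _KEY.findall(conf_text):
        base, bits = split_algorithm(algorithm)
        if base is None:
            findings.append(f"{key_id}: unsupported algorithm {algorithm}")
            continue
        full = DIGEST_BITS[base]
        # Assumed floor from RFC 4635: at least 80 bits and half the digest.
        if bits is not None and not max(80, full // 2) <= bits <= full:
            findings.append(f"{key_id}: truncation to {bits} bits is out of range")
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"{key_id}: secret is not valid base-64")
            continue
        if len(raw) * 8 < full:
            findings.append(f"{key_id}: {len(raw) * 8}-bit secret is shorter "
                            f"than the {full}-bit {base} output")
    return findings


if __name__ == "__main__":
    # Constructed key name; the secret is freshly generated on every run.
    statement = make_key_statement("xfer.example.", "hmac-sha256-128")
    print(statement, check_key_statements(statement))
```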
<div class="titlepage"><div><div><h3 class="title">
<a name="id2556454"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
};
</pre>
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk<div class="titlepage"><div><div><h3 class="title">
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk<a name="id2556648"></a><span><strong class="command">logging</strong></span> Statement Definition and
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk The <span><strong class="command">logging</strong></span> statement configures a
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk associates output methods, format options and severity levels with
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk a name that can then be used with the <span><strong class="command">category</strong></span> phrase
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk to select how various classes of messages are logged.
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk Only one <span><strong class="command">logging</strong></span> statement is used to
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk the logging configuration will be:
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk category default { default_syslog; default_debug; };
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk category unmatched { null; };
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk In <span class="acronym">BIND</span> 9, the logging configuration
dff2cc5646d4437ab9e0cb1dcb59da65462a5938jeff.schenk is only established when
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk the entire configuration file has been parsed. In <span class="acronym">BIND</span> 8, it was
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk established as soon as the <span><strong class="command">logging</strong></span>
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk was parsed. When the server is starting up, all logging messages
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk regarding syntax errors in the configuration file go to the default
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk channels, or to standard error if the "<code class="option">-g</code>" option
5b64d5d44892834ba97f003080f3467299b7c5c5jeff.schenk was specified.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2556700"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the
category name
and/or severity level (the default is not to include any).
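The channel clauses described above, combined into one logging statement that keeps an audit trail of request approvals and denials. This is an added example, not configuration from the manual: the channel names and the file name are hypothetical, and it assumes the standard BIND 9 categories security and client.

```conf
// Added example. Channel names (audit_file, audit_syslog) and the file
// name "audit.log" are hypothetical.
logging {
    // File destination. "versions 3" keeps three rotated copies, so
    // reaching the 20m size limit rolls the file instead of making
    // named stop writing to it.
    channel audit_file {
        file "audit.log" versions 3 size 20m;
        severity info;        // the default, stated explicitly
        print-time yes;       // named-generated time stamp
        print-category yes;   // category name on every line
        print-severity yes;   // severity level on every line
    };

    // Syslog destination. syslog.conf must pass local0.warning or
    // better, otherwise syslogd drops what named sends here.
    channel audit_syslog {
        syslog local0;
        severity warning;
    };

    // Approved and denied requests go to both destinations; client
    // request processing goes to the file only.
    category security { audit_file; audit_syslog; };
    category client   { audit_file; };

    // Same routing named uses when no logging statement is present.
    category default   { default_syslog; default_debug; };
    category unmatched { null; };
};
```

Run named-checkconf against the file before reloading; since BIND 9 only establishes the logging configuration after the whole file has parsed, a syntax error is reported on the default channels rather than the ones defined here.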
growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
file "example.log" versions 3 size 20m;
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
// of "named.run"
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
<a name="id2557998"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
<a name="id2558072"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>. There may be multiple
<a name="id2558136"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2558248"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2558263"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
[<span class="optional"> use-additional-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
In <span class="acronym">BIND</span> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US"
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <span class="acronym">BIND</span> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <span class="acronym">BIND</span> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
stacked then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
a random unprivileged port will be used, <span><strong class="command">avoid-v4-udp-ports</strong></span>
quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(<a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>)
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
with the line <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>, where the
<dt><span class="term"><span><strong class="command">use-additional-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="id2566750"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2566800"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2566880"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com zone
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com zone
zone "example.com" {
file "example-external.db";
<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2568250"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM, NET, ORG).
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <span class="acronym">BIND</span> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2573165"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2573294"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2573432"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2573468"></a><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
The <span><strong class="command">$GENERATE</strong></span> directive is a <span class="acronym">BIND</span> extension