Bv9ARM.ch06.html revision 44d0f0256fbdce130a18655023c3b06bacacbd61
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.253 2010/02/04 01:14:16 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
</colgroup>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
A <code class="varname">masters_list</code> may include other
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
A list of one or more <code class="varname">domain_name</code>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
An IP port <code class="varname">number</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
the name of a shared key, to be used for transaction
A list of one or more
separated by semicolons and ending with a semicolon.
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
A list of an <code class="varname">ip_port</code> or a port
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_low</code> must not be larger than
For example,
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best
to safely set a really large number.
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<a name="id2573671"></a>Definition and Usage</h4></div></div></div>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.
When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.
The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
Order of insertion is significant. If more than one element
in an ACL is found to match a given IP address or prefix,
preference will be given to the one that came
<span class="emphasis"><em>first</em></span> in the ACL definition.
Because of this first-match behavior, an element that
defines a subset of another element in the list should
come before the broader element, regardless of whether
either is negated. For example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
the 1.2.3.13 element is completely useless because the
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation, but
all other 1.2.3.* hosts fall through.
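The first-match rule described above, as an added example that is not part of the BIND manual or the BIND source: a small model of ACL evaluation plus a check that reports elements shadowed by an earlier, broader element. The function names are hypothetical, and only ip_addr and ip_prefix elements and the names "any" and "none" are modelled; keys, ACL names, nested lists, "localhost" and "localnets" are rejected.

```python
import ipaddress

# "any" matches every IPv4 and IPv6 address; "none" matches nothing.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_prefix(text):
    """Parse an ip_addr or ip_prefix; trailing zero octets may be omitted (127/8)."""
    addr, slash, length = text.partition("/")
    if ":" in addr:  # IPv6 has no octet shorthand
        return ipaddress.ip_network(text if slash else addr + "/128")
    octets = addr.split(".")
    # A bare ip4_addr needs exactly four elements; only prefixes may be shortened.
    if len(octets) > 4 or (not slash and len(octets) != 4):
        raise ValueError(f"not an ip_addr or ip_prefix: {text!r}")
    octets += ["0"] * (4 - len(octets))
    # ip_network() raises ValueError if host bits are set below the prefix length.
    return ipaddress.ip_network(".".join(octets) + "/" + (length if slash else "32"))


def parse_acl(text):
    """Split 'elem; ! elem; ...' into (negated, networks, original_text) tuples."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        if body == "any":
            nets = ANY
        elif body == "none":
            nets = []
        else:
            nets = [parse_prefix(body)]
        elements.append((negated, nets, raw))
    return elements


def check_access(acl, client):
    """Return (allowed, matching_element). The first match wins; no match denies."""
    addr = ipaddress.ip_address(client)
    for negated, nets, raw in acl:
        if any(addr.version == n.version and addr in n for n in nets):
            return (not negated, raw)
    return (False, None)


def find_shadowed(acl):
    """Return (element, earlier_element) pairs where element can never be reached."""
    findings = []
    for j, (_, nets, raw) in enumerate(acl):
        for _, earlier_nets, earlier_raw in acl[:j]:
            covered = nets and all(
                any(n.version == e.version and n.subnet_of(e) for e in earlier_nets)
                for n in nets
            )
            if covered:
                findings.append((raw, earlier_raw))
                break
    return findings


if __name__ == "__main__":
    # The two orderings discussed in the text above.
    for source in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        acl = parse_acl(source)
        print(source)
        for client in ("1.2.3.13", "1.2.3.14", "10.0.0.1"):
            print("   ", client, check_access(acl, client))
        print("    shadowed:", find_shadowed(acl))
```

Running the shadowing check over every ACL before a configuration change is deployed catches a negation placed after the broader element it was meant to carve an exception from.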
3db3f65c6274eb042354801a308c8e9bc4994553amw<a name="id2573945"></a>Comment Syntax</h3></div></div></div>
3db3f65c6274eb042354801a308c8e9bc4994553amw The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego comments to appear
3db3f65c6274eb042354801a308c8e9bc4994553amw anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
2c2961f8403049d948b9f3e6c35d6488b6b7e1aajose borrego file. To appeal to programmers of all kinds, they can be written
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
a90cf9f29973990687fa61de9f1f6ea22e924e40Gordon Ross<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
a90cf9f29973990687fa61de9f1f6ea22e924e40Gordon Ross<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
a90cf9f29973990687fa61de9f1f6ea22e924e40Gordon Ross# and perl</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573990"></a>Definition and Usage</h4></div></div></div>
<p>
 Comments may appear anywhere that whitespace may appear in
 a <acronym class="acronym">BIND</acronym> configuration file.
</p>
<p>
 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
 a portion of a line or to span multiple lines.
</p>
<p>
 C-style comments cannot be nested. For example, the following
 is not valid because the entire comment ends with the first */:
</p>
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
<p>
 C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
 comment span multiple lines, each line must use the // pair.
 For example:
</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>
 Shell-style (or perl-style, if you prefer) comments start
 with the character <code class="literal">#</code> (number sign)
 and continue to the end of the
 physical line, as in C++ comments.
 For example:
</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
 You cannot use the semicolon (`;') character
 to start a comment such as you would in a zone file. The
 semicolon indicates the end of a configuration
 statement.
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
<p>
 A <acronym class="acronym">BIND</acronym> 9 configuration consists of
 statements and comments.
 Statements end with a semicolon. Statements and comments are the
 only elements that can appear without enclosing braces. Many
 statements contain a block of sub-statements, which are also
 terminated with a semicolon.
</p>
<p>
 The following statements are supported:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td><p><span><strong class="command">acl</strong></span></p></td>
<td><p>defines a named IP address
 matching list, for access control and other uses.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">controls</strong></span></p></td>
<td><p>declares control channels to be used
 by the <span><strong class="command">rndc</strong></span> utility.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">include</strong></span></p></td>
<td><p>includes a file.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">key</strong></span></p></td>
<td><p>specifies key information for use in
 authentication and authorization using TSIG.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">logging</strong></span></p></td>
<td><p>specifies what the server logs, and where
 the log messages are sent.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">lwres</strong></span></p></td>
<td><p>configures <span><strong class="command">named</strong></span> to
 also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
</tr>
<tr>
<td><p><span><strong class="command">masters</strong></span></p></td>
<td><p>defines a named masters list for
 inclusion in stub and slave zone masters clauses.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">options</strong></span></p></td>
<td><p>controls global server configuration
 options and sets defaults for other statements.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">server</strong></span></p></td>
<td><p>sets certain configuration options on
 a per-server basis.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">statistics-channels</strong></span></p></td>
<td><p>declares communication channels to get access to
 <span><strong class="command">named</strong></span> statistics.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
<td><p>defines trusted DNSSEC keys.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">managed-keys</strong></span></p></td>
<td><p>lists DNSSEC keys to be kept up to date
 using RFC 5011 trust anchor maintenance.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">view</strong></span></p></td>
<td><p>defines a view.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">zone</strong></span></p></td>
<td><p>defines a zone.</p></td>
</tr>
</tbody>
</table></div>
<p>
 The <span><strong class="command">logging</strong></span> and
 <span><strong class="command">options</strong></span> statements may only occur once
 per configuration.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574531"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
    address_match_list
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
 Usage</h3></div></div></div>
<p>
 The <span><strong class="command">acl</strong></span> statement assigns a symbolic
 name to an address match list. It gets its name from a primary
 use of address match lists: Access Control Lists (ACLs).
</p>
<p>
 Note that an address match list's name must be defined
 with <span><strong class="command">acl</strong></span> before it can be used
 elsewhere; no forward references are allowed.
</p>
<p>
 The following ACLs are built-in:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td><p><span><strong class="command">any</strong></span></p></td>
<td><p>Matches all hosts.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">none</strong></span></p></td>
<td><p>Matches no hosts.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">localhost</strong></span></p></td>
<td><p>Matches the IPv4 and IPv6 addresses of all network
 interfaces on the system.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">localnets</strong></span></p></td>
<td><p>Matches any host on an IPv4 or IPv6 network
 for which the system has an interface.
 Some systems do not provide a way to determine the prefix
 lengths of local IPv6 addresses.
 In such a case, <span><strong class="command">localnets</strong></span>
 only matches the local
 IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.</p></td>
</tr>
</tbody>
</table></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574789"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
   [ inet ( ip_addr | * ) [ port ip_port ]
                allow { <em class="replaceable"><code> address_match_list </code></em> }
                keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ inet ...; ]
   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
     keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ unix ...; ]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
 Usage</h3></div></div></div>
<p>
 The <span><strong class="command">controls</strong></span> statement declares control
 channels to be used by system administrators to control the
 operation of the name server. These control channels are
 used by the <span><strong class="command">rndc</strong></span> utility to send
 commands to and retrieve non-DNS results from a name server.
</p>
<p>
 An <span><strong class="command">inet</strong></span> control channel is a TCP socket
 listening at the specified <span><strong class="command">ip_port</strong></span> on the
 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
 interpreted as the IPv4 wildcard address; connections will be
 accepted on any of the system's IPv4 addresses.
 To listen on the IPv6 wildcard address,
 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
 If you will only use <span><strong class="command">rndc</strong></span> on the local host,
 using the loopback address (<code class="literal">127.0.0.1</code>
 or <code class="literal">::1</code>) is recommended for maximum security.
</p>
<p>
 If no port is specified, port 953 is used. The asterisk
 "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
</p>
<p>
 The ability to issue commands over the control channel is
 restricted by the <span><strong class="command">allow</strong></span> and
 <span><strong class="command">keys</strong></span> clauses.
 Connections to the control channel are permitted based on the
 <span><strong class="command">address_match_list</strong></span>. This is for simple
 IP address based filtering only; any <span><strong class="command">key_id</strong></span>
 elements of the <span><strong class="command">address_match_list</strong></span>
 are ignored.
</p>
<p>
 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
 socket listening at the specified path in the file system.
 Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
 Note that on some platforms (SunOS and Solaris) the permissions
 (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
 as the permissions on the socket itself are ignored.
</p>
<p>
 The primary authorization mechanism of the command
 channel is the <span><strong class="command">key_list</strong></span>, which
 contains a list of <span><strong class="command">key_id</strong></span>s.
 Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
 is authorized to execute commands over the control channel.
 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> (in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>)
 for information about configuring keys in <span><strong class="command">rndc</strong></span>.
</p>
<p>
 If no <span><strong class="command">controls</strong></span> statement is present,
 <span><strong class="command">named</strong></span> will set up a default
 control channel listening on the loopback address 127.0.0.1
 and its IPv6 counterpart ::1.
 In this case, and also when the <span><strong class="command">controls</strong></span> statement
 is present but does not have a <span><strong class="command">keys</strong></span> clause,
 <span><strong class="command">named</strong></span> will attempt to load the command channel key
 from the file <code class="filename">rndc.key</code> in
 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
 was specified as when <acronym class="acronym">BIND</acronym> was built).
 To create a <code class="filename">rndc.key</code> file, run
 <strong class="userinput"><code>rndc-confgen -a</code></strong>.
</p>
<p>
 The <code class="filename">rndc.key</code> feature was created to
 ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
 which did not have digital signatures on its command channel
 messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
 It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
 and still have <span><strong class="command">rndc</strong></span> work the same way
 <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
 command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
 installed.
</p>
<p>
 Since the <code class="filename">rndc.key</code> feature
 is only intended to allow the backward-compatible usage of
 <acronym class="acronym">BIND</acronym> 8 configuration files, this
 feature does not
 have a high degree of configurability. You cannot easily change
 the key name or the size of the secret, so you should make a
 <code class="filename">rndc.conf</code> with your own key if you
 wish to change
 those things. The <code class="filename">rndc.key</code> file
 also has its
 permissions set such that only the owner of the file (the user that
 <span><strong class="command">named</strong></span> is running as) can access it.
 If you
 desire greater flexibility in allowing other users to access
 <span><strong class="command">rndc</strong></span> commands, then you need to create
 a <code class="filename">rndc.conf</code> file and make it group
 readable by a group
 that contains the users who should have access.
</p>
<p>
 To disable the command channel, use an empty
 <span><strong class="command">controls</strong></span> statement:
 <span><strong class="command">controls { };</strong></span>.
</p>
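<p>The comment rules and the <span><strong class="command">controls</strong></span> access clauses described above can be checked mechanically. The following Python sketch is an added example, not part of the BIND documentation or ISC's code: it strips the three comment styles, then reports <span><strong class="command">inet</strong></span> channels that listen on a wildcard or non-loopback address, allow <code class="literal">any</code>, or lack a <span><strong class="command">keys</strong></span> clause. The function names and the sample configuration are constructed for illustration, and the parsing assumes no escaped quotes and no nested braces inside <span><strong class="command">allow</strong></span>.</p>

```python
import re

LOOPBACK = {"127.0.0.1", "::1"}

def strip_comments(text):
    """Drop /* */, // and # comments as the configuration grammar defines them."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # quoted string: copy untouched
            j = text.find('"', i + 1)
            j = n - 1 if j == -1 else j
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):          # ends at the FIRST */, no nesting
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            out.append(" ")
        elif text.startswith("//", i) or text[i] == "#":   # runs to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def controls_body(conf):
    """Return the text inside the first controls { ... }, or None if absent."""
    m = re.search(r"(?<![\w-])controls\s*\{", conf)
    if not m:
        return None
    depth = 1
    for k in range(m.end(), len(conf)):
        if conf[k] == "{":
            depth += 1
        elif conf[k] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():k]
    raise ValueError("unterminated controls statement")

def split_clauses(body):
    """Split on semicolons that are not inside braces."""
    clauses, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                clauses.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return clauses

def audit_controls(named_conf):
    """Return a list of findings for the inet control channels."""
    body = controls_body(strip_comments(named_conf))
    if body is None:
        return ["no controls statement: default loopback channel, key from rndc.key"]
    clauses = split_clauses(body)
    if not clauses:
        return ["command channel disabled (empty controls statement)"]
    findings = []
    for clause in clauses:
        m = re.match(r"inet\s+(\S+)", clause)
        if not m:
            continue        # unix channels rely on perm/owner/group; not audited here
        addr = m.group(1)
        allow = re.search(r"\ballow\s*\{([^}]*)\}", clause)
        keys = re.search(r"\bkeys\s*\{([^}]*)\}", clause)
        if addr in ("*", "::"):
            findings.append(f"inet {addr}: listens on a wildcard address")
        elif addr not in LOOPBACK:
            findings.append(f"inet {addr}: not a loopback address")
        entries = allow.group(1).split(";") if allow else []
        if any(e.strip() == "any" for e in entries):
            findings.append(f"inet {addr}: allow {{ any; }} applies no IP address filtering")
        if keys is None:
            findings.append(f"inet {addr}: no keys clause, named falls back to the rndc.key file")
    return findings

# Constructed sample configuration (addresses, key name and secret are made up).
SAMPLE = '''
key "rndc-key" { algorithm hmac-sha256; secret "c2FtcGxlLXNlY3JldA=="; };  # constructed
/* old channel, disabled:
controls { inet * allow { any; }; };
*/
controls {
    inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
    // inet :: allow { any; } keys { "rndc-key"; };
    inet * allow { any; };
    inet 192.0.2.10 allow { 192.0.2.0/24; } keys { "rndc-key"; };
};
'''

if __name__ == "__main__":
    for finding in audit_controls(SAMPLE):
        print(finding)
```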
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575148"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575165"></a><span><strong class="command">include</strong></span> Statement Definition and
 Usage</h3></div></div></div>
<p>
 The <span><strong class="command">include</strong></span> statement inserts the
 specified file at the point where the <span><strong class="command">include</strong></span>
 statement is encountered. The <span><strong class="command">include</strong></span>
 statement facilitates the administration of configuration
 files
 by permitting the reading or writing of some things but not
 others. For example, the statement could include private keys
 that are readable only by the name server.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575189"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
    algorithm <em class="replaceable"><code>string</code></em>;
    secret <em class="replaceable"><code>string</code></em>;
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575212"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
 The <span><strong class="command">key</strong></span> statement defines a shared
 secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
 or the command channel
 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
 Usage”</a>).
</p>
<p>
 The <span><strong class="command">key</strong></span> statement can occur at the
 top level
 of the configuration file or inside a <span><strong class="command">view</strong></span>
 statement. Keys defined in top-level <span><strong class="command">key</strong></span>
 statements can be used in all views. Keys intended for use in
 a <span><strong class="command">controls</strong></span> statement
 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
 Usage”</a>)
 must be defined at the top level.
</p>
<p>
 The <em class="replaceable"><code>key_id</code></em>, also known as the
 key name, is a domain name uniquely identifying the key. It can
 be used in a <span><strong class="command">server</strong></span>
 statement to cause requests sent to that
 server to be signed with this key, or in address match lists to
 verify that incoming requests have been signed with a key
 matching this name, algorithm, and secret.
</p>
<p>
 The <em class="replaceable"><code>algorithm_id</code></em> is a string
 that specifies a security/authentication algorithm. Named
 supports
 <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
 <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
 and <code class="literal">hmac-sha512</code> TSIG authentication.
 Truncated hashes are supported by appending the minimum
 number of required bits preceded by a dash, e.g.
 <code class="literal">hmac-sha1-80</code>. The
 <em class="replaceable"><code>secret_string</code></em> is the secret
 to be used by the algorithm, and is treated as a base-64
 encoded string.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575303"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
   ...
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575429"></a><span><strong class="command">logging</strong></span> Statement Definition and
 Usage</h3></div></div></div>
<p>
 The <span><strong class="command">logging</strong></span> statement configures a
 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
 associates output methods, format options and severity levels with
 a name that can then be used with the <span><strong class="command">category</strong></span> phrase
 to select how various classes of messages are logged.
</p>
<p>
 Only one <span><strong class="command">logging</strong></span> statement is used to
 define
 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
 the logging configuration will be:
</p>
<pre class="programlisting">logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};
</pre>
<p>
 In <acronym class="acronym">BIND</acronym> 9, the logging configuration
 is only established when
 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
 established as soon as the <span><strong class="command">logging</strong></span>
 statement
 was parsed. When the server is starting up, all logging messages
 regarding syntax errors in the configuration file go to the default
 channels, or to standard error if the "<code class="option">-g</code>" option
 was specified.
</p>
3db3f65c6274eb042354801a308c8e9bc4994553amw<a name="id2575481"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
3db3f65c6274eb042354801a308c8e9bc4994553amw All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
3db3f65c6274eb042354801a308c8e9bc4994553amw you can make as many of them as you want.
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw Every channel definition must include a destination clause that
3db3f65c6274eb042354801a308c8e9bc4994553amw says whether messages selected for the channel go to a file, to a
3db3f65c6274eb042354801a308c8e9bc4994553amw particular syslog facility, to the standard error stream, or are
3db3f65c6274eb042354801a308c8e9bc4994553amw discarded. It can optionally also limit the message severity level
3db3f65c6274eb042354801a308c8e9bc4994553amw that will be accepted by the channel (the default is
da6c28aaf62fa55f0fdb8004aa40f88f23bf53f0amw <span><strong class="command">info</strong></span>), and whether to include a
3db3f65c6274eb042354801a308c8e9bc4994553amw <span><strong class="command">named</strong></span>-generated time stamp, the
3db3f65c6274eb042354801a308c8e9bc4994553amw category name
3db3f65c6274eb042354801a308c8e9bc4994553amw and/or severity level (the default is not to include any).
<p>The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.</p>
<p>The <span><strong class="command">file</strong></span> destination clause directs
the channel to a disk file. It can include limitations
both on how large the file is allowed to become, and how many versions
of the file will be saved each time the file is opened.</p>
<p>If you use the <span><strong class="command">versions</strong></span> log file
option, then <span><strong class="command">named</strong></span> will retain that many backup
versions of the file by renaming them when opening. For example, if you choose to keep
three old versions of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to
not limit the number of versions.</p>
<p>If a <span><strong class="command">size</strong></span> option is associated with
the log file, then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any
log file is simply appended.</p>
<p>The <span><strong class="command">size</strong></span> option for files is used
to limit log growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are renamed as
described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log until some out-of-band mechanism removes or truncates the log to
less than the maximum size. The default behavior is not to limit the size of
the file.</p>
<p>Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:</p>
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
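<p>The rotation and size rules above, modelled as an added example (not code from BIND or from this manual). An in-memory dictionary stands in for the log directory, sizes are in bytes, and the names <code>FileChannel</code> and <code>fill</code> are assumptions. It shows the case worth monitoring for: with <span><strong class="command">size</strong></span> but no <span><strong class="command">versions</strong></span>, messages are silently lost once the limit is passed.</p>

```python
"""Added model of the `versions` / `size` rules for file channels (not BIND code)."""


class FileChannel:
    def __init__(self, name, versions=0, size=None):
        self.name = name          # live log file, e.g. "lamers.log"
        self.versions = versions  # 0 = no backups (the default), an int, or "unlimited"
        self.size = size          # byte limit; None = unlimited (the default)
        self.fs = {}              # filename -> lines; constructed stand-in for the disk
        self.dropped = 0          # messages lost while the file was over `size`

    def _bytes(self):
        return sum(len(line) + 1 for line in self.fs.get(self.name, []))

    def _roll(self):
        if self.versions == "unlimited":
            keep = sum(f.startswith(self.name + ".") for f in self.fs) + 1
        else:
            keep = self.versions
        # Shift the oldest backup first (.1 -> .2, then .0 -> .1) so nothing is
        # clobbered; whatever held the highest number is overwritten and lost.
        for i in range(keep - 1, 0, -1):
            older = f"{self.name}.{i - 1}"
            if older in self.fs:
                self.fs[f"{self.name}.{i}"] = self.fs.pop(older)
        if self.name in self.fs:
            self.fs[f"{self.name}.0"] = self.fs.pop(self.name)

    def open(self):
        """named opens the file: roll first if `versions` (and `size`) say so."""
        if self.versions and self.name in self.fs:
            if self.size is None or self._bytes() > self.size:
                self._roll()
        self.fs.setdefault(self.name, [])

    def write(self, line):
        """Append one message; return False if it was discarded."""
        if self.name not in self.fs:
            self.open()
        if self.size is not None and self._bytes() > self.size:
            if not self.versions:
                self.dropped += 1   # no `versions`: writing stops until truncated
                return False
            self._roll()            # with `versions`: roll and begin a new file
            self.fs[self.name] = []
        self.fs[self.name].append(line)
        return True


def fill(channel, count=9):
    """Write `count` constructed 20-byte records (19 characters plus newline)."""
    for i in range(1, count + 1):
        channel.write(f"record-{i:02d}".ljust(19, "."))
    return channel


if __name__ == "__main__":
    rotated = fill(FileChannel("lamers.log", versions=3, size=30))
    print({name: [l[:9] for l in lines] for name, lines in sorted(rotated.fs.items())})
    capped = fill(FileChannel("lamers.log", size=30))
    print("kept", len(capped.fs["lamers.log"]), "dropped", capped.dropped)
```

<p>With three versions the two oldest records are gone after nine writes, which is the retention trade-off to size for; without <span><strong class="command">versions</strong></span> the file keeps only the first two records.</p>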
<p>The <span><strong class="command">syslog</strong></span> destination clause
directs the channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>; however, not all facilities
are supported on all operating systems.</p>
<p>How <span><strong class="command">syslog</strong></span> will handle messages
sent to this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.</p>
<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
will be accepted.</p>
<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.</p>
<p>The <span><strong class="command">stderr</strong></span> destination clause
directs the channel to the server's standard error stream. This is intended
for use when the server is running as a foreground process, for
example when debugging a configuration.</p>
<p>The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is greater
than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:</p>
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
<p>will get debugging output of level 3 or less any time the
server is in debugging mode, regardless of the global debugging
level. Channels with <span><strong class="command">dynamic</strong></span>
severity use the
server's global debug level to determine what messages to print.</p>
<p>If <span><strong class="command">print-time</strong></span> has been turned on,
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
be used in any combination, and will always be printed in the
order: time, category, severity. Here is an example where all
three <span><strong class="command">print-</strong></span> options
are on:</p>
<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
<p>There are four predefined channels that are used for
<span><strong class="command">named</strong></span>'s default logging as follows.
How they are
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.</p>
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-f' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};
</pre>
<p>The <span><strong class="command">default_debug</strong></span> channel has the
property that it only produces output when the server's debug
level is nonzero. It normally writes to a file called <code class="filename">named.run</code>
in the server's working directory.</p>
<p>For security reasons, when the "<code class="option">-u</code>"
command line option is used, the <code class="filename">named.run</code> file
is created only after <span><strong class="command">named</strong></span> has
changed to the
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the "<code class="option">-g</code>"
option and redirect standard error to a file.</p>
<p>Once a channel is defined, it cannot be redefined. Thus you
cannot alter the built-in channels directly, but you can modify
the default logging by pointing categories at channels you have
defined.</p>
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
<p>There are many categories, so you can send the logs you want
to see wherever you want, without seeing logs you don't want. If
you don't specify a list of channels for a category, then log
messages
in that category will be sent to the <span><strong class="command">default</strong></span> category
instead. If you don't specify a default category, the following
"default default" is used:</p>
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
<p>As an example, let's say you want to log security events to
a file, but you also want to keep the default logging behavior. You'd
specify the following:</p>
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
<pre class="programlisting">category notify { null; };
</pre>
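<p>An added model (not BIND code) of the routing and filtering rules as this section states them: category to channel list with the <span><strong class="command">default</strong></span> fallback, per-channel severity including <span><strong class="command">debug</strong></span> levels and <span><strong class="command">dynamic</strong></span>, the fixed <span><strong class="command">print-</strong></span> order, and the second filter that <span><strong class="command">syslog.conf</strong></span> applies. The names <code>Channel</code>, <code>deliver</code>, <code>channels_for</code> and <code>survives_syslogd</code> are assumptions, and the message text is constructed.</p>

```python
"""Added model of category -> channel routing and severity filtering (not BIND code)."""
from datetime import datetime

# Non-debug severities, least to most severe. Debug messages rank below all of
# them and carry their own numeric debug level.
RANK = {"info": 0, "notice": 1, "warning": 2, "error": 3, "critical": 4}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


class Channel:
    def __init__(self, dest, severity="info", level=1, debug_only=False,
                 print_time=False, print_category=False, print_severity=False):
        self.dest = dest              # "file", "syslog", "stderr" or "null"
        self.severity = severity      # "info".."critical", "debug" or "dynamic"
        self.level = level            # N in "severity debug N"
        self.debug_only = debug_only  # default_debug: silent while debug level is 0
        self.prints = (print_time, print_category, print_severity)

    def accepts(self, severity, msg_level=1, global_debug=0):
        if self.dest == "null" or (self.debug_only and global_debug == 0):
            return False
        if severity != "debug":
            # debug and dynamic thresholds sit below info, so they admit these
            if self.severity in ("debug", "dynamic"):
                return True
            return RANK[severity] >= RANK[self.severity]
        if global_debug == 0:
            return False              # debugging mode is off
        if self.severity == "dynamic":
            return msg_level <= global_debug
        return self.severity == "debug" and msg_level <= self.level

    def render(self, when, category, severity, text):
        """Prefix order is fixed: time, category, severity."""
        show_time, show_category, show_severity = self.prints
        parts = []
        if show_time:
            parts.append(f"{when.day:02d}-{MONTHS[when.month - 1]}-{when.year} "
                         f"{when:%H:%M:%S}.{when.microsecond // 1000:03d}")
        if show_category:
            parts.append(category + ":")
        if show_severity:
            parts.append(severity + ":")
        return " ".join(parts + [text])


# The four predefined channels and the built-in category defaults named on this page.
BUILTIN_CHANNELS = {
    "default_syslog": Channel("syslog", "info"),
    "default_debug": Channel("file", "dynamic", debug_only=True),
    "default_stderr": Channel("stderr", "info"),
    "null": Channel("null"),
}
BUILTIN_CATEGORIES = {"default": ["default_syslog", "default_debug"],
                      "unmatched": ["null"]}


def channels_for(category, categories):
    """Configured list, else the built-in for that category, else `default`."""
    merged = {**BUILTIN_CATEGORIES, **categories}
    return merged.get(category, merged["default"])


def deliver(category, severity, text, when, categories, channels,
            msg_level=1, global_debug=0):
    """Return {channel name: rendered line} for each channel that logs the message."""
    known = {**BUILTIN_CHANNELS, **channels}
    return {name: known[name].render(when, category, severity, text)
            for name in channels_for(category, categories)
            if known[name].accepts(severity, msg_level, global_debug)}


SYSLOG_ORDER = ["debug", "info", "notice", "warning", "error", "critical"]


def survives_syslogd(severity, selector_minimum):
    """Second filter on syslog channels: syslog.conf keeps selector_minimum and above."""
    return SYSLOG_ORDER.index(severity) >= SYSLOG_ORDER.index(selector_minimum)


# The page's example configuration: security events to a file, defaults kept.
CHANNELS = {"my_security_channel": Channel("file", "info")}
CATEGORIES = {"security": ["my_security_channel", "default_syslog", "default_debug"],
              "notify": ["null"]}
WHEN = datetime(2000, 2, 28, 15, 5, 32, 863000)

if __name__ == "__main__":
    print(deliver("security", "info", "constructed message", WHEN, CATEGORIES, CHANNELS))
    print(deliver("notify", "warning", "constructed message", WHEN, CATEGORIES, CHANNELS))
```

<p>Running a planned configuration through a model like this before deployment shows which categories end up with no destination at all, for example a warning in <span><strong class="command">notify</strong></span> once that category points at <span><strong class="command">null</strong></span>.</p>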
<p>Following are the available categories and brief descriptions
of the types of log information they contain. More
categories may be added in future <acronym class="acronym">BIND</acronym> releases.</p>
<col>
</colgroup>
<p><span><strong class="command">default</strong></span></p>
<p>The default category defines the logging
options for those categories where no specific
configuration has been defined.</p>
<p><span><strong class="command">general</strong></span></p>
<p>The catch-all. Many things still aren't
classified into categories, and they all end up here.</p>
<p><span><strong class="command">database</strong></span></p>
<p>Messages relating to the databases used
internally by the name server to store zone and cache data.</p>
<p><span><strong class="command">security</strong></span></p>
<p>Approval and denial of requests.</p>
<p><span><strong class="command">config</strong></span></p>
<p>Configuration file parsing and processing.</p>
<p><span><strong class="command">resolver</strong></span></p>
<p>DNS resolution, such as the recursive
lookups performed on behalf of clients by a caching name server.</p>
<p><span><strong class="command">xfer-in</strong></span></p>
<p>Zone transfers the server is receiving.</p>
<p><span><strong class="command">xfer-out</strong></span></p>
<p>Zone transfers the server is sending.</p>
<p><span><strong class="command">notify</strong></span></p>
<p>The NOTIFY protocol.</p>
<p><span><strong class="command">client</strong></span></p>
<p>Processing of client requests.</p>
<p><span><strong class="command">unmatched</strong></span></p>
<p>Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr; by
default it is sent to
the <span><strong class="command">null</strong></span> channel.</p>
<p><span><strong class="command">network</strong></span></p>
<a name="id2576977"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
resolution for AAAA records of www.example.com completed
likely com and example.com.
<a name="id2577496"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
<a name="id2577570"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<a name="id2577702"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2577746"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2577761"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note that some TLDs are not delegation only (e.g. "DE", "LV",
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
<span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2588203"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2588411"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2588458"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2588952"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2590525"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2596257"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2596273"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2596333"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2596403"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2596439"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2600917"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&nbsp;5.&nbsp;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&nbsp;</td>