Bv9ARM.ch06.html revision 892503bd484c106493e3c8053155b364a522ec03
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573317">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573909"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574220"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574580"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574597"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574689"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574712"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574803"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574929"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577060"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577212"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577276"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577325"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577347"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591642"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591923"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591970"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592411"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594496"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2598107">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600338">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600953">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601080">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601285"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
 to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
 areas of configuration, such as views. <acronym class="acronym">BIND</acronym>
 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features.
 <acronym class="acronym">BIND</acronym> 4 configuration files can be
 converted to the new format
 using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
 Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
 file documentation:
 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.

 A list of one or more
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements; see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.

 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and/or
 <code class="varname">ip_port</code>.
 A <code class="varname">masters_list</code> may include other
 <code class="varname">masters_list</code>s.

 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".

 A list of one or more <code class="varname">domain_name</code>
 elements.

 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.

 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.

 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their
 scope zones must be disambiguated by an appropriate
 zone ID with the percent character (`%') as
 delimiter. It is strongly recommended to use
 string zone names rather than numeric identifiers,
 in order to be robust against system configuration
 changes. However, since there is no standard
 mapping for such names and identifier values,
 currently only interface names as link identifiers
 are supported, assuming one-to-one mapping between
 interfaces and links. For example, a link-local
 address <span><strong class="command">fe80::1</strong></span> on the link
 attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses
 always have this ambiguity, and need to be
 disambiguated.

 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.

 A <code class="varname">number</code> between 0 and 63, used
 to select a differentiated services code point (DSCP)
 value for use with outgoing traffic on operating systems
 that support DSCP.

 An IP port <code class="varname">number</code>, from 0
 through 65535, with values
 below 1024 typically restricted to use by processes running
 as root.
 In some cases, an asterisk (`*') character can be used as a
 placeholder to
 select a random high-numbered port.

 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 netmask.
 Trailing zeros in an <code class="varname">ip_addr</code>
 may be omitted.
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
 When specifying a prefix involving an IPv6 scoped address
 the scope may be omitted. In that case the prefix will
 match packets from any scope.

 The name of a shared key, to be used for transaction
 security.

 A list of one or more <code class="varname">key_id</code>s,
 separated by semicolons and ending with a semicolon.

 A non-negative 32-bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.

 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.

 A list of an <code class="varname">ip_port</code> or a port
 range.
 A port range is specified in the form of
 <strong class="userinput"><code>range</code></strong> followed by
 <code class="varname">port_low</code> and
 <code class="varname">port_high</code>, which represents
 port numbers from <code class="varname">port_low</code> through
 <code class="varname">port_high</code>, inclusive.
 <code class="varname">port_low</code> must not be larger than
 <code class="varname">port_high</code>.
 For example,
 <strong class="userinput"><code>range 1024 65535</code></strong> represents
 ports from 1024 through 65535.
 In either case an asterisk (`*') character is not
 allowed as a valid <code class="varname">ip_port</code>.

 A 64-bit unsigned integer, or the keywords
 <strong class="userinput"><code>unlimited</code></strong> or
 <strong class="userinput"><code>default</code></strong>.
 Integers may take values
 0 <= value <= 18446744073709551615, though
 certain parameters
 (such as <span><strong class="command">max-journal-size</strong></span>) may
 use a more limited range within these extremes.
 In most cases, setting a value to 0 does not
 literally mean zero; it means "undefined" or
 "as big as possible", depending on the context.
 See the explanations of particular parameters
 for details on how they interpret its use.
 Numeric values can optionally be followed by a
 scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
 for gigabytes, which scale by 1024, 1024*1024, and
 1024*1024*1024 respectively.
 <strong class="userinput"><code>unlimited</code></strong> generally means
 "as big as possible", and is usually the best
 way to safely set a very large number.
 <strong class="userinput"><code>default</code></strong>
 uses the limit that was in force when the server was started.

 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.

 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
 [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
 key key_id | acl_name | { address_match_list } )</pre>
<a name="id2573043"></a>Definition and Usage</h4></div></div></div>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements which constitute an address match
 list can be any of the following:
<ul>
<li>a key ID, as defined by the <span><strong class="command">key</strong></span>
 statement</li>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement</li>
</ul>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets" are predefined. More information on those names
 can be found in the description of the acl statement.
 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless, the term "address match list" is still used
 throughout the documentation.
 When a given IP address or prefix is compared to an address
 match list, the comparison takes place in approximately O(1)
 time. However, key comparisons require that the list of keys
 be traversed until a matching key is found, and therefore may
 be somewhat slower.
 The interpretation of a match depends on whether the list is being
 used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
 <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
 When used as an access control list, a non-negated match
 allows access and a negated match denies access. If
 there is no match, access is denied. The clauses
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>,
 <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-query-cache</strong></span>,
 <span><strong class="command">allow-query-cache-on</strong></span>,
 <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">allow-update</strong></span>,
 <span><strong class="command">allow-update-forwarding</strong></span>, and
 <span><strong class="command">blackhole</strong></span> all use address match
 lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
 server to refuse queries on any of the machine's
 addresses which do not match the list.
 Order of insertion is significant. If more than one element
 in an ACL is found to match a given IP address or prefix,
 preference will be given to the one that came
 <span class="emphasis"><em>first</em></span> in the ACL definition.
 Because of this first-match behavior, an element that
 defines a subset of another element in the list should
 come before the broader element, regardless of whether
 either is negated. For example, in
 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
 the 1.2.3.13 element is completely useless because the
 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
 element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
 that problem by having 1.2.3.13 blocked by the negation, but
 all other 1.2.3.* hosts fall through.
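 The first-match rule, negation, nesting, and the short
 <code class="varname">ip_prefix</code> form defined earlier in this chapter
 (trailing zero octets omitted, as in <code>127/8</code> and <code>1.2.3/24</code>)
 can be checked offline with the evaluator below. It is an added example
 written for this page, not code from BIND or ISC; the function names
 (<code>parse_aml</code>, <code>evaluate</code>, <code>allowed</code>,
 <code>shadowed</code>) and the sample lists are constructed here, and the
 assumptions it makes beyond what the text states are listed in its docstring.

```python
"""BIND address_match_list evaluator (added example, not BIND's code).

Rules taken from the text: first match wins; "!" negates; "{ }" nests;
"key" names a TSIG key; any other word is an acl_name; an IPv4 prefix may
omit trailing zero octets ("127/8", "1.2.3/24").  Assumed, not from the
page: "localhost"/"localnets" are supplied by the caller in `acls`; acl
names never start with a digit; a negated match inside a nested list is
"no match" for the enclosing list (how named behaves, undocumented here).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Elem = Tuple[bool, str, object]   # (negated, kind, value); kind: net/key/acl/list
_TOKENS = re.compile(r'[{};!]|"[^"]*"|[^\s{};!"]+')


def expand_prefix(text: str):
    """ip_addr / ip_prefix in BIND syntax -> ipaddress network: "127/8" ->
    127.0.0.0/8, bare address -> host prefix, IPv6 scope "%ne0" dropped
    (a prefix written without a scope matches packets from any scope)."""
    addr, _, length = text.partition('/')
    if ':' in addr:
        addr = addr.split('%', 1)[0]
    else:
        octets = addr.split('.')
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            raise ValueError(f'bad ip_prefix {text!r}')
        addr = '.'.join(octets + ['0'] * (4 - len(octets)))
    return ipaddress.ip_network(f'{addr}/{length}' if length else addr, strict=False)


def parse_aml(text: str) -> List[Elem]:
    """Parse 'element; element; ...' (the grammar above) into Elems."""
    tokens = [t.strip('"') for t in _TOKENS.findall(text)]
    pos = 0

    def take(expected: Optional[str] = None) -> str:
        nonlocal pos
        if pos >= len(tokens) or (expected is not None and tokens[pos] != expected):
            raise ValueError(f'expected {expected or "a token"} at token {pos}')
        pos += 1
        return tokens[pos - 1]

    def parse_list() -> List[Elem]:
        elems: List[Elem] = []
        while pos < len(tokens) and tokens[pos] != '}':
            negated = tokens[pos] == '!'
            if negated:
                take('!')
            tok = take()
            if tok == '{':
                elem: Elem = (negated, 'list', parse_list())
                take('}')
            elif tok == 'key':
                elem = (negated, 'key', take().lower())
            elif tok[0].isdigit() or ':' in tok:
                elem = (negated, 'net', expand_prefix(tok))
            else:
                elem = (negated, 'acl', tok)
            take(';')                           # every element ends with ";"
            elems.append(elem)
        return elems

    elems = parse_list()
    if pos != len(tokens):
        raise ValueError('unbalanced "}"')
    return elems


def evaluate(elems: List[Elem], client: str, key_name: Optional[str] = None,
             acls: Optional[Dict[str, List[Elem]]] = None) -> Optional[int]:
    """+n: element n (1-based) matched first and is not negated; -n: the first
    match is negated; None: nothing matched."""
    addr = ipaddress.ip_address(client.split('%', 1)[0])
    acls = acls or {}
    for n, (negated, kind, value) in enumerate(elems, 1):
        if kind == 'net':
            hit = addr in value                 # False across address families
        elif kind == 'key':
            hit = key_name is not None and key_name.lower() == value
        elif kind == 'acl':
            hit = {'any': True, 'none': False}.get(value)
            if hit is None:                     # user acl, or caller-supplied localhost/localnets
                hit = (evaluate(acls[value], client, key_name, acls) or 0) > 0
        else:                                   # nested { }: only a positive inner match counts
            hit = (evaluate(value, client, key_name, acls) or 0) > 0
        if hit:
            return -n if negated else n
    return None


def allowed(elems, client, key_name=None, acls=None) -> bool:
    """Access-control reading: a positive match allows; a negated or no match denies."""
    return (evaluate(elems, client, key_name, acls) or 0) > 0


def shadowed(elems: List[Elem]) -> List[int]:
    """1-based indices of prefixes that an earlier prefix (or 'any') in the same
    list already covers, so they can never match ('1.2.3/24; ! 1.2.3.13;')."""
    dead = []
    for n, (_, kind, value) in enumerate(elems, 1):
        if kind == 'net':
            for _, pk, pv in elems[:n - 1]:
                if (pk == 'acl' and pv == 'any') or (
                        pk == 'net' and pv.version == value.version and value.subnet_of(pv)):
                    dead.append(n)
                    break
    return dead
```

 With the two lists from the text, <code>allowed(parse_aml('1.2.3/24; ! 1.2.3.13;'), '1.2.3.13')</code>
 is true and <code>shadowed()</code> reports element 2 as dead, while the corrected
 <code>! 1.2.3.13; 1.2.3/24;</code> denies 1.2.3.13, allows 1.2.3.7, and denies an
 address outside the prefix because nothing matched. Running <code>shadowed()</code>
 over every acl is the ordering check a syntax checker will not do for you.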
e03878add0099ba9741efc46d545955a60ea8bdcrbb<a name="id2573317"></a>Comment Syntax</h3></div></div></div>
e03878add0099ba9741efc46d545955a60ea8bdcrbb The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
1860b2b5f1de31f8cf9d95f1b394fe98c8dbfab7rbb comments to appear
1860b2b5f1de31f8cf9d95f1b394fe98c8dbfab7rbb anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
1860b2b5f1de31f8cf9d95f1b394fe98c8dbfab7rbb file. To appeal to programmers of all kinds, they can be written
9ec65cbae2f760e485a1c54df5b19853688d5c91wrowe<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
a8c0c0b8d7dada680bd3f3d70f78ce0656ba5aa6trawick<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
a8c0c0b8d7dada680bd3f3d70f78ce0656ba5aa6trawick<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
77c656dabf05adcdee0d30b15b4628be738a1913rbb# and perl</pre>
7e73041858979fd162c849cc2e7447beb51eedf8rbb<a name="id2573362"></a>Definition and Usage</h4></div></div></div>
886cd69ebf69e990dbc365be87ff8ea7cd681904rbb Comments may appear anywhere that whitespace may appear in
886cd69ebf69e990dbc365be87ff8ea7cd681904rbb a <acronym class="acronym">BIND</acronym> configuration file.
886cd69ebf69e990dbc365be87ff8ea7cd681904rbb C-style comments start with the two characters /* (slash,
886cd69ebf69e990dbc365be87ff8ea7cd681904rbb star) and end with */ (star, slash). Because they are completely
db9ac238bf63d7df2bebbaff4de1628a32151028trawick delimited with these characters, they can be used to comment only
ce121a776564df6bb75498209094142d92404b8atrawick a portion of a line or to span multiple lines.
e1ade9256c87684358786fcf7eef251bd4c1db10rbb C-style comments cannot be nested. For example, the following
e1ade9256c87684358786fcf7eef251bd4c1db10rbb is not valid because the entire comment ends with the first */:
db9ac238bf63d7df2bebbaff4de1628a32151028trawick<pre class="programlisting">/* This is the start of a comment.
db9ac238bf63d7df2bebbaff4de1628a32151028trawick This is still part of the comment.
db9ac238bf63d7df2bebbaff4de1628a32151028trawick/* This is an incorrect attempt at nesting a comment. */
 This is no longer in any comment. */</pre>
42ec91fadb5532438ab4c02993b15c18a517967frbb C++-style comments start with the two characters // (slash,
42ec91fadb5532438ab4c02993b15c18a517967frbb slash) and continue to the end of the physical line. They cannot
42ec91fadb5532438ab4c02993b15c18a517967frbb be continued across multiple physical lines; to have one logical
42ec91fadb5532438ab4c02993b15c18a517967frbb comment span multiple lines, each line must use the // pair.
96fc773162e93e5b85686ab152f11baf4498d868rbb For example:
5827adc4c40ff4b10db9b09cea43f4307c8fc319trawick<pre class="programlisting">// This is the start of a comment. The next line
5827adc4c40ff4b10db9b09cea43f4307c8fc319trawick// is a new comment, even though it is logically
// part of the previous comment.</pre>
e7270e4daeb3e62414b361ca2bf0e707d0ae3310wrowe Shell-style (or perl-style, if you prefer) comments start
e7270e4daeb3e62414b361ca2bf0e707d0ae3310wrowe with the character <code class="literal">#</code> (number sign)
e7270e4daeb3e62414b361ca2bf0e707d0ae3310wrowe and continue to the end of the
e7270e4daeb3e62414b361ca2bf0e707d0ae3310wrowe physical line, as in C++ comments.
f6e9f5600e77b78fb013bb543d364135961639d1rbb For example:
f6e9f5600e77b78fb013bb543d364135961639d1rbb<pre class="programlisting"># This is the start of a comment. The next line
f6e9f5600e77b78fb013bb543d364135961639d1rbb# is a new comment, even though it is logically
# part of the previous comment.</pre>
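As an added example (not from the BIND ARM or the BIND source), the following Python scanner applies the comment rules of this section to a constructed named.conf excerpt: a block comment ends at the first */ whatever follows, // and # run to the end of the physical line, a semicolon is never a comment start, and comment characters inside a double-quoted string are left alone. The sample configuration text is constructed for the example.

```python
"""Strip BIND 9 named.conf comments according to the rules in this section.

Added example, not part of the BIND ARM or the BIND source: a small scanner
that removes the three comment styles BIND accepts and leaves everything
else, including semicolons, untouched.
"""


def strip_comments(text: str) -> str:
    """Return *text* with /* */, // and # comments removed.

    Rules implemented, matching the ARM's description:
      * /* ... */ may span lines and ends at the FIRST */ (no nesting).
      * // and # run to the end of the physical line.
      * ';' is a statement terminator, never a comment start.
      * Comment characters inside a double-quoted string are literal.
    Raises ValueError for an unterminated block comment or string.
    """
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            # Copy a quoted string verbatim so a '#' or '//' inside it survives.
            end = text.find('"', i + 1)
            if end == -1:
                raise ValueError("unterminated quoted string")
            out.append(text[i:end + 1])
            i = end + 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            # Keep the newlines so line numbers in later error messages stay right.
            out.append("\n" * text.count("\n", i, end + 2))
            i = end + 2
        elif text.startswith("//", i) or ch == "#":
            end = text.find("\n", i)
            i = n if end == -1 else end      # the newline itself is kept
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def leftover_tokens(text: str) -> list:
    """Whitespace-separated tokens that remain after comment stripping."""
    return strip_comments(text).split()


# Constructed input covering the three comment styles from this section.
SAMPLE = '''\
/* This is a BIND comment as in C */
// This is a BIND comment as in C++
# This is a BIND comment as in common UNIX shells
# and perl
options {
    directory "/var/named";   // trailing C++ comment
    recursion no;             # trailing shell comment
};
key "rndc-key" { algorithm hmac-sha256; secret "abc#not//a/*comment*/"; };
'''

# The ARM's invalid nesting example: the comment ends at the first */,
# so the last line is left over as (bogus) configuration tokens.
NESTED = '''\
/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
'''

if __name__ == "__main__":
    print(strip_comments(SAMPLE))
    print("tokens left after bad nesting:", leftover_tokens(NESTED))
```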
b580e99ec29c68e3c56b5b1ad8a4ec1e2de865c0trawick<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 You cannot use the semicolon (<code class="literal">;</code>) character
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to start a comment such as you would in a zone file. The
cfa64348224b66dd1c9979b809406c4d15b1c137fielding semicolon indicates the end of a configuration
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<div class="titlepage"><div><div><h2 class="title" style="clear: both">
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding A <acronym class="acronym">BIND</acronym> 9 configuration consists of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statements and comments.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Statements end with a semicolon. Statements and comments are the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only elements that can appear without enclosing braces. Many
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statements contain a block of sub-statements, which are also
cfa64348224b66dd1c9979b809406c4d15b1c137fielding terminated with a semicolon.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The following statements are supported:
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">acl</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defines a named IP address
cfa64348224b66dd1c9979b809406c4d15b1c137fielding matching list, for access control and other uses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">controls</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding declares control channels to be used
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by the <span><strong class="command">rndc</strong></span> utility.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">include</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding includes a file.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">key</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specifies key information for use in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding authentication and authorization using TSIG.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">logging</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specifies what the server logs, and where
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the log messages are sent.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">lwres</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding configures <span><strong class="command">named</strong></span> to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">masters</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defines a named masters list for
cfa64348224b66dd1c9979b809406c4d15b1c137fielding inclusion in stub and slave zones'
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">masters</strong></span> or
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">also-notify</strong></span> lists.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">options</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding controls global server configuration
cfa64348224b66dd1c9979b809406c4d15b1c137fielding options and sets defaults for other statements.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">server</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding sets certain configuration options on
cfa64348224b66dd1c9979b809406c4d15b1c137fielding a per-server basis.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">statistics-channels</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding declares communication channels to get access to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> statistics.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">trusted-keys</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defines trusted DNSSEC keys.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">managed-keys</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding lists DNSSEC keys to be kept up to date
cfa64348224b66dd1c9979b809406c4d15b1c137fielding using RFC 5011 trust anchor maintenance.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">view</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defines a view.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">zone</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defines a zone.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">logging</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">options</strong></span> statements may only occur once
cfa64348224b66dd1c9979b809406c4d15b1c137fielding configuration.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2573909"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
    address_match_list
};</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">acl</strong></span> statement assigns a symbolic
cfa64348224b66dd1c9979b809406c4d15b1c137fielding name to an address match list. It gets its name from a primary
cfa64348224b66dd1c9979b809406c4d15b1c137fielding use of address match lists: Access Control Lists (ACLs).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Note that an address match list's name must be defined
cfa64348224b66dd1c9979b809406c4d15b1c137fielding with <span><strong class="command">acl</strong></span> before it can be used
cfa64348224b66dd1c9979b809406c4d15b1c137fielding elsewhere; no forward references are allowed.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The following ACLs are built-in:
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">any</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Matches all hosts.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">none</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Matches no hosts.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">localhost</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Matches the IPv4 and IPv6 addresses of all network
cfa64348224b66dd1c9979b809406c4d15b1c137fielding interfaces on the system.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <p><span><strong class="command">localnets</strong></span></p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Matches any host on an IPv4 or IPv6 network
cfa64348224b66dd1c9979b809406c4d15b1c137fielding for which the system has an interface.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Some systems do not provide a way to determine the prefix
cfa64348224b66dd1c9979b809406c4d15b1c137fielding local IPv6 addresses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding In such a case, <span><strong class="command">localnets</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only matches the local
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
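To make the first-match rule concrete, here is an added Python model of address match list evaluation (example code, not from the BIND ARM or from named): it implements negation, first match wins, the four built-in lists, and the rule that a named list must be defined before it is referenced. INTERFACES is a constructed stand-in for the host's interfaces, and treating a negated match inside a nested list as "no match" is an assumption about named's behaviour, not text from this page.

```python
"""Model the address match list rules described in this section.

Added example, not code from the BIND ARM or from named.  INTERFACES is a
constructed stand-in for the host's interfaces, used to derive the built-in
"localhost" and "localnets" lists.  Treating a negated match inside a nested
list as "no match" is an assumption about named's behaviour, not page text.
"""
import ipaddress
from typing import Optional

# Constructed interfaces: (address, prefix length).
INTERFACES = [("192.0.2.10", 24), ("2001:db8:1::10", 64), ("127.0.0.1", 8)]


def parse_prefix(text: str):
    """Accept BIND's short IPv4 prefixes such as '1.2.3/24' or '10/8'."""
    if ":" not in text:
        addr, _, plen = text.partition("/")
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        text = f"{addr}/{plen}" if plen else addr
    return ipaddress.ip_network(text, strict=False)


class AclTable:
    """Named address match lists, defined in the order acl statements appear."""

    def __init__(self, interfaces=INTERFACES):
        self.acls = {
            "any": [(False, ipaddress.ip_network("0.0.0.0/0")),
                    (False, ipaddress.ip_network("::/0"))],
            "none": [],
            # localhost: the interface addresses; localnets: their networks.
            "localhost": [(False, parse_prefix(a)) for a, _ in interfaces],
            "localnets": [(False, parse_prefix(f"{a}/{p}")) for a, p in interfaces],
        }

    def parse_list(self, elements):
        """Turn element strings into (negated, target) pairs.

        A target is an ip_network or the name of an acl that is already
        defined; a forward reference is an error, as it is in named.
        """
        parsed = []
        for raw in elements:
            negated = raw.lstrip().startswith("!")
            target = raw.lstrip()[1:].strip() if negated else raw.strip()
            if target[0].isdigit() or ":" in target:
                target = parse_prefix(target)
            elif target not in self.acls:
                raise ValueError(f"acl {target!r} used before it is defined")
            parsed.append((negated, target))
        return parsed

    def define(self, name: str, elements) -> None:
        """acl name { element; element; ... };"""
        if name in self.acls:
            raise ValueError(f"acl {name!r} already defined")
        self.acls[name] = self.parse_list(elements)

    def match(self, parsed, addr: str) -> Optional[bool]:
        """First element that matches decides: True, or False if it was negated.

        None means nothing matched.  A nested acl whose own result is a
        negated match is treated as no match and the scan continues.
        """
        ip = ipaddress.ip_address(addr)
        for negated, target in parsed:
            if isinstance(target, str):
                hit = self.match(self.acls[target], addr) is True
            else:
                hit = ip in target          # always False across IP versions
            if hit:
                return not negated
        return None

    def allowed(self, elements, addr: str) -> bool:
        """allow-clause semantics: only a positive match permits the address."""
        return self.match(self.parse_list(elements), addr) is True


if __name__ == "__main__":
    acls = AclTable()
    # The page's example: with the prefix first, 1.2.3.13 matches it and the
    # negation is never reached; putting the negation first blocks the host.
    print(acls.allowed(["1.2.3/24", "! 1.2.3.13"], "1.2.3.13"))   # True
    print(acls.allowed(["! 1.2.3.13", "1.2.3/24"], "1.2.3.13"))   # False
```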
cfa64348224b66dd1c9979b809406c4d15b1c137fielding When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding ACLs can also be used for geographic access restrictions.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This is done by specifying an ACL element of the form:
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <em class="replaceable"><code>field</code></em> indicates which field
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to search for a match. Available fields are "country",
cfa64348224b66dd1c9979b809406c4d15b1c137fielding "region", "city", "continent", "postal" (postal code),
cfa64348224b66dd1c9979b809406c4d15b1c137fielding "metro" (metro code), "area" (area code), "tz" (timezone),
cfa64348224b66dd1c9979b809406c4d15b1c137fielding "isp", "org", "asnum", "domain" and "netspeed".
 <em class="replaceable"><code>value</code></em> is the value to be searched for
cfa64348224b66dd1c9979b809406c4d15b1c137fielding within the database. A string may be quoted if it contains
cfa64348224b66dd1c9979b809406c4d15b1c137fielding spaces or other special characters. If this is a "country"
cfa64348224b66dd1c9979b809406c4d15b1c137fielding search and the string is two characters long, then it must be a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding standard ISO-3166-1 two-letter country code, and if it is three
cfa64348224b66dd1c9979b809406c4d15b1c137fielding characters long then it must be an ISO-3166-1 three-letter
cfa64348224b66dd1c9979b809406c4d15b1c137fielding country code; otherwise it is the full name of the country.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Similarly, if this is a "region" search and the string is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding two characters long, then it must be a standard two-letter state
cfa64348224b66dd1c9979b809406c4d15b1c137fielding or province abbreviation; otherwise it is the full name of the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding state or province.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <em class="replaceable"><code>database</code></em> field indicates which
cfa64348224b66dd1c9979b809406c4d15b1c137fielding GeoIP database to search for a match. In most cases this is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding unnecessary, because most search fields can only be found in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding a single database. However, searches for country can be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding answered from the "city", "region", or "country" databases,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and searches for region (i.e., state or province) can be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding answered from the "city" or "region" databases. For these
cfa64348224b66dd1c9979b809406c4d15b1c137fielding search types, specifying a <em class="replaceable"><code>database</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding will force the query to be answered from that database and no
cfa64348224b66dd1c9979b809406c4d15b1c137fielding other. If <em class="replaceable"><code>database</code></em> is not
 specified, then these queries will be answered from the "city"
cfa64348224b66dd1c9979b809406c4d15b1c137fielding database if it is installed, or the "region" database if it is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding installed, or the "country" database, in that order.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Some example GeoIP ACLs:
<pre class="programlisting">geoip country JAP;
geoip db country country Canada;
geoip db region region WA;
geoip city "San Francisco";
geoip region Oklahoma;
geoip postal 95062;
geoip org "Internet Systems Consortium";</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2574220"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<pre class="programlisting"><span><strong class="command">controls</strong></span> {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ inet ( ip_addr | * ) [ port ip_port ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding allow { <em class="replaceable"><code> address_match_list </code></em> }
cfa64348224b66dd1c9979b809406c4d15b1c137fielding keys { <em class="replaceable"><code>key_list</code></em> }; ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ inet ...; ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding keys { <em class="replaceable"><code>key_list</code></em> }; ]
 [ unix ...; ]
};</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">controls</strong></span> statement declares control
cfa64348224b66dd1c9979b809406c4d15b1c137fielding channels to be used by system administrators to control the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding operation of the name server. These control channels are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding used by the <span><strong class="command">rndc</strong></span> utility to send
cfa64348224b66dd1c9979b809406c4d15b1c137fielding commands to and retrieve non-DNS results from a name server.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding An <span><strong class="command">inet</strong></span> control channel is a TCP socket
cfa64348224b66dd1c9979b809406c4d15b1c137fielding listening at the specified <span><strong class="command">ip_port</strong></span> on the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
cfa64348224b66dd1c9979b809406c4d15b1c137fielding address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding interpreted as the IPv4 wildcard address; connections will be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding accepted on any of the system's IPv4 addresses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To listen on the IPv6 wildcard address,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If you will only use <span><strong class="command">rndc</strong></span> on the local host,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding using the loopback address (<code class="literal">127.0.0.1</code>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding or <code class="literal">::1</code>) is recommended for maximum security.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If no port is specified, port 953 is used. The asterisk
cfa64348224b66dd1c9979b809406c4d15b1c137fielding "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The ability to issue commands over the control channel is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding restricted by the <span><strong class="command">allow</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">keys</strong></span> clauses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Connections to the control channel are permitted based on the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">address_match_list</strong></span>. This is for simple
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IP address based filtering only; any <span><strong class="command">key_id</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding elements of the <span><strong class="command">address_match_list</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding are ignored.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
cfa64348224b66dd1c9979b809406c4d15b1c137fielding socket listening at the specified path in the file system.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
 Note that on some platforms (SunOS and Solaris) the permissions
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (<span><strong class="command">perm</strong></span>) are applied to the parent directory
cfa64348224b66dd1c9979b809406c4d15b1c137fielding as the permissions on the socket itself are ignored.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The primary authorization mechanism of the command
cfa64348224b66dd1c9979b809406c4d15b1c137fielding channel is the <span><strong class="command">key_list</strong></span>, which
cfa64348224b66dd1c9979b809406c4d15b1c137fielding contains a list of <span><strong class="command">key_id</strong></span>s.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is authorized to execute commands over the control channel.
 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding for information about configuring keys in <span><strong class="command">rndc</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If no <span><strong class="command">controls</strong></span> statement is present,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> will set up a default
cfa64348224b66dd1c9979b809406c4d15b1c137fielding control channel listening on the loopback address 127.0.0.1
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and its IPv6 counterpart ::1.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding In this case, and also when the <span><strong class="command">controls</strong></span> statement
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is present but does not have a <span><strong class="command">keys</strong></span> clause,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> will attempt to load the command channel key
cfa64348224b66dd1c9979b809406c4d15b1c137fielding from the file <code class="filename">rndc.key</code> in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding was specified as when <acronym class="acronym">BIND</acronym> was built).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To create a <code class="filename">rndc.key</code> file, run
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <strong class="userinput"><code>rndc-confgen -a</code></strong>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <code class="filename">rndc.key</code> feature was created to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding which did not have digital signatures on its command channel
cfa64348224b66dd1c9979b809406c4d15b1c137fielding messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
cfa64348224b66dd1c9979b809406c4d15b1c137fielding configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and still have <span><strong class="command">rndc</strong></span> work the same way
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Since the <code class="filename">rndc.key</code> feature
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is only intended to allow the backward-compatible usage of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <acronym class="acronym">BIND</acronym> 8 configuration files, this
cfa64348224b66dd1c9979b809406c4d15b1c137fielding feature does not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding have a high degree of configurability. You cannot easily change
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the key name or the size of the secret, so you should make a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="filename">rndc.conf</code> with your own key if you
cfa64348224b66dd1c9979b809406c4d15b1c137fielding wish to change
cfa64348224b66dd1c9979b809406c4d15b1c137fielding those things. The <code class="filename">rndc.key</code> file
cfa64348224b66dd1c9979b809406c4d15b1c137fielding also has its
cfa64348224b66dd1c9979b809406c4d15b1c137fielding permissions set such that only the owner of the file (the user that
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> is running as) can access it.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding desire greater flexibility in allowing other users to access
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">rndc</strong></span> commands, then you need to create
 an <code class="filename">rndc.conf</code> file and make it group
cfa64348224b66dd1c9979b809406c4d15b1c137fielding readable by a group
cfa64348224b66dd1c9979b809406c4d15b1c137fielding that contains the users who should have access.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To disable the command channel, use an empty
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">controls</strong></span> statement:
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">controls { };</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2574580"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2574597"></a><span><strong class="command">include</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">include</strong></span> statement inserts the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified file at the point where the <span><strong class="command">include</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statement is encountered. The <span><strong class="command">include</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statement facilitates the administration of configuration
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by permitting the reading or writing of some things but not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding others. For example, the statement could include private keys
cfa64348224b66dd1c9979b809406c4d15b1c137fielding that are readable only by the name server.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2574689"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding algorithm <em class="replaceable"><code>string</code></em>;
 secret <em class="replaceable"><code>string</code></em>;
};</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2574712"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">key</strong></span> statement defines a shared
cfa64348224b66dd1c9979b809406c4d15b1c137fielding secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding or the command channel
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage”</a>).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">key</strong></span> statement can occur at the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of the configuration file or inside a <span><strong class="command">view</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statement. Keys defined in top-level <span><strong class="command">key</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statements can be used in all views. Keys intended for use in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding a <span><strong class="command">controls</strong></span> statement
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage”</a>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding must be defined at the top level.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <em class="replaceable"><code>key_id</code></em>, also known as the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding key name, is a domain name uniquely identifying the key. It can
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be used in a <span><strong class="command">server</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statement to cause requests sent to that
cfa64348224b66dd1c9979b809406c4d15b1c137fielding server to be signed with this key, or in address match lists to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding verify that incoming requests have been signed with a key
cfa64348224b66dd1c9979b809406c4d15b1c137fielding matching this name, algorithm, and secret.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <em class="replaceable"><code>algorithm_id</code></em> is a string
cfa64348224b66dd1c9979b809406c4d15b1c137fielding that specifies a security/authentication algorithm. Named
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and <code class="literal">hmac-sha512</code> TSIG authentication.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Truncated hashes are supported by appending the minimum
cfa64348224b66dd1c9979b809406c4d15b1c137fielding number of required bits preceded by a dash, e.g.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <em class="replaceable"><code>secret_string</code></em> is the secret
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to be used by the algorithm, and is treated as a base-64
cfa64348224b66dd1c9979b809406c4d15b1c137fielding encoded string.
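An added Python example (not the ARM's, named's or rndc-confgen's code) that generates a key statement of this form with a fresh random secret, parses one back, checks that the secret is valid base-64, and shows that a "-bits" truncation suffix only shortens the HMAC output. The minimum truncation it enforces (at least 80 bits and at least half the digest) comes from RFC 4635, not from this page; the EXAMPLE_STATEMENT secret is constructed.

```python
"""Generate, parse and exercise 'key' statements as described in this section.

Added example, not code from the BIND ARM, named or rndc-confgen.  The
minimum truncation enforced in parse_algorithm() (no less than 80 bits and
no less than half the digest) is taken from RFC 4635; this page only says
that a '-bits' suffix selects a truncated MAC.
"""
import base64
import hmac
import re
import secrets

# HMAC algorithms this page names, with the full digest size in bits.
ALGORITHMS = {
    "hmac-sha1": 160, "hmac-sha224": 224, "hmac-sha256": 256,
    "hmac-sha384": 384, "hmac-sha512": 512,
}
_ALG_RE = re.compile(r"^(hmac-sha(?:1|224|256|384|512))(?:-(\d+))?$")
# Loose pattern for a single key statement (comments already removed).
_STMT_RE = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')


def parse_algorithm(name: str) -> tuple:
    """Return (base algorithm, MAC bits) after checking any '-bits' suffix."""
    m = _ALG_RE.match(name.lower())
    if not m:
        raise ValueError(f"unsupported algorithm {name!r}")
    base, bits = m.group(1), ALGORITHMS[m.group(1)]
    if m.group(2):
        trunc = int(m.group(2))
        if trunc % 8 or trunc > bits or trunc < max(80, bits // 2):
            raise ValueError(f"invalid truncation {trunc} for {base}")
        bits = trunc
    return base, bits


def decode_secret(secret: str) -> bytes:
    """The secret is a base-64 string; reject anything that is not."""
    try:
        return base64.b64decode(secret, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError("secret is not valid base-64") from exc


def make_key_statement(key_id: str, algorithm: str = "hmac-sha256") -> str:
    """Emit a key statement whose random secret is as long as the digest."""
    base, _ = parse_algorithm(algorithm)
    secret = base64.b64encode(secrets.token_bytes(ALGORITHMS[base] // 8)).decode()
    return f'key "{key_id}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'


def parse_key_statement(text: str) -> dict:
    """Parse one key statement and validate its algorithm and secret."""
    m = _STMT_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    key_id, algorithm, secret = m.groups()
    base, bits = parse_algorithm(algorithm)
    return {"key_id": key_id, "algorithm": base, "mac_bits": bits,
            "secret": decode_secret(secret)}


def mac(key: dict, message: bytes) -> bytes:
    """HMAC of *message* under the key, truncated as the algorithm name asks.

    This is the primitive TSIG signs with; building the TSIG digest input
    from a DNS message (RFC 2845) is outside this example.
    """
    digest = hmac.new(key["secret"], message, key["algorithm"][len("hmac-"):]).digest()
    return digest[: key["mac_bits"] // 8]


# Constructed statement: a 16-byte secret (bytes 0x00..0x0f) and a truncated MAC.
EXAMPLE_STATEMENT = (
    'key "example-key" { algorithm hmac-sha256-128; '
    'secret "AAECAwQFBgcICQoLDA0ODw=="; };')

if __name__ == "__main__":
    print(make_key_statement("rndc-key"))
    k = parse_key_statement(EXAMPLE_STATEMENT)
    print(k["key_id"], k["algorithm"], k["mac_bits"], mac(k, b"constructed").hex())
```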
<a name="id2574803"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                  <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
<a name="id2574929"></a><span><strong class="command">logging</strong></span> Statement Definition and
 The <span><strong class="command">logging</strong></span> statement configures a
 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
 associates output methods, format options and severity levels with
 a name that can then be used with the <span><strong class="command">category</strong></span> phrase
 to select how various classes of messages are logged.
 Only one <span><strong class="command">logging</strong></span> statement is used to
 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
 the logging configuration will be:
 category default { default_syslog; default_debug; };
 category unmatched { null; };
 In <acronym class="acronym">BIND</acronym> 9, the logging configuration
 is only established when
 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
 established as soon as the <span><strong class="command">logging</strong></span>
 was parsed. When the server is starting up, all logging messages
 regarding syntax errors in the configuration file go to the default
 channels, or to standard error if the "<code class="option">-g</code>" option
 was specified.
<a name="id2574981"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
 you can make as many of them as you want.
 Every channel definition must include a destination clause that
 says whether messages selected for the channel go to a file, to a
 particular syslog facility, to the standard error stream, or are
 discarded. It can optionally also limit the message severity level
 that will be accepted by the channel (the default is
 <span><strong class="command">info</strong></span>), and whether to include a
 <span><strong class="command">named</strong></span>-generated time stamp, the
 category name
 and/or severity level (the default is not to include any).
 The <span><strong class="command">null</strong></span> destination clause
 causes all messages sent to the channel to be discarded;
 in that case, other options for the channel are meaningless.
 The <span><strong class="command">file</strong></span> destination clause directs
 the channel
 to a disk file. It can include limitations
 both on how large the file is allowed to become, and how many
 of the file will be saved each time the file is opened.
 If you use the <span><strong class="command">versions</strong></span> log file
 option, then
 <span><strong class="command">named</strong></span> will retain that many backup
 versions of the file by
 renaming them when opening. For example, if you choose to keep
 three old versions
 of the file <code class="filename">lamers.log</code>, then just
 before it is opened
 <code class="filename">lamers.log.1</code> is renamed to
 <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
 renamed to <code class="filename">lamers.log.0</code>.
 You can say <span><strong class="command">versions unlimited</strong></span> to
 the number of versions.
 If a <span><strong class="command">size</strong></span> option is associated with
 the log file,
 then renaming is only done when the file being opened exceeds the
 indicated size. No backup versions are kept by default; any
 log file is simply appended.
 The <span><strong class="command">size</strong></span> option for files is used
 to limit log
 growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
 stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
 associated with it. If backup versions are kept, the files are
 described above and a new one begun. If there is no
 <span><strong class="command">versions</strong></span> option, no more data will
 be written to the log
 until some out-of-band mechanism removes or truncates the log to
 less than the
 maximum size. The default behavior is not to limit the size of
 Example usage of the <span><strong class="command">size</strong></span> and
 <span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
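The rotation and size rules of the <span><strong class="command">file</strong></span> destination clause described above, as an added Python model that is not part of this manual or of <span><strong class="command">named</strong></span>: backups are renamed <code class="filename">.1</code> to <code class="filename">.2</code>, <code class="filename">.0</code> to <code class="filename">.1</code>, live file to <code class="filename">.0</code>; with <span><strong class="command">size</strong></span> set the renaming happens only once the file exceeds the limit; and with <span><strong class="command">size</strong></span> but no <span><strong class="command">versions</strong></span> writing stops until something out of band shrinks the file. The file names, the 40-byte limit and the 21-byte lines are constructed for the demonstration; real <span><strong class="command">named</strong></span> checks sizes on its own schedule and this model checks before every write.

```python
import os
import tempfile


def backup_versions(path):
    """Sorted indices N of existing backups named path.N (path.0 is the newest)."""
    directory = os.path.dirname(path) or "."
    base = os.path.basename(path) + "."
    found = []
    for name in os.listdir(directory):
        suffix = name[len(base):]
        if name.startswith(base) and suffix.isdigit():
            found.append(int(suffix))
    return sorted(found)


def rotate(path, versions):
    """Shift backups as the text describes for versions 3: .1 -> .2, .0 -> .1,
    then the live file -> .0; the oldest backup (.versions-1) is overwritten.
    versions=None models "versions unlimited": every existing backup moves up
    one slot and nothing is overwritten."""
    if versions is None:
        existing = backup_versions(path)
        top = existing[-1] if existing else -1
    else:
        top = versions - 2
    for i in range(top, -1, -1):
        src = "%s.%d" % (path, i)
        if os.path.exists(src):
            os.replace(src, "%s.%d" % (path, i + 1))
    if os.path.exists(path):
        os.replace(path, path + ".0")


class ChannelFile:
    """Model of a channel's file destination with optional versions and size.

    versions: 0 = keep no backups (the default), N = keep N, None = unlimited.
    size: byte limit, or None for no limit (the default).
    """

    def __init__(self, path, versions=0, size=None):
        self.path = path
        self.versions = versions
        self.size = size
        # When the file is opened, a versions option rotates immediately,
        # unless a size limit is set and the existing file is still within it.
        if versions != 0 and (size is None or self._current_size() > size):
            rotate(path, versions)

    def _current_size(self):
        return os.path.getsize(self.path) if os.path.exists(self.path) else 0

    def write(self, data):
        """Append data. Returns False when the size limit has been exceeded and
        there is no versions option: named then writes nothing more until the
        file is removed or truncated out of band (re-checked on every call)."""
        if self.size is not None and self._current_size() > self.size:
            if self.versions == 0:
                return False
            rotate(self.path, self.versions)
        with open(self.path, "ab") as fh:
            fh.write(data)
        return True


def demo():
    """Run the three behaviours from the text in a scratch directory and report
    what is left on disk. Constructed input: 21-byte lines against a 40-byte
    limit, so the limit is exceeded after every second line."""
    scratch = tempfile.mkdtemp()
    line = b"x" * 20 + b"\n"

    kept = ChannelFile(os.path.join(scratch, "lamers.log"), versions=3, size=40)
    kept_ok = all([kept.write(line) for _ in range(10)])

    capped = ChannelFile(os.path.join(scratch, "capped.log"), versions=0, size=40)
    capped_results = [capped.write(line) for _ in range(3)]

    unlimited = ChannelFile(os.path.join(scratch, "unlim.log"), versions=None, size=40)
    for _ in range(7):
        unlimited.write(line)

    return {
        "kept_all_writes": kept_ok,
        "kept_backups": backup_versions(kept.path),
        "kept_dropped_old": not os.path.exists(kept.path + ".3"),
        "capped_results": capped_results,
        "capped_size": os.path.getsize(capped.path),
        "unlimited_backups": backup_versions(unlimited.path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The operational point is the third case: a channel with <span><strong class="command">size</strong></span> but no <span><strong class="command">versions</strong></span> goes silent once the limit is hit, so if the file is a security log it needs either a <span><strong class="command">versions</strong></span> option or an external rotation that truncates it.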
 The <span><strong class="command">syslog</strong></span> destination clause
 directs the
 channel to the system log. Its argument is a
 syslog facility as described in the <span><strong class="command">syslog</strong></span> man
 page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
 <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
 <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
 <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
 <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
 <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
 <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
 <span><strong class="command">local7</strong></span>, however not all facilities
 are supported on
 all operating systems.
 How <span><strong class="command">syslog</strong></span> will handle messages
 this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
 page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
 only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
 then this clause is silently ignored.
 On Windows machines syslog messages are directed to the EventViewer.
 The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
 "priorities", except that they can also be used if you are writing
 straight to a file rather than using <span><strong class="command">syslog</strong></span>.
 Messages which are not at least of the severity level given will
 not be selected for the channel; messages of higher severity
 will be accepted.
 If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
 will also determine what eventually passes through. For example,
 defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
 only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
 cause messages of severity <span><strong class="command">info</strong></span> and
 <span><strong class="command">notice</strong></span> to
 be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
 messages of only <span><strong class="command">warning</strong></span> or higher,
 then <span><strong class="command">syslogd</strong></span> would
 print all messages it received from the channel.
 The <span><strong class="command">stderr</strong></span> destination clause
 directs the
 channel to the server's standard error stream. This is intended
 use when the server is running as a foreground process, for
 when debugging a configuration.
 The server can supply extensive debugging information when
 it is in debugging mode. If the server's global debug level is
 than zero, then debugging mode will be active. The global debug
 level is set either by starting the <span><strong class="command">named</strong></span> server
 with the <code class="option">-d</code> flag followed by a positive integer,
 or by running <span><strong class="command">rndc trace</strong></span>.
 The global debug level
 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
 that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
 will get debugging output of level 3 or less any time the
 server is in debugging mode, regardless of the global debugging
 level. Channels with <span><strong class="command">dynamic</strong></span>
 severity use the
 server's global debug level to determine what messages to print.
 If <span><strong class="command">print-time</strong></span> has been turned on,
 the date and time will be logged. <span><strong class="command">print-time</strong></span> may
 be specified for a <span><strong class="command">syslog</strong></span> channel,
 but is usually
 pointless since <span><strong class="command">syslog</strong></span> also logs
 the date and
 time. If <span><strong class="command">print-category</strong></span> is
 requested, then the
 category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
 on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
 be used in any combination, and will always be printed in the
 order: time, category, severity. Here is an example where all
 three <span><strong class="command">print-</strong></span> options
 <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
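The filtering described in the <span><strong class="command">severity</strong></span> paragraphs (the channel's own threshold, the debug-level rules, and then what <span><strong class="command">syslog.conf</strong></span> lets through) together with the <span><strong class="command">print-</strong></span> options, as one added Python model that is not part of this manual or of <span><strong class="command">named</strong></span>. The numeric levels, the reading of a bare <span><strong class="command">severity debug</strong></span> as level 1, and the timestamp are assumptions of the model; the rendered example line reproduces the one shown above. It covers the general case (any severity against any channel and <span><strong class="command">syslog.conf</strong></span> selector), not only the <span><strong class="command">daemon.warning</strong></span> case in the text.

```python
import datetime

# Severity levels numbered the way named orders them: the more severe, the
# lower the number. Debug messages carry a positive level; a higher debug
# level means more detail. (Numbering is an assumption of this model.)
LEVELS = {"critical": -5, "error": -4, "warning": -3, "notice": -2, "info": -1}

# Constructed timestamp matching the example line in the text.
SAMPLE_TIME = datetime.datetime(2000, 2, 28, 15, 5, 32, 863000)


def level_of(severity, debug_level=None):
    """Numeric level of a severity; "debug" with no level is taken as 1."""
    if severity == "debug":
        return 1 if debug_level is None else debug_level
    return LEVELS[severity]


def syslog_keeps(priority, level):
    """What syslogd passes for 'facility.priority' in syslog.conf: that
    priority and anything more severe; "debug" passes everything."""
    return priority == "debug" or level <= LEVELS[priority]


class Channel:
    def __init__(self, severity="info", debug_level=None, syslog_priority=None,
                 print_time=False, print_category=False, print_severity=False):
        self.severity = severity                # a named severity, or "dynamic"
        self.debug_level = debug_level          # the level after "severity debug"
        self.syslog_priority = syslog_priority  # syslog.conf selector; None for a file channel
        self.print_time = print_time
        self.print_category = print_category
        self.print_severity = print_severity

    def threshold(self, global_debug_level):
        """dynamic follows the server's global debug level; anything else is fixed."""
        if self.severity == "dynamic":
            return global_debug_level
        return level_of(self.severity, self.debug_level)

    def accepts(self, severity, debug_level=None, global_debug_level=0):
        """Would a message of this severity reach the channel's final destination?"""
        level = level_of(severity, debug_level)
        # Debug output exists only while the server is in debugging mode.
        if level > 0 and global_debug_level == 0:
            return False
        # First stage: the channel's own severity threshold.
        if level > self.threshold(global_debug_level):
            return False
        # Second stage, syslog channels only: the syslog.conf priority.
        if self.syslog_priority is not None and not syslog_keeps(self.syslog_priority, level):
            return False
        return True

    def format_line(self, category, severity, text, when):
        """Render with the print- options, always in the order time, category, severity."""
        parts = []
        if self.print_time:
            parts.append(when.strftime("%d-%b-%Y %H:%M:%S") + ".%03d" % (when.microsecond // 1000))
        if self.print_category:
            parts.append(category + ":")
        if self.print_severity:
            parts.append(severity + ":")
        parts.append(text)
        return " ".join(parts)


def example_line():
    """The text's example with all three print- options turned on."""
    chan = Channel(print_time=True, print_category=True, print_severity=True)
    return chan.format_line("general", "notice", "running", SAMPLE_TIME)


if __name__ == "__main__":
    print(example_line())
    noisy = Channel(severity="debug", syslog_priority="warning")
    for sev in ("info", "notice", "warning"):
        print("daemon.debug channel, daemon.warning in syslog.conf:", sev, noisy.accepts(sev))
```

The practical check this supports: before relying on a syslog channel for <span><strong class="command">security</strong></span> or <span><strong class="command">update-security</strong></span> events (logged at <span><strong class="command">info</strong></span>), confirm that the facility's selector in <span><strong class="command">syslog.conf</strong></span> is not stricter than the channel's severity, or those approvals and denials never reach disk.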
 There are four predefined channels that are used for
 <span><strong class="command">named</strong></span>'s default logging as follows.
 How they are
 used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-f' option.
    // log at the server's current debug level
    severity dynamic;
channel default_stderr {
    // writes to stderr
    // only send priority info and higher
    severity info;
channel null {
    // toss anything sent to this channel
 The <span><strong class="command">default_debug</strong></span> channel has the
 property that it only produces output when the server's debug
 nonzero. It normally writes to a file called <code class="filename">named.run</code>
 in the server's working directory.
 For security reasons, when the "<code class="option">-u</code>"
 command line option is used, the <code class="filename">named.run</code> file
 is created only after <span><strong class="command">named</strong></span> has
 changed to the
 new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
 starting up and still running as root is discarded. If you need
 to capture this output, you must run the server with the "<code class="option">-g</code>"
 option and redirect standard error to a file.
 Once a channel is defined, it cannot be redefined. Thus you
 cannot alter the built-in channels directly, but you can modify
 the default logging by pointing categories at channels you have
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
 There are many categories, so you can send the logs you want
 to see wherever you want, without seeing logs you don't want. If
 you don't specify a list of channels for a category, then log
 in that category will be sent to the <span><strong class="command">default</strong></span> category
 instead. If you don't specify a default category, the following
 "default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
 As an example, let's say you want to log security events to
 a file, but you also want to keep the default logging behavior. You'd
 specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
category security {
    my_security_channel;
    default_syslog;
    default_debug;
 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
 Following are the available categories and brief descriptions
 of the types of log information they contain. More
 categories may be added in future <acronym class="acronym">BIND</acronym> releases.
 <p><span><strong class="command">default</strong></span></p>
 The default category defines the logging
 options for those categories where no specific
 configuration has been
 <p><span><strong class="command">general</strong></span></p>
 The catch-all. Many things still aren't
 classified into categories, and they all end up here.
 <p><span><strong class="command">database</strong></span></p>
 Messages relating to the databases used
 internally by the name server to store zone and cache
 <p><span><strong class="command">security</strong></span></p>
 Approval and denial of requests.
 <p><span><strong class="command">config</strong></span></p>
 Configuration file parsing and processing.
 <p><span><strong class="command">resolver</strong></span></p>
 DNS resolution, such as the recursive
 lookups performed on behalf of clients by a caching name
 <p><span><strong class="command">xfer-in</strong></span></p>
 Zone transfers the server is receiving.
 <p><span><strong class="command">xfer-out</strong></span></p>
 Zone transfers the server is sending.
 <p><span><strong class="command">notify</strong></span></p>
 The NOTIFY protocol.
 <p><span><strong class="command">client</strong></span></p>
 Processing of client requests.
 <p><span><strong class="command">unmatched</strong></span></p>
 Messages that <span><strong class="command">named</strong></span> was unable to determine the
 class of or for which there was no matching <span><strong class="command">view</strong></span>.
 A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
 This category is best sent to a file or stderr, by
 default it is sent to
 the <span><strong class="command">null</strong></span> channel.
 <p><span><strong class="command">network</strong></span></p>
 Network operations.
 <p><span><strong class="command">update</strong></span></p>
 Dynamic updates.
 <p><span><strong class="command">update-security</strong></span></p>
 Approval and denial of update requests.
 <p><span><strong class="command">queries</strong></span></p>
 Specify where queries should be logged to.
 At startup, specifying the category <span><strong class="command">queries</strong></span> will also
 enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
 The query log entry reports the client's IP
 address and port number, and the query name,
 class and type. Next it reports whether the
 Recursion Desired flag was set (+ if set, -
 if not set), if the query was signed (S),
 EDNS was in use (E), if TCP was used (T), if
 DO (DNSSEC Ok) was set (D), or if CD (Checking
 Disabled) was set (C). After this the
 destination address the query was sent to is
 <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
 <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
 (The first part of this log message, showing the
 repeated in all subsequent log messages related
 to the same query.)
<p><span><strong class="command">query-errors</strong></span></p>
Information about queries that resulted in some
<p><span><strong class="command">dispatch</strong></span></p>
Dispatching of incoming packets to the
server modules where they are to be processed.
<p><span><strong class="command">dnssec</strong></span></p>
DNSSEC and TSIG protocol processing.
<p><span><strong class="command">lame-servers</strong></span></p>
Lame servers. These are misconfigurations
in remote servers, discovered by BIND 9 when trying to
query those servers during resolution.
<p><span><strong class="command">delegation-only</strong></span></p>
Delegation only. Logs queries that have been
forced to NXDOMAIN as the result of a
delegation-only zone or a
<span><strong class="command">delegation-only</strong></span> in a
forward, hint or stub zone declaration.
<p><span><strong class="command">edns-disabled</strong></span></p>
Log queries that have been forced to use plain
DNS due to timeouts. This is often due to
the remote servers not being RFC 1034 compliant
(not always returning FORMERR or similar to
EDNS queries and other extensions to the DNS
when they are not understood). In other words, this is
targeted at servers that fail to respond to
DNS queries that they don't understand.
Note: the log message can also be due to
packet loss. Before reporting servers for
non-RFC 1034 compliance they should be re-tested
to determine the nature of the non-compliance.
This testing should prevent or reduce the
number of false-positive reports.
Note: eventually <span><strong class="command">named</strong></span> will have to stop
treating such timeouts as due to RFC 1034 non-compliance
and start treating them as plain
packet loss. Falsely classifying packet
loss as RFC 1034 non-compliance impacts
DNSSEC validation, which requires EDNS for
the DNSSEC records to be returned.
<p><span><strong class="command">RPZ</strong></span></p>
Information about errors in response policy zone files,
rewritten responses, and at the highest
<span><strong class="command">debug</strong></span> levels, mere rewriting
<p><span><strong class="command">rate-limit</strong></span></p>
The start, periodic, and final notices of the
rate limiting of a stream of responses are logged at
<span><strong class="command">info</strong></span> severity in this category.
These messages include a hash value of the domain name
of the response and the name itself,
except when there is insufficient memory to record
the name for the final notice.
The final notice is normally delayed until about one
minute after rate limiting stops.
A lack of memory can hurry the final notice,
in which case it starts with an asterisk (*).
Various internal events are logged at debug level 1
and higher.
Rate limiting of individual requests
is logged in the <span><strong class="command">query-errors</strong></span> category.
<a name="id2576609"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: to identify
why and how specific queries result in responses which
indicate an error.
Messages of this category are therefore only logged
at <span><strong class="command">debug</strong></span> levels.
At debug level 1 or higher, each response with the
rcode of SERVFAIL is logged as follows:
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
This means an error resulting in SERVFAIL was
detected at line 3880 of source file
Log messages at this level will particularly
help identify the cause of SERVFAIL for an
authoritative server.
At debug level 2 or higher, detailed context
information on recursive resolutions that resulted in
SERVFAIL is logged.
The log message will look as follows:
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
The first part before the colon shows that a recursive
resolution for AAAA records of www.example.com completed
in 30.000183 seconds and the final result that led to the
SERVFAIL was determined at line 2970 of source file
The following part shows the detected final result and the
latest result of DNSSEC validation.
The latter is always success when no validation attempt
In this example, this query resulted in SERVFAIL probably
because all name servers are down or unreachable, leading
to a timeout in 30 seconds.
DNSSEC validation was probably not attempted.
The last part enclosed in square brackets shows statistics
information collected for this particular resolution
The <code class="varname">domain</code> field shows the deepest zone
that the resolver reached;
it is the zone where the error was finally detected.
The meaning of the other fields is summarized in the
following table.
<table border="1">
<thead><tr><th>Field</th><th>Meaning</th></tr></thead>
<tbody>
<tr><td><code class="varname">referral</code></td><td>
The number of referrals the resolver received
throughout the resolution process.
In the above example this is 2, which are most
likely com and example.com.
</td></tr>
<tr><td><code class="varname">restart</code></td><td>
The number of cycles that the resolver tried
remote servers at the <code class="varname">domain</code>
In each cycle the resolver sends one query
(possibly resending it, depending on the response)
to each known name server of
</td></tr>
<tr><td><code class="varname">qrysent</code></td><td>
The number of queries the resolver sent at the
</td></tr>
<tr><td><code class="varname">timeout</code></td><td>
The number of timeouts since the resolver
received the last response.
</td></tr>
<tr><td><code class="varname">lame</code></td><td>
The number of lame servers the resolver detected
A server is detected to be lame either by an
invalid response or as a result of lookup in
BIND 9's address database (ADB), where lame
servers are cached.
</td></tr>
<tr><td><code class="varname">neterr</code></td><td>
The number of erroneous results that the
resolver encountered in sending queries
One common case is the remote server is
unreachable and the resolver receives an ICMP
unreachable error message.
</td></tr>
<tr><td><code class="varname">badresp</code></td><td>
The number of unexpected responses (other than
<code class="varname">lame</code>) to queries sent by the
resolver at the <code class="varname">domain</code> zone.
</td></tr>
<tr><td><code class="varname">adberr</code></td><td>
Failures in finding remote server addresses
of the <code class="varname">domain</code> zone in the ADB.
One common case of this is that the remote
server's name does not have any address records.
</td></tr>
<tr><td><code class="varname">findfail</code></td><td>
Failures of resolving remote server addresses.
This is a total number of failures throughout
the resolution process.
</td></tr>
<tr><td><code class="varname">valfail</code></td><td>
Failures of DNSSEC validation.
Validation failures are counted throughout
the resolution process (not limited to
the <code class="varname">domain</code> zone), but should
only happen in <code class="varname">domain</code>.
</td></tr>
</tbody>
</table>
At debug level 3 or higher, the same messages
as those at debug level 1 are logged for errors
other than SERVFAIL.
Note that negative responses such as NXDOMAIN are not
regarded as errors here.
At debug level 4 or higher, the same messages
as those at debug level 2 are logged for errors
other than SERVFAIL.
Unlike the case of level 3 above, messages are also logged for
negative responses.
This is because any unexpected result can be difficult to
debug in the recursion case.
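As an added example that is not code from the manual, the following Python parses the debug level 1 "query failed" line and the debug level 2 "fetch completed" line shown above, then maps the bracketed counters to the causes the table gives for each field. The sample strings are the manual's own two messages joined onto single lines as a log file holds them; the finding labels returned by diagnose() are this example's own shorthand, not strings named emits.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Debug level 1 line:
#   client ADDR#PORT: query failed (RCODE) for NAME/CLASS/TYPE at FILE:LINE
QUERY_FAILED_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+): query failed "
    r"\((?P<rcode>[A-Z]+)\) for (?P<qname>[^/\s]+)/(?P<qclass>[^/\s]+)/(?P<qtype>\S+) "
    r"at (?P<where>\S+)"
)

# Debug level 2 line (one line in the log; the manual wraps it for display):
#   fetch completed at FILE:LINE for NAME/TYPE in SECONDS: RESULT/VALIDATION [stats]
FETCH_COMPLETED_RE = re.compile(
    r"fetch completed at (?P<where>\S+) for (?P<qname>[^/\s]+)/(?P<qtype>\S+) "
    r"in (?P<seconds>[0-9.]+): (?P<result>[^/\[]+)/(?P<validation>\S+) "
    r"\[(?P<stats>[^\]]*)\]"
)


@dataclass
class QueryFailed:
    client_addr: str
    client_port: int
    rcode: str
    qname: str
    qclass: str
    qtype: str
    where: str          # source file and line where the error was detected


@dataclass
class FetchCompleted:
    where: str
    qname: str
    qtype: str
    seconds: float
    result: str         # final result, e.g. "timed out"
    validation: str     # latest DNSSEC validation result ("success" if none attempted)
    domain: str         # deepest zone the resolver reached
    counters: Dict[str, int] = field(default_factory=dict)


def parse_query_failed(line: str) -> Optional[QueryFailed]:
    m = QUERY_FAILED_RE.search(line)
    if m is None:
        return None
    return QueryFailed(m.group("addr"), int(m.group("port")), m.group("rcode"),
                       m.group("qname"), m.group("qclass"), m.group("qtype"),
                       m.group("where"))


def parse_fetch_completed(line: str) -> Optional[FetchCompleted]:
    m = FETCH_COMPLETED_RE.search(line)
    if m is None:
        return None
    domain, counters = "", {}
    for item in m.group("stats").split(","):
        key, _, value = item.strip().partition(":")
        if key == "domain":
            domain = value
        elif value.isdigit():
            counters[key] = int(value)
    return FetchCompleted(m.group("where"), m.group("qname"), m.group("qtype"),
                          float(m.group("seconds")), m.group("result").strip(),
                          m.group("validation"), domain, counters)


def diagnose(fc: FetchCompleted) -> List[str]:
    """Map the counters to the causes the table above gives for each field."""
    c = fc.counters
    findings: List[str] = []
    # timed out with no lame servers and no network errors: servers down/unreachable
    if fc.result == "timed out" and not c.get("lame") and not c.get("neterr"):
        findings.append("servers-unreachable")
    if fc.validation != "success" or c.get("valfail"):
        findings.append("dnssec-validation-failure")
    if c.get("lame"):
        findings.append("lame-servers")
    if c.get("neterr"):
        findings.append("network-errors")               # e.g. ICMP unreachable
    if c.get("badresp"):
        findings.append("unexpected-responses")
    if c.get("adberr"):
        findings.append("server-names-without-addresses")
    if c.get("findfail"):
        findings.append("server-address-resolution-failed")
    return findings


# The manual's two messages, joined onto single lines as they appear in a log.
SAMPLE_QUERY_FAILED = ("client 127.0.0.1#61502: query failed (SERVFAIL) "
                       "for www.example.com/IN/AAAA at query.c:3880")
SAMPLE_FETCH = ("fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: "
                "timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,"
                "timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]")
```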
<a name="id2577060"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
[<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
<a name="id2577212"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">lwres</strong></span> statement configures the
server to also act as a lightweight resolver server. (See
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<span><strong class="command">lwres</strong></span> statements configuring
lightweight resolver servers with different properties.
The <span><strong class="command">listen-on</strong></span> statement specifies the
addresses (and ports) that this instance of a lightweight resolver
should accept requests on. If no port is specified, port 921 is
If this statement is omitted, requests will be accepted on
The <span><strong class="command">view</strong></span> statement binds this
instance of a
lightweight resolver daemon to a view in the DNS namespace, so that
responses will be constructed in the same manner as a normal DNS
matching this view. If this statement is omitted, the default view
used, and if there is no default view, an error is triggered.
The <span><strong class="command">search</strong></span> statement is equivalent to
the <span><strong class="command">search</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It provides a
list of domains
which are appended to relative names in queries.
The <span><strong class="command">ndots</strong></span> statement is equivalent to
the <span><strong class="command">ndots</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It indicates the
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
<a name="id2577276"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2577325"></a><span><strong class="command">masters</strong></span> Statement Definition and
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
or <span><strong class="command">also-notify</strong></span> lists.
<a name="id2577347"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">options</strong></span> {
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
[<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
[<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-sit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
[<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ;
... }; </span>]
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding{ <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> suffix IPv6-address; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding }; </span>];
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> domain <em class="replaceable"><code>domain</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> responses-per-second [<span class="optional">size <em class="replaceable"><code>number</code></em></span>] [<span class="optional">ratio <em class="replaceable"><code>fixedpoint</code></em></span>] <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding } ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> policy given | disabled | passthru | drop | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>] ; </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
The <span><strong class="command">options</strong></span> statement sets up global options to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only once in a configuration file. If there is no <span><strong class="command">options</strong></span> statement, an options block with each option set to its default will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Allows multiple views to share a single cache
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each view has its own cache database by default, but
cfa64348224b66dd1c9979b809406c4d15b1c137fielding if multiple views have the same operational policy
cfa64348224b66dd1c9979b809406c4d15b1c137fielding for name resolution and caching, those views can
share a single cache to save memory and possibly
improve resolution efficiency by using this option.
The <span><strong class="command">attach-cache</strong></span> option
may also be specified in <span><strong class="command">view</strong></span>
statements, in which case it overrides the
global <span><strong class="command">attach-cache</strong></span> option.
The <em class="replaceable"><code>cache_name</code></em> specifies
the cache to be shared.
When the <span><strong class="command">named</strong></span> server configures
views which are supposed to share a cache, it
creates a cache with the specified name for the
first view of these sharing views.
The rest of the views will simply refer to the
already created cache.
One common configuration to share a cache would be to
allow all views to share a single cache.
This can be done by specifying
the <span><strong class="command">attach-cache</strong></span> as a global
option with an arbitrary name.
Another possible operation is to allow a subset of
all views to share a cache while the others
retain their own caches.
For example, if there are three views A, B, and C,
and only A and B should share a cache, specify the
<span><strong class="command">attach-cache</strong></span> option as a view A (or
B)'s option, referring to the other view name:
<pre class="programlisting">view "A" { // this view has its own cache
};
view "B" { // this view refers to A's cache
    attach-cache "A";
};
view "C" { // this view has its own cache
};</pre>
Views that share a cache must have the same policy
on configurable parameters that may affect caching.
The current implementation requires the following
configurable options be consistent among these views:
<span><strong class="command">check-names</strong></span>,
<span><strong class="command">cleaning-interval</strong></span>,
<span><strong class="command">dnssec-accept-expired</strong></span>,
<span><strong class="command">dnssec-validation</strong></span>,
<span><strong class="command">max-cache-ttl</strong></span>,
<span><strong class="command">max-ncache-ttl</strong></span>,
<span><strong class="command">max-cache-size</strong></span>, and
<span><strong class="command">zero-no-soa-ttl</strong></span>.
Note that there may be other parameters that may
cause confusion if they are inconsistent for
different views that share a single cache.
For example, if these views define different sets of
forwarders that can return different answers for the
same question, sharing the answer does not make
sense or could even be harmful.
It is the administrator's responsibility to ensure that
configuration differences in different views do
not cause disruption with a shared cache.
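The consistency requirement above is easy to violate once views accumulate per-view overrides, so here is an added example (not part of the ARM and not BIND's own code) of a small Python check that reads a simplified named.conf, groups views by the cache they end up sharing, and reports the listed options whose values differ inside a group. It assumes that a view without any attach-cache uses its own cache, which other views can name by the view's name as in the A/B/C example above, and that statements in the global options block apply to every view unless the view overrides them. The configuration text is constructed for the example, and the reader handles only flat `option value;` statements, not BIND's full grammar.

```python
import re
from collections import defaultdict

# Options the ARM requires to be consistent among views that share a cache.
CACHE_SENSITIVE = (
    "check-names", "cleaning-interval", "dnssec-accept-expired",
    "dnssec-validation", "max-cache-ttl", "max-ncache-ttl",
    "max-cache-size", "zero-no-soa-ttl",
)

# Constructed sample named.conf modelled on the A/B/C example:
# view B attaches to A's cache but sets a different max-cache-ttl.
SAMPLE_CONF = """
options {
    directory "/var/named";
    dnssec-validation auto;
};
view "A" {
    match-clients { 10.0.0.0/8; };
    // this view has its own cache
    max-cache-ttl 3600;
    max-ncache-ttl 300;
};
view "B" {
    match-clients { 192.0.2.0/24; };
    attach-cache "A";      // this view refers to A's cache
    max-cache-ttl 86400;   // differs from view A: must be flagged
    max-ncache-ttl 300;
};
view "C" {
    match-clients { any; };
    // this view has its own cache
    max-cache-ttl 60;
};
"""

BLOCK_RE = re.compile(r'\b(options|view)\b\s*(?:"([^"]+)")?\s*\{')
STMT_RE = re.compile(r'([\w-]+)\s+([^;]+);')


def _top_level(body):
    """Drop everything inside nested { ... } blocks (match-clients, zone,
    ...) so only the block's own flat statements remain."""
    out, depth = [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_config(conf):
    """Simplified named.conf reader (not BIND's parser): returns the global
    options dict and {view_name: {option: value}} for flat `option value;`
    statements. Comments starting with // or # are ignored."""
    conf = re.sub(r"//[^\n]*|#[^\n]*", "", conf)
    global_opts, views = {}, {}
    for m in BLOCK_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # find the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = _top_level(conf[m.end():i - 1])
        opts = {k: v.strip().strip('"') for k, v in STMT_RE.findall(body)}
        if m.group(1) == "options":
            global_opts = opts
        else:
            views[m.group(2)] = opts
    return global_opts, views


def shared_cache_conflicts(conf):
    """Group views by the cache they use (a view-level attach-cache overrides
    the global one; a view with neither uses its own cache, named after the
    view) and return (cache, option, {view: value}) for every cache-sensitive
    option that differs inside a group."""
    global_opts, views = parse_config(conf)
    effective = {name: {**global_opts, **opts} for name, opts in views.items()}
    members = defaultdict(list)
    for name, opts in effective.items():
        members[opts.get("attach-cache", name)].append(name)
    conflicts = []
    for cache, names in sorted(members.items()):
        if len(names) < 2:
            continue                            # nothing is shared here
        for opt in CACHE_SENSITIVE:
            values = {n: effective[n].get(opt) for n in names}
            if len(set(values.values())) > 1:
                conflicts.append((cache, opt, values))
    return conflicts


if __name__ == "__main__":
    for cache, opt, values in shared_cache_conflicts(SAMPLE_CONF):
        print(f"cache {cache!r}: {opt} differs across views: {values}")
```

Running the script on the constructed configuration reports the max-cache-ttl mismatch between views A and B. The tuple CACHE_SENSITIVE is the list the ARM gives; the forwarders case the text mentions as a further hazard can be added to it in the same way.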
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
The working directory of the server.
Any non-absolute pathnames in the configuration file will be
taken as relative to this directory. The default location for most
output files (e.g. <code class="filename">named.run</code>)
is this directory.
If a directory is not specified, the working directory
defaults to `<code class="filename">.</code>', the directory from
which the server
was started. The directory specified should be an absolute
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
When performing dynamic update of secure zones, the
directory where the public and private DNSSEC key files
should be found, if different from the current working
directory. (Note that this option has no effect on the
paths for files containing non-DNSSEC keys such as
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
Specifies the directory in which to store the files that
track managed DNSSEC keys. By default, this is the working
If <span><strong class="command">named</strong></span> is not configured to use views,
then managed keys for the server will be tracked in a single
file called <code class="filename">managed-keys.bind</code>.
Otherwise, managed keys will be tracked in separate files,
one file per view; each file name will be the SHA256 hash
of the view name, followed by the extension
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete.</em></span> It
was used in <acronym class="acronym">BIND</acronym> 8 to specify
the pathname to the <span><strong class="command">named-xfer</strong></span>
program. In <acronym class="acronym">BIND</acronym> 9, no separate
<span><strong class="command">named-xfer</strong></span> program is needed;
its functionality is built into the name server.
<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
The KRB5 keytab file to use for GSS-TSIG updates. If
this option is set and tkey-gssapi-credential is not
set, then updates will be allowed with any key
matching a principal in the specified keytab.
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
and the credential is a Kerberos principal which the
server can acquire through the default system key
file, normally <code class="filename">/etc/krb5.keytab</code>.
The location of the keytab file can be overridden using the
tkey-gssapi-keytab option. Normally this principal is
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
also be set if a specific keytab is not set with
tkey-gssapi-keytab.
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
The domain appended to the names of all shared keys
generated with <span><strong class="command">TKEY</strong></span>. When a
client requests a <span><strong class="command">TKEY</strong></span> exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
be <code class="varname">client specified part</code> +
<code class="varname">tkey-domain</code>. Otherwise, the
name of the shared key will be <code class="varname">random hex
digits</code> + <code class="varname">tkey-domain</code>.
In most cases, the <span><strong class="command">domainname</strong></span>
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.<code class="varname">domainname</code>". If you are
using GSS-TSIG, this variable must be defined, unless
you specify a specific keytab using tkey-gssapi-keytab.
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman
mode of <span><strong class="command">TKEY</strong></span>. The server must be
able to load the
public and private keys from files in the working directory. In
most cases, the keyname should be the server's host name.
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
This is for testing only. Do not use.
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
The pathname of the file the server dumps
the database to when instructed to do so with
<span><strong class="command">rndc dumpdb</strong></span>.
If not specified, the default is <code class="filename">named_dump.db</code>.
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
The pathname of the file the server writes memory
usage statistics to on exit. If not specified,
the default is <code class="filename">named.memstats</code>.
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
The pathname of the file the server writes its process ID
in. If not specified, the default is
<code class="filename">/var/run/named/named.pid</code>.
The PID file is used by programs that want to send signals to
the running
name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file — no file will be written and any
existing one will be removed. Note that <span><strong class="command">none</strong></span>
is a keyword, not a filename, and therefore is not enclosed in
double quotes.
<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <span><strong class="command">rndc recursing</strong></span>.
If not specified, the default is <code class="filename">named.recursing</code>.
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
The pathname of the file the server appends statistics
to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
If not specified, the default is <code class="filename">named.stats</code> in the
server's current directory. The format of the file is described
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
The pathname of a file to override the built-in trusted
keys provided by <span><strong class="command">named</strong></span>.
See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
and <span><strong class="command">dnssec-validation</strong></span> for details.
If not specified, the default is
<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
The pathname of the file the server dumps
security roots to when instructed to do so with
<span><strong class="command">rndc secroots</strong></span>.
If not specified, the default is
<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
The pathname of the file into which to write a TSIG
session key generated by <span><strong class="command">named</strong></span> for use by
<span><strong class="command">nsupdate -l</strong></span>. If not specified, the
default is <code class="filename">/var/run/named/session.key</code>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
particular the discussion of the
<span><strong class="command">update-policy</strong></span> statement's
<strong class="userinput"><code>local</code></strong> option for more
information about this feature.)
<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
The key name to use for the TSIG session key.
If not specified, the default is "local-ddns".
<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
The algorithm to use for the TSIG session key.
Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384, hmac-sha512 and hmac-md5. If not
specified, the default is hmac-sha256.
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
receiving and sending DNS protocol traffic.
The default is 53. This option is mainly intended for server
a server using a port other than 53 will not be able to
communicate with
the global DNS.
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This option specifies the device (or file) from which
entropy. If this is a file, operations requiring entropy will
fail when the
file has been exhausted. If not specified, the default value
(or equivalent) when present, and none otherwise. The
<span><strong class="command">random-device</strong></span> option takes
effect during
the initial configuration load at server startup time and
is ignored on subsequent reloads.
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
If specified, the listed type (A or AAAA) will be emitted
before other glue
in the additional section of a query response.
The default is not to prefer any type (NONE).
<dt><a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
Turn on enforcement of delegation-only in TLDs
(top level domains) and root zones with an optional
exclude list.
DS queries are expected to be made to and be answered by
delegation only zones. Such queries and responses are
treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses provided
a CNAME is not discovered at the query name.
If a delegation only zone server also serves a child
zone it is not always possible to determine whether
an answer comes from the delegation only zone or the
child zone. SOA, NS and DNSKEY records are apex
only records and a matching response that contains
these records or DS is treated as coming from a
child zone. RRSIG records are also examined to see
if they are signed by a child zone or not. The
authority section is also examined to see if there
is evidence that the answer is from the child zone.
Answers that are determined to be from a child zone
are not converted to NXDOMAIN responses. Despite
all these checks there is still a possibility of
false negatives when a child zone is being served.
Similarly false positives can arise from empty nodes
(no records at the name) in the delegation only zone
when the query type is not ANY.
Note that some TLDs are not delegation only (e.g. "DE", "LV",
"US" and "MUSEUM"). This list is not exhaustive.
<pre class="programlisting">root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };</pre>
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
Disable the specified DNSSEC algorithms at and below the
specified name.
Multiple <span><strong class="command">disable-algorithms</strong></span>
statements are allowed.
Only the best match <span><strong class="command">disable-algorithms</strong></span>
clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered
by that <span><strong class="command">disable-algorithms</strong></span> clause will be treated
as insecure.
<dt><span class="term"><span><strong class="command">disable-ds-digests</strong></span></span></dt>
Disable the specified DS/DLV digest types at and below the
specified name.
Multiple <span><strong class="command">disable-ds-digests</strong></span>
statements are allowed.
Only the best match <span><strong class="command">disable-ds-digests</strong></span>
clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered
by that <span><strong class="command">disable-ds-digests</strong></span> clause will be treated
as insecure.
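The best-match rule in both entries above (only the deepest clause whose name covers the zone applies; clauses at shallower names are not merged in) is the part most often misread, so here is an added example, not from the ARM or from BIND, that models the selection in Python for disable-algorithms; the same logic applies unchanged to disable-ds-digests. The algorithm set SUPPORTED and the three statements are constructed for the example and are not BIND's actual supported list.

```python
# Illustrative set of DNSSEC algorithm mnemonics; not BIND's real list,
# which depends on the build.
SUPPORTED = frozenset({"RSASHA1", "RSASHA256", "RSASHA512", "ECDSAP256SHA256"})

# Constructed statements as (name, {disabled algorithms}), equivalent to:
#   disable-algorithms "." { RSASHA1; };
#   disable-algorithms "example.net" { RSASHA256; };
#   disable-algorithms "lab.example.net" { <every supported algorithm> };
STATEMENTS = [
    (".", {"RSASHA1"}),
    ("example.net", {"RSASHA256"}),
    ("lab.example.net", set(SUPPORTED)),
]


def _labels(name):
    """Split a domain name into lower-cased labels; "." becomes []."""
    return [label.lower() for label in name.strip(".").split(".") if label]


def at_or_below(qname, ancestor):
    """True when qname equals ancestor or lies inside its subtree."""
    q, a = _labels(qname), _labels(ancestor)
    return len(q) >= len(a) and q[len(q) - len(a):] == a


def best_match(statements, qname):
    """Return the single (name, disabled) clause whose name is the deepest
    ancestor of qname, or None. Only that clause counts: a clause at "."
    does not add its algorithms to a deeper clause's set."""
    best = None
    for name, disabled in statements:
        if at_or_below(qname, name) and (
            best is None or len(_labels(name)) > len(_labels(best[0]))
        ):
            best = (name, frozenset(disabled))
    return best


def usable_algorithms(statements, qname, supported=SUPPORTED):
    """Algorithms the validator may still use for DNSKEYs at qname."""
    match = best_match(statements, qname)
    return set(supported) - (match[1] if match else frozenset())


def treated_as_insecure(statements, qname, supported=SUPPORTED):
    """A zone whose best-match clause disables every supported algorithm
    is treated as insecure (unsigned) rather than failing validation."""
    return not usable_algorithms(statements, qname, supported)


if __name__ == "__main__":
    for qname in ("example.com", "www.example.net", "host.lab.example.net"):
        match = best_match(STATEMENTS, qname)
        print(qname, "->", match[0] if match else None,
              sorted(usable_algorithms(STATEMENTS, qname)),
              "insecure" if treated_as_insecure(STATEMENTS, qname) else "validated")
```

Note what the output shows for www.example.net: RSASHA1 is usable there even though the "." clause disables it, because only the example.net clause is consulted. An administrator who wants an algorithm disabled everywhere must repeat it in every deeper clause.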
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
If <span><strong class="command">dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, then built-in default
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
If <span><strong class="command">dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
The default DLV key is stored in the file
<span><strong class="command">named</strong></span> will load that key at
startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
<code class="constant">auto</code>. A copy of the file is
installed along with <acronym class="acronym">BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <code class="filename">bind.keys</code> can be downloaded
from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
(To prevent problems if <code class="filename">bind.keys</code> is
not found, the current key is also compiled into
<span><strong class="command">named</strong></span>. Relying on this is not
recommended, however, as it requires <span><strong class="command">named</strong></span>
to be recompiled with a new key when the DLV key expires.)
NOTE: <span><strong class="command">named</strong></span> only loads certain specific
keys from <code class="filename">bind.keys</code>: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Specify hierarchies which must be or may not be secure
(signed and validated). If <strong class="userinput"><code>yes</code></strong>,
then <span><strong class="command">named</strong></span> will only accept answers if
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a
<span><strong class="command">trusted-keys</strong></span> or
<span><strong class="command">managed-keys</strong></span> statement, or
<span><strong class="command">dnssec-lookaside</strong></span> must be active.
<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
This directive instructs <span><strong class="command">named</strong></span> to
return mapped IPv4 addresses to AAAA queries when
there are no AAAA records. It is intended to be
used in conjunction with a NAT64. Each
<span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
Multiple DNS64 prefixes can be defined.
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
64 and 96 as per RFC 6052.
Additionally a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
CNAMEs. <span><strong class="command">dns64-server</strong></span> and
<span><strong class="command">dns64-contact</strong></span> can be used to specify
the name of the server and contact for the zones. These
are settable at the view / options level. These are
not settable on a per-prefix basis.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each <span><strong class="command">dns64</strong></span> supports an optional
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">clients</strong></span> ACL that determines which
cfa64348224b66dd1c9979b809406c4d15b1c137fielding clients are affected by this directive. If not defined,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding it defaults to <strong class="userinput"><code>any;</code></strong>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each <span><strong class="command">dns64</strong></span> supports an optional
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">mapped</strong></span> ACL that selects which
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv4 addresses are to be mapped in the corresponding
cfa64348224b66dd1c9979b809406c4d15b1c137fielding A RRset. If not defined it defaults to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <strong class="userinput"><code>any;</code></strong>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Normally, DNS64 won't apply to a domain name that
cfa64348224b66dd1c9979b809406c4d15b1c137fielding owns one or more AAAA records; these records will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding simply be returned. The optional
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">exclude</strong></span> ACL allows specification
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of a list of IPv6 addresses that will be ignored
cfa64348224b66dd1c9979b809406c4d15b1c137fielding if they appear in a domain name's AAAA records, and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding DNS64 will be applied to any A records the domain
cfa64348224b66dd1c9979b809406c4d15b1c137fielding name owns. If not defined, <span><strong class="command">exclude</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding defaults to none.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding A optional <span><strong class="command">suffix</strong></span> can also
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be defined to set the bits trailing the mapped
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv4 address bits. By default these bits are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding set to <strong class="userinput"><code>::</code></strong>. The bits
cfa64348224b66dd1c9979b809406c4d15b1c137fielding matching the prefix and mapped IPv4 address
cfa64348224b66dd1c9979b809406c4d15b1c137fielding must be zero.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If <span><strong class="command">recursive-only</strong></span> is set to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">yes</strong></span> the DNS64 synthesis will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only happen for recursive queries. The default
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is <span><strong class="command">no</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If <span><strong class="command">break-dnssec</strong></span> is set to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">yes</strong></span> the DNS64 synthesis will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding happen even if the result, if validated, would
cfa64348224b66dd1c9979b809406c4d15b1c137fielding cause a DNSSEC validation failure. If this option
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is set to <span><strong class="command">no</strong></span> (the default), the DO
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is set on the incoming query, and there are RRSIGs on
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the applicable records, then synthesis will not happen.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding dns64 64:FF9B::/96 {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding clients { any; };
cfa64348224b66dd1c9979b809406c4d15b1c137fielding mapped { !rfc1918; any; };
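<p>
The address arithmetic behind the directive, as an added illustration that is not BIND's code: RFC 6052 embedding for every accepted prefix length (with the reserved byte 8 skipped and the <code>suffix</code> overlap check), the reverse IP6.ARPA-to-IN-ADDR.ARPA CNAME, and the <code>mapped</code> / <code>exclude</code> decision. Function names are hypothetical, named ACLs such as <code>rfc1918</code> are not resolved (ACL entries are literal networks, <code>any</code> or <code>none</code>, optionally negated), and the addresses used are constructed from documentation ranges.
</p>

```python
import ipaddress
from typing import Iterable, List, Optional

RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)   # what the directive accepts


def _v4_byte_positions(prefixlen: int) -> List[int]:
    """Byte offsets (0..15) holding the IPv4 address for a prefix length.
    RFC 6052 reserves bits 64..71 (byte 8), so for prefixes shorter than
    /96 the four IPv4 bytes skip over it."""
    if prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("unsupported DNS64 prefix length /%d" % prefixlen)
    positions, pos = [], prefixlen // 8
    for _ in range(4):
        if pos == 8:
            pos = 9
        positions.append(pos)
        pos += 1
    return positions


def synthesize_aaaa(prefix: str, ipv4: str, suffix: str = "::") -> str:
    """Embed ipv4 in the DNS64 prefix; suffix supplies the trailing bits."""
    net = ipaddress.IPv6Network(prefix)          # strict: host bits must be 0
    positions = _v4_byte_positions(net.prefixlen)
    out = bytearray(net.network_address.packed)
    for pos, octet in zip(positions, ipaddress.IPv4Address(ipv4).packed):
        out[pos] = octet
    # Suffix bits overlapping the prefix, the IPv4 address or reserved
    # byte 8 must be zero, as the directive requires.
    reserved = set(range(net.prefixlen // 8)) | set(positions)
    if net.prefixlen < 96:
        reserved.add(8)
    for i, octet in enumerate(ipaddress.IPv6Address(suffix).packed):
        if octet and i in reserved:
            raise ValueError("suffix overlaps prefix, IPv4 or reserved bits")
        out[i] |= octet
    return str(ipaddress.IPv6Address(bytes(out)))


def extract_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """Inverse of synthesize_aaaa; None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(
        bytes(addr.packed[p] for p in _v4_byte_positions(net.prefixlen))))


def ip6_arpa_name(ipv6: str) -> str:
    """IP6.ARPA owner name of ipv6 (one nibble per label, reversed)."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_cname(prefix: str, name: str) -> Optional[str]:
    """Target of the CNAME the synthesized IP6.ARPA zone returns for name:
    the IN-ADDR.ARPA name of the embedded IPv4 address, or None."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    ipv6 = str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))
    ipv4 = extract_ipv4(prefix, ipv6)
    if ipv4 is None:
        return None
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def acl_allows(addr: str, acl: Iterable[str]) -> bool:
    """First-match evaluation of an address match list: a leading "!"
    negates an entry, "any"/"none" are built-ins, no match means no."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        else:
            net = ipaddress.ip_network(item, strict=False)
            hit = net.version == ip.version and ip in net
        if hit:
            return not negate
    return False


def dns64_answer(prefix: str, aaaa: Iterable[str], a: Iterable[str],
                 mapped: Iterable[str] = ("any",),
                 exclude: Iterable[str] = ("none",)) -> List[str]:
    """AAAA RRset handed to a client: AAAA records not matching exclude are
    returned as they are; only when none remain are the A records allowed
    by mapped synthesized. Defaults mirror the directive's own."""
    kept = [x for x in aaaa if not acl_allows(x, exclude)]
    if kept:
        return kept
    return [synthesize_aaaa(prefix, x) for x in a if acl_allows(x, mapped)]
```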
<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
<dd>
<p>
If this option is set to its default value of
<code class="literal">maintain</code> in a zone of type
<code class="literal">master</code> which is DNSSEC-signed
and configured to allow dynamic updates (see
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
if <span><strong class="command">named</strong></span> has access to the
private signing key(s) for the zone, then
<span><strong class="command">named</strong></span> will automatically sign all new
or changed records and maintain signatures for the zone
by regenerating RRSIG records whenever they approach
their expiration date.
</p>
<p>
If the option is changed to <code class="literal">no-resign</code>,
then <span><strong class="command">named</strong></span> will sign all new or
changed records, but scheduled maintenance of
signatures is disabled.
</p>
<p>
With either of these settings, <span><strong class="command">named</strong></span>
will reject updates to a DNSSEC-signed zone when the
signing keys are inactive or unavailable to
<span><strong class="command">named</strong></span>. (A planned third option,
<code class="literal">external</code>, will disable all automatic
signing and allow DNSSEC data to be submitted into a zone
via dynamic update; this is not yet implemented.)
</p>
</dd>
<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt>
<dd>
<p>
Specifies a maximum permissible TTL value.
When loading a zone file in
<code class="constant">text</code> or <code class="constant">raw</code> format,
any record encountered with a TTL higher than
<code class="option">max-zone-ttl</code> will cause the zone to
be rejected.
</p>
<p>
This is useful in DNSSEC-signed zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from
caches. The <code class="option">max-zone-ttl</code> option guarantees
that the largest TTL in the zone will be no higher
than the set value.
</p>
<p>
(NOTE: Because <code class="constant">map</code>-format files
load directly into memory, this option cannot be
used with them.)
</p>
</dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>full</code></strong>, the server will collect
statistical data on all zones (unless specifically
turned off on a per-zone basis by specifying
<span><strong class="command">zone-statistics terse</strong></span> or
<span><strong class="command">zone-statistics none</strong></span>
in the <span><strong class="command">zone</strong></span> statement).
The default is <strong class="userinput"><code>terse</code></strong>, providing
minimal statistics on zones (including name and
current serial number, but not query type counters).
</p>
<p>
These statistics may be accessed via the
<span><strong class="command">statistics-channel</strong></span> or
using <span><strong class="command">rndc stats</strong></span>, which
will dump them to the file listed
in the <span><strong class="command">statistics-file</strong></span>. See
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
</p>
<p>
For backward compatibility with earlier versions
of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
option can also accept <strong class="userinput"><code>yes</code></strong>
or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
has the same meaning as <strong class="userinput"><code>full</code></strong>.
As of <acronym class="acronym">BIND</acronym> 9.10,
<strong class="userinput"><code>no</code></strong> has the same meaning
as <strong class="userinput"><code>none</code></strong>; previously, it
was the same as <strong class="userinput"><code>terse</code></strong>.
</p>
</dd>
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
automatically rescan network interfaces when the interface
addresses are added or removed. The default is
<strong class="userinput"><code>yes</code></strong>.
</p>
<p>
Currently the OS needs to support routing sockets for
<span><strong class="command">automatic-interface-scan</strong></span> to be
supported.
</p>
</dd>
<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, then zones can be
added at runtime via <span><strong class="command">rndc addzone</strong></span>
or deleted via <span><strong class="command">rndc delzone</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
is always set on NXDOMAIN responses, even if the server is
not actually authoritative. The default is <strong class="userinput"><code>no</code></strong>;
a change from <acronym class="acronym">BIND</acronym> 8. If you
are using very old DNS software, you
may need to set it to <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
<dd>
<p>
This option was used in <acronym class="acronym">BIND</acronym> 8
to enable checking for memory leaks on exit.
<acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
the checks.
</p>
</dd>
<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
<dd>
<p>
Write memory statistics to the file specified by
<span><strong class="command">memstatistics-file</strong></span> at exit.
The default is <strong class="userinput"><code>no</code></strong> unless
<strong class="userinput"><code>-m record</code></strong> is specified on the command line, in
which case it is <strong class="userinput"><code>yes</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, then the
server treats all zones as if they are doing zone transfers
across a dial-on-demand dialup link, which can be brought up by
traffic originating from this server. This has different effects
according to zone type and concentrates the zone maintenance so that
it all happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
hopefully during the one call. It also suppresses some of the normal
zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
</p>
<p>
The <span><strong class="command">dialup</strong></span> option
may also be specified in the <span><strong class="command">view</strong></span> and
<span><strong class="command">zone</strong></span> statements,
in which case it overrides the global <span><strong class="command">dialup</strong></span>
option.
</p>
<p>
If the zone is a master zone, then the server will send out a NOTIFY
request to all the slaves (default). This should trigger the
zone serial number check in the slave (providing it supports NOTIFY),
allowing the slave to verify the zone while the connection is active.
The set of servers to which NOTIFY is sent can be controlled by
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
</p>
<p>
If the zone is a slave or stub zone, then the server will suppress
the regular "zone up to date" (refresh) queries and only perform them
when the <span><strong class="command">heartbeat-interval</strong></span> expires, in
addition to sending NOTIFY requests.
</p>
<p>
Finer control can be achieved by using
<strong class="userinput"><code>notify</code></strong>, which only sends NOTIFY messages;
<strong class="userinput"><code>notify-passive</code></strong>, which sends NOTIFY
messages and suppresses the normal refresh queries;
<strong class="userinput"><code>refresh</code></strong>,
which suppresses normal refresh processing and sends refresh
queries when the <span><strong class="command">heartbeat-interval</strong></span>
expires; and
<strong class="userinput"><code>passive</code></strong>, which just disables normal
refresh processing.
</p>
<table border="1">
<tr><th>dialup mode</th><th>normal refresh</th><th>heart-beat refresh</th><th>heart-beat notify</th></tr>
<tr><td><p><span><strong class="command">no</strong></span> (default)</p></td><td>yes</td><td>no</td><td>no</td></tr>
<tr><td><p><span><strong class="command">yes</strong></span></p></td><td>no</td><td>yes</td><td>yes</td></tr>
<tr><td><p><span><strong class="command">notify</strong></span></p></td><td>yes</td><td>no</td><td>yes</td></tr>
<tr><td><p><span><strong class="command">refresh</strong></span></p></td><td>no</td><td>yes</td><td>no</td></tr>
<tr><td><p><span><strong class="command">passive</strong></span></p></td><td>no</td><td>no</td><td>no</td></tr>
<tr><td><p><span><strong class="command">notify-passive</strong></span></p></td><td>no</td><td>no</td><td>yes</td></tr>
</table>
<p>
Note that normal NOTIFY processing is not affected by
<span><strong class="command">dialup</strong></span>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
<dd>
<p>
In <acronym class="acronym">BIND</acronym> 8, this option
enabled simulating the obsolete DNS query type
IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
IQUERY simulation.
</p>
</dd>
<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
<dd>
<p>
This option is obsolete.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records
it didn't have when constructing the additional
data section of a response. This is now considered a bad idea
and BIND 9 never does it.
</p>
</dd>
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<dd>
<p>
When the nameserver exits due to receiving SIGTERM,
flush or do not flush any pending zone writes. The default is
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
<dd>
<p>
This option was incorrectly implemented
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
To achieve the intended effect of
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
</p>
</dd>
<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
<dd>
<p>
In BIND 8, this enables keeping of
statistics for every host that the name server interacts with.
Not implemented in BIND 9.
</p>
</dd>
<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
<dd>
<p>
<span class="emphasis"><em>This option is obsolete</em></span>.
It was used in <acronym class="acronym">BIND</acronym> 8 to
determine whether a transaction log was
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
log whenever possible. If you need to disable outgoing
incremental zone transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
<dd>
<p>
This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
a domain name to have multiple CNAME records in violation of
the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
always strictly enforces the CNAME rules both in master
files and dynamic updates.
</p>
</dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong> (the default),
DNS NOTIFY messages are sent when a zone the server is
authoritative for changes; see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
sent to the servers listed in the zone's NS records (except the master
server identified in the SOA MNAME field), and to any servers listed in the
<span><strong class="command">also-notify</strong></span> option.
</p>
<p>
If <strong class="userinput"><code>master-only</code></strong>, notifies are only sent
for master zones.
If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
</p>
<p>
The <span><strong class="command">notify</strong></span> option may also be
specified in the <span><strong class="command">zone</strong></span> statement,
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
It would only be necessary to turn off this option if it
caused slaves to crash.
</p>
</dd>
<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, do not check the nameservers
in the NS RRset against the SOA MNAME. Normally a NOTIFY
message is not sent to the SOA MNAME (SOA ORIGIN) as it is
supposed to contain the name of the ultimate master.
Sometimes, however, a slave is listed as the SOA MNAME in
hidden master configurations and in that case you would
want the ultimate master to still send NOTIFY messages to
all the nameservers listed in the NS RRset.
</p>
</dd>
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, and a
DNS query requests recursion, then the server will attempt to do
all the work required to answer the query. If recursion is off
and the server does not already know the answer, it will return a
referral response. The default is
<strong class="userinput"><code>yes</code></strong>.
</p>
<p>
Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
clients from getting data from the server's cache; it only
prevents new data from being cached as an effect of client queries.
Caching may still occur as an effect of the server's internal
operation, such as NOTIFY address lookups.
See also <span><strong class="command">fetch-glue</strong></span> above.
</p>
</dd>
<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
the <span><strong class="command">resolver</strong></span> category at level
<span><strong class="command">info</strong></span>.
The default is <strong class="userinput"><code>no</code></strong>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">request-sit</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">sit-secret</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
Setting this to <strong class="userinput"><code>yes</code></strong> will
cause the server to send NS records along with the SOA
record for negative
answers. The default is <strong class="userinput"><code>no</code></strong>.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Not yet implemented in <acronym class="acronym">BIND</acronym>
<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete</em></span>.
<acronym class="acronym">BIND</acronym> 9 always allocates query
IDs from a pool.
<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete</em></span>.
If you need to disable IXFR to a particular server or
servers, see
the information on the <span><strong class="command">provide-ixfr</strong></span> option
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a>.
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
See the description of
<span><strong class="command">provide-ixfr</strong></span> in
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a>.
<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
See the description of
<span><strong class="command">request-ixfr</strong></span> in
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and Usage”</a>.
<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
This option was used in <acronym class="acronym">BIND</acronym>
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
as a space or tab character,
to facilitate loading of zone files on a UNIX system that
were generated
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
are always accepted,
and the option is ignored.
<dt><span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span></dt>
These options control the behavior of an authoritative
server when
answering queries which have additional data, or when
following CNAME
and DNAME chains.
When both of these options are set to <strong class="userinput"><code>yes</code></strong>
(the default) and a
query is being answered from authoritative data (a zone
configured into the server), the additional data section of
reply will be filled in using data from other authoritative
and from the cache. In some situations this is undesirable,
as when there is concern over the correctness of the cache,
in servers where slave zones may be added and modified by
untrusted third parties. Also, avoiding
the search for this additional data will speed up server
at the possible expense of additional queries to resolve
otherwise be provided in the additional section.
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
if known, even though they are not in the example.com zone.
Setting these options to <span><strong class="command">no</strong></span>
disables this behavior and makes
the server only search for additional data in the zone it
answers from.
These options are intended for use in authoritative-only
servers, or in authoritative-only views. Attempts to set
them to <span><strong class="command">no</strong></span> without also
<span><strong class="command">recursion no</strong></span> will cause the
ignore the options and log a warning message.
Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
disables the use of the cache not only for additional data
but also when looking up the answer. This is usually the
behavior in an authoritative-only server where the
correctness of
the cached data is an issue.
When a name server is non-recursively queried for a name
that is not
below the apex of any served zone, it normally answers with
"upwards referral" to the root servers or the servers of
known parent of the query name. Since the data in an
upwards referral
comes from the cache, the server will not be able to provide
referrals when <span><strong class="command">additional-from-cache no</strong></span>
has been specified. Instead, it will respond to such
with REFUSED. This should not cause any problems since
upwards referrals are not required for the resolution
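<p>As an added illustration (not part of the ARM and not BIND's own code), the following Python model shows where the additional section for the MX example above may be filled from under each setting. The two zones, the cache contents and the helper names are constructed for the example; the rule that the options are ignored with a warning unless <span><strong class="command">recursion no</strong></span> is also set is modelled inside <code class="literal">additional_section()</code>.</p>

```python
# Added example (not BIND code): a model of where additional-section
# data may come from under additional-from-auth / additional-from-cache.
# Zone data, cache data and names are constructed for the illustration.
import logging
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)

# Constructed authoritative data: two zones configured into the server.
ZONES: Dict[str, List[RR]] = {
    "example.com.": [
        ("example.com.", "MX", "10 mail.example.net."),
        ("example.com.", "MX", "20 mail.example.org."),
        ("www.example.com.", "A", "192.0.2.10"),
    ],
    "example.org.": [
        ("mail.example.org.", "A", "192.0.2.25"),
    ],
}
# Constructed cache contents learned from earlier recursion.
CACHE: List[RR] = [("mail.example.net.", "A", "198.51.100.5")]


def zone_for(name: str) -> Optional[str]:
    """Longest matching configured zone for a name, or None if not authoritative."""
    best = None
    for apex in ZONES:
        if (name == apex or name.endswith("." + apex)) and (best is None or len(apex) > len(best)):
            best = apex
    return best


def additional_section(query_zone: str, mx_target: str, *,
                       additional_from_auth: bool = True,
                       additional_from_cache: bool = True,
                       recursion: bool = False) -> List[RR]:
    """Address records placed in the additional section when an MX answer
    from query_zone names mx_target as the mail exchanger."""
    if recursion and not (additional_from_auth and additional_from_cache):
        # The options are meant for authoritative-only service; without
        # 'recursion no' named ignores them and logs a warning.
        logging.warning("additional-from-auth/cache 'no' ignored: recursion is enabled")
        additional_from_auth = additional_from_cache = True
    target_zone = zone_for(mx_target)
    if target_zone == query_zone:
        sources = ZONES[query_zone]            # the zone answered from is always searched
    elif target_zone is not None:
        sources = ZONES[target_zone] if additional_from_auth else []
    else:
        sources = CACHE if additional_from_cache else []
    return [rr for rr in sources if rr[0] == mx_target and rr[1] in ("A", "AAAA")]
```

With the defaults the cached address of <code class="literal">mail.example.net</code> is returned; with <code class="literal">additional_from_cache=False</code> (and recursion off) nothing from the cache is used, which is the behaviour the text describes for authoritative-only service.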
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then an
IPv4-mapped IPv6 address will match any address match
list entries that match the corresponding IPv4 address.
This option was introduced to work around a kernel quirk
in some operating systems that causes IPv4 TCP
connections, such as zone transfers, to be accepted on an
IPv6 socket using mapped addresses. This caused address
match lists designed for IPv4 to fail to match. However,
<span><strong class="command">named</strong></span> now solves this problem
internally. The use of this option is discouraged.
<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
This option is only available when
<acronym class="acronym">BIND</acronym> 9 is compiled with the
<strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
"configure" command line. It is intended to help the
transition from IPv4 to IPv6 by not giving IPv6 addresses
to DNS clients unless they have connections to the IPv6
Internet. This is not recommended unless absolutely
necessary. The default is <strong class="userinput"><code>no</code></strong>.
The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
may also be specified in <span><strong class="command">view</strong></span> statements
to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
If <strong class="userinput"><code>yes</code></strong>,
the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
If <strong class="userinput"><code>break-dnssec</code></strong>,
then AAAA records are deleted even when DNSSEC is enabled.
As suggested by the name, this makes the response not verify,
because the DNSSEC protocol is designed to detect deletions.
This mechanism can erroneously cause other servers to
not give AAAA records to their clients.
A recursing server with both IPv6 and IPv4 network connections
that queries an authoritative server using this mechanism
via IPv4 will be denied AAAA records even if its client is
using IPv6.
This mechanism is applied to authoritative as well as
non-authoritative records.
A client using IPv4 that is not allowed recursion can
erroneously be given AAAA records because the server is not
allowed to check for A records.
Some AAAA records are given to IPv4 clients in glue records.
IPv4 clients that are servers can then erroneously
answer requests for AAAA records received via IPv4.
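<p>The following Python model is an added example, not BIND code, of the filtering decision described above: which of <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>yes</code></strong> and <strong class="userinput"><code>break-dnssec</code></strong> removes AAAA records for a given client, and why a response mangled by <strong class="userinput"><code>break-dnssec</code></strong> fails validation. The response records, the client addresses and the <code class="literal">verifies()</code> stand-in for a validating resolver are constructed; the ACL argument plays the role of the <span><strong class="command">filter-aaaa</strong></span> address match list, which the model assumes defaults to any address.</p>

```python
# Added example (not BIND code): a model of the filter-aaaa-on-v4 /
# filter-aaaa-on-v6 decision.  Record sets, the ACL and the client
# addresses are constructed; only the option semantics follow the ARM.
import ipaddress
from typing import Iterable, List, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)


def in_acl(client: str, acl: Iterable[str]) -> bool:
    """True when the client address matches one of the ACL prefixes
    (the 'filter-aaaa' address match list; assumed to default to any)."""
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in acl)


def filter_aaaa(records: List[RR], client: str, *,
                filter_aaaa_acl: Iterable[str] = ("0.0.0.0/0", "::/0"),
                on_v4: str = "no", on_v6: str = "no",
                dnssec_signed: bool = False) -> List[RR]:
    """Return the records that would be sent to `client`.

    on_v4 / on_v6 take the option values "no", "yes" or "break-dnssec".
    With "yes", AAAA records are removed only from responses that carry
    no DNSSEC signatures; with "break-dnssec" they are removed even from
    signed responses.
    """
    mode = on_v4 if ipaddress.ip_address(client).version == 4 else on_v6
    if mode not in ("no", "yes", "break-dnssec"):
        raise ValueError(f"unknown filter-aaaa mode {mode!r}")
    if mode == "no" or not in_acl(client, filter_aaaa_acl):
        return list(records)
    if mode == "yes" and dnssec_signed:
        return list(records)          # signed answers are left intact
    # Only the AAAA records go; the RRSIGs covering them stay behind.
    return [rr for rr in records if rr[1] != "AAAA"]


def verifies(records: List[RR]) -> bool:
    """Crude stand-in for a validating resolver: every RRSIG in the
    response must still have the RRset it covers.  A response with AAAA
    deleted by break-dnssec keeps an RRSIG over AAAA and so fails."""
    present = {(owner, rtype) for owner, rtype, _ in records}
    for owner, rtype, rdata in records:
        if rtype == "RRSIG" and (owner, rdata.split()[0]) not in present:
            return False
    return True


# Constructed signed response for www.example.com (RRSIG fields abbreviated).
SIGNED_RESPONSE: List[RR] = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "RRSIG", "A 13 3 300 20240201000000 20240101000000 12345 example.com. <sig>"),
    ("www.example.com.", "AAAA", "2001:db8::10"),
    ("www.example.com.", "RRSIG", "AAAA 13 3 300 20240201000000 20240101000000 12345 example.com. <sig>"),
]
```

Calling <code class="literal">filter_aaaa(SIGNED_RESPONSE, "192.0.2.53", on_v4="break-dnssec", dnssec_signed=True)</code> strips the AAAA record and leaves its RRSIG, and <code class="literal">verifies()</code> then returns <code class="literal">False</code>; with <code class="literal">on_v4="yes"</code> the signed response is passed through unchanged.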
<dt><span class="term"><span><strong class="command">filter-aaaa-on-v6</strong></span></span></dt>
Identical to <span><strong class="command">filter-aaaa-on-v4</strong></span>,
except it filters AAAA responses to queries from IPv6
clients instead of IPv4 clients. To filter all
responses, set both options to <strong class="userinput"><code>yes</code></strong>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
When <strong class="userinput"><code>yes</code></strong> and the server loads a new
version of a master zone from its zone file or receives a
new version of a slave file via zone transfer, it will
compare the new version to the previous one and calculate
a set of differences. The differences are then logged in
the zone's journal file such that the changes can be
transmitted to downstream slaves as an incremental zone
By allowing incremental zone transfers to be used for
non-dynamic zones, this option saves bandwidth at the
expense of increased CPU and memory consumption at the
In particular, if the new version of a zone is completely
different from the previous one, the set of differences
will be of a size comparable to the combined size of the
old and new zone version, and the server will need to
temporarily allocate memory to hold this complete
difference set.
<p><span><strong class="command">ixfr-from-differences</strong></span>
also accepts <span><strong class="command">master</strong></span> and
<span><strong class="command">slave</strong></span> at the view and options
levels, which causes
<span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
all <span><strong class="command">master</strong></span> or
<span><strong class="command">slave</strong></span> zones respectively.
It is off by default.
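<p>As an added example (not BIND code), the Python below derives a journal transaction the way <span><strong class="command">ixfr-from-differences</strong></span> is described to: two versions of a zone are compared as sets of records, the records present only in the old version become deletions and those present only in the new version become additions. The zone versions, serials and names are constructed; the refusal to journal a content change whose SOA serial did not move, and the <code class="literal">diff_size()</code> helper showing that a completely rewritten zone produces a difference set as large as both versions together, are the model's own.</p>

```python
# Added example (not BIND code): how ixfr-from-differences derives a
# journal transaction by comparing two versions of a zone.  The zone
# contents and serials are constructed for the illustration.
from typing import List, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, type, rdata)


def soa_serial(zone: List[RR]) -> int:
    """The serial is the third RDATA field of the SOA record."""
    soa = next(rr for rr in zone if rr[2] == "SOA")
    return int(soa[3].split()[2])


def _soa_first(rr: RR):
    # IXFR transactions list the SOA before the other records of each half.
    return (rr[2] != "SOA", rr[0], rr[2], rr[3])


def zone_diff(old: List[RR], new: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Return (deleted, added): records present only in the old version and
    records present only in the new one.  Records are compared as whole
    tuples, so a TTL change shows up as delete + add, as in a journal."""
    old_set, new_set = set(old), set(new)
    deleted = sorted(old_set - new_set, key=_soa_first)
    added = sorted(new_set - old_set, key=_soa_first)
    return deleted, added


def journal_transaction(old: List[RR], new: List[RR]) -> List[Tuple[str, RR]]:
    """Journal entries for the change old -> new.  A changed zone whose
    serial did not move cannot be expressed as an IXFR, so it is refused."""
    deleted, added = zone_diff(old, new)
    if not deleted and not added:
        return []
    if soa_serial(new) == soa_serial(old):
        raise ValueError("zone content changed but the SOA serial did not")
    return [("del", rr) for rr in deleted] + [("add", rr) for rr in added]


def diff_size(old: List[RR], new: List[RR]) -> int:
    """Number of records the server must hold for the difference set."""
    deleted, added = zone_diff(old, new)
    return len(deleted) + len(added)


# Constructed versions of example.com: V2 changes one A record and bumps the serial.
SOA = "ns1.example.com. hostmaster.example.com. {serial} 7200 3600 1209600 3600"
V1: List[RR] = [
    ("example.com.", 3600, "SOA", SOA.format(serial=2024010101)),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    ("www.example.com.", 300, "A", "192.0.2.10"),
]
V2: List[RR] = [
    ("example.com.", 3600, "SOA", SOA.format(serial=2024010102)),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    ("www.example.com.", 300, "A", "192.0.2.11"),
]
# A completely rewritten zone: the difference set is as large as both versions together.
V3: List[RR] = [
    ("example.com.", 3600, "SOA", SOA.format(serial=2024010103)),
    ("example.com.", 3600, "NS", "ns2.example.com."),
    ("ns2.example.com.", 3600, "A", "198.51.100.1"),
]
```

For V1 to V2 the transaction holds four entries (old SOA and old A deleted, new SOA and new A added); for V1 to V3, <code class="literal">diff_size()</code> equals <code class="literal">len(V1) + len(V3)</code>, which is the memory cost the text warns about.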
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
This should be set when you have multiple masters for a zone
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
has. The default is <strong class="userinput"><code>no</code></strong>.
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
The default is <strong class="userinput"><code>yes</code></strong>.
<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a <span><strong class="command">trusted-keys</strong></span> or
<span><strong class="command">managed-keys</strong></span> statement. The default
is <strong class="userinput"><code>yes</code></strong>.
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Accept expired signatures when verifying DNSSEC signatures.
The default is <strong class="userinput"><code>no</code></strong>.
Setting this option to <strong class="userinput"><code>yes</code></strong>
leaves <span><strong class="command">named</strong></span> vulnerable to
replay attacks.
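<p>To make the replay caveat concrete, here is an added Python example (not BIND code) of the RRSIG validity-window check that <span><strong class="command">dnssec-accept-expired</strong></span> relaxes. The signature times follow RFC 4034 (32-bit seconds since the epoch, compared with RFC 1982 serial arithmetic so that the window survives the 2106 wraparound); the timestamps used in the usage note are constructed. With <code class="literal">accept_expired=True</code> the upper bound is simply not enforced, so an old signed answer that has been recorded and replayed is treated as current.</p>

```python
# Added example (not BIND code): the signature validity-window check
# that dnssec-accept-expired relaxes.  Times follow RFC 4034: 32-bit
# seconds since the epoch compared with RFC 1982 serial arithmetic.
import calendar
import time
from typing import Optional, Tuple

MOD = 1 << 32


def rrsig_time(text: str) -> int:
    """Parse the YYYYMMDDHHmmSS form used in RRSIG presentation format."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % MOD


def serial_lt(a: int, b: int) -> bool:
    """a < b in RFC 1982 serial arithmetic modulo 2^32."""
    return a != b and ((b - a) % MOD) < (MOD // 2)


def rrsig_time_ok(inception: int, expiration: int, now: Optional[int] = None,
                  accept_expired: bool = False) -> Tuple[bool, str]:
    """RFC 4034 section 3.1.5: a signature is usable only when
    inception <= now <= expiration.  With accept_expired (the
    'dnssec-accept-expired yes' setting) the upper bound is not
    enforced, so an old but otherwise valid signature, for instance one
    captured earlier and replayed, would be accepted."""
    now = (int(time.time()) if now is None else now) % MOD
    if serial_lt(now, inception % MOD):
        return False, "not yet valid"
    if not accept_expired and serial_lt(expiration % MOD, now):
        return False, "expired"
    return True, "ok"
```

A signature with inception <code class="literal">20240101000000</code> and expiration <code class="literal">20240131000000</code> checked on 15 March 2024 yields <code class="literal">(False, "expired")</code> by default and <code class="literal">(True, "ok")</code> with <code class="literal">accept_expired=True</code>; the inception bound is still enforced in both modes.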
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
If <span><strong class="command">querylog</strong></span> is not specified,
then the query logging
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
This option is used to restrict the character set and syntax
certain domain names in master files and/or DNS responses
from the network. The default varies according to usage
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
For <span><strong class="command">slave</strong></span> zones the default
is <span><strong class="command">warn</strong></span>.
For answers received from the network (<span><strong class="command">response</strong></span>)
the default is <span><strong class="command">ignore</strong></span>.
The rules for legal hostnames and mail domains are derived
from RFC 952 and RFC 821 as modified by RFC 1123.
<p><span><strong class="command">check-names</strong></span>
applies to the owner names of A, AAAA and MX records.
It also applies to the domain names in the RDATA of NS, SOA,
MX, and SRV records.
It also applies to the RDATA of PTR records where the owner
name indicates that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
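<p>The following Python is an added example (not BIND code) of the rules just described: the RFC 952 / RFC 1123 hostname syntax is applied to exactly the names listed (owner names of A, AAAA and MX; RDATA names of NS, SOA, MX and SRV; PTR RDATA under the reverse domains) and the result is the default action for the context. The record values are constructed; the treatment of wildcard owner names and the decision to check only the SOA MNAME field are simplifications of this model, not statements about <span><strong class="command">named</strong></span>.</p>

```python
# Added example (not BIND code): a model of the check-names rules.
# It applies the RFC 952 / RFC 1123 hostname syntax to the owner names
# and RDATA names the ARM lists, and returns the configured action for
# the context (master, slave or response).  Names are constructed.
import re
from typing import List, Optional

# One label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 octets (RFC 952 as relaxed by RFC 1123 to allow a leading digit).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
DEFAULT_ACTION = {"master": "fail", "slave": "warn", "response": "ignore"}
REVERSE_SUFFIXES = (".in-addr.arpa.", ".ip6.arpa.", ".ip6.int.")


def is_valid_hostname(name: str) -> bool:
    """Syntax check for an absolute (trailing-dot) hostname."""
    if name == ".":
        return True
    if not name.endswith(".") or len(name) > 255:
        return False
    labels = name[:-1].split(".")
    if labels and labels[0] == "*":      # wildcard owner names pass (model assumption)
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def rdata_hostname(rtype: str, rdata: str) -> Optional[str]:
    """The hostname field of the RDATA for the types check-names covers."""
    fields = rdata.split()
    if rtype in ("NS", "PTR"):
        return fields[0]
    if rtype == "SOA":      # MNAME; RNAME is a mailbox and is not modelled here
        return fields[0]
    if rtype == "MX":       # "<preference> <exchange>"
        return fields[1]
    if rtype == "SRV":      # "<priority> <weight> <port> <target>"
        return fields[3]
    return None


def check_record(owner: str, rtype: str, rdata: str, context: str = "master") -> str:
    """Return "ok" when every name check-names applies to is legal, otherwise
    the action configured for the context (fail / warn / ignore)."""
    names: List[str] = []
    if rtype in ("A", "AAAA", "MX"):
        names.append(owner)
    if rtype in ("NS", "SOA", "MX", "SRV"):
        names.append(rdata_hostname(rtype, rdata))
    if rtype == "PTR" and owner.lower().endswith(REVERSE_SUFFIXES):
        names.append(rdata_hostname(rtype, rdata))
    if all(is_valid_hostname(n) for n in names):
        return "ok"
    return DEFAULT_ACTION[context]
```

Note what is deliberately not checked: the underscore in an SRV owner name such as <code class="literal">_sip._tcp.example.com.</code> is fine because SRV owner names are not in the list, while an underscore in the SRV target is caught; the same underscore in a PTR target is only caught when the owner is a reverse name.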
<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
Check master zones for records that are treated as different
by DNSSEC but are semantically equal in plain DNS. The
default is to <span><strong class="command">warn</strong></span>. Other possible
values are <span><strong class="command">fail</strong></span> and
<span><strong class="command">ignore</strong></span>.
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
Check whether the MX record appears to refer to an IP address.
The default is to <span><strong class="command">warn</strong></span>. Other possible
values are <span><strong class="command">fail</strong></span> and
<span><strong class="command">ignore</strong></span>.
<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
This option is used to check for non-terminal wildcards.
The use of non-terminal wildcards is almost always as a
result of a failure
to understand the wildcard matching algorithm (RFC 1034).
This option
affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
for non-terminal wildcards and issue a warning.
<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
Perform post-load zone integrity checks on master
zones. This checks that MX and SRV records refer
to address (A or AAAA) records and that glue
address records exist for delegated zones. For
MX and SRV records only in-zone hostnames are
checked (for out-of-zone hostnames use
<span><strong class="command">named-checkzone</strong></span>).
For NS records only names below top of zone are
checked (for out-of-zone names and glue consistency
checks use <span><strong class="command">named-checkzone</strong></span>).
The default is <span><strong class="command">yes</strong></span>.
Check that the two forms of Sender Policy Framework
records (TXT records starting with "v=spf1" and SPF) either
both exist or both don't exist. Warnings are
emitted if they don't, and can be suppressed with
<span><strong class="command">check-spf</strong></span>.
<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
If <span><strong class="command">check-integrity</strong></span> is set then
fail, warn or ignore MX records that refer
to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
If <span><strong class="command">check-integrity</strong></span> is set then
fail, warn or ignore SRV records that refer
to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
When performing integrity checks, also check that
sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
When performing integrity checks, check that the
two forms of Sender Policy Framework records (TXT
records starting with "v=spf1" and SPF) both exist
or both don't exist and issue a warning if not
met. The default is <span><strong class="command">warn</strong></span>.
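<p>As an added example covering the <span><strong class="command">check-integrity</strong></span>, <span><strong class="command">check-mx-cname</strong></span>, <span><strong class="command">check-srv-cname</strong></span>, <span><strong class="command">check-sibling</strong></span> and <span><strong class="command">check-spf</strong></span> entries above (it is not BIND code), the Python below runs the described post-load checks over a constructed master zone: in-zone MX and SRV targets must have address records and not be CNAMEs, delegations need glue (and sibling glue when enabled), and the two SPF forms must either both exist or both be absent. The zone and the <code class="literal">"error"</code> level used for conditions that would stop a zone from loading are the model's own; the other levels are the option values.</p>

```python
# Added example (not BIND code): a post-load integrity checker in the
# spirit of check-integrity, check-mx-cname, check-srv-cname,
# check-sibling and check-spf.  The zone and the "error" level are
# constructed for the illustration; the other levels are option values.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)


def in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def check_integrity(zone: List[RR], apex: str, *, check_sibling: bool = True,
                    check_mx_cname: str = "warn", check_srv_cname: str = "warn",
                    check_spf: str = "warn") -> List[Tuple[str, str]]:
    """Return (level, message) findings for the master zone `zone`."""
    types: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, _ in zone:
        types[owner.lower()].add(rtype)

    def has_addr(name: str) -> bool:
        return bool(types.get(name.lower(), set()) & {"A", "AAAA"})

    findings: List[Tuple[str, str]] = []
    for owner, rtype, rdata in zone:
        if rtype in ("MX", "SRV"):
            target = rdata.split()[1 if rtype == "MX" else 3]
            if not in_zone(target, apex):
                continue            # out-of-zone targets are left to named-checkzone
            if "CNAME" in types.get(target.lower(), set()):
                level = check_mx_cname if rtype == "MX" else check_srv_cname
                if level != "ignore":
                    findings.append((level, f"{rtype} {owner} refers to CNAME {target}"))
            elif not has_addr(target):
                findings.append(("error", f"{rtype} {owner} target {target} has no A/AAAA"))
        elif rtype == "NS" and owner != apex:      # a delegation below the apex
            if in_zone(rdata, owner):              # server inside the child: glue required
                if not has_addr(rdata):
                    findings.append(("error", f"delegation {owner} lacks glue for {rdata}"))
            elif check_sibling and in_zone(rdata, apex) and not has_addr(rdata):
                findings.append(("error", f"delegation {owner} lacks sibling glue for {rdata}"))
    if check_spf != "ignore":
        for owner in sorted({o for o, _, _ in zone}):
            has_txt = any(t == "TXT" and r.strip('"').startswith("v=spf1")
                          for o, t, r in zone if o == owner)
            has_spf = "SPF" in types[owner.lower()]
            if has_txt != has_spf:
                findings.append((check_spf, f"{owner} has only one of TXT v=spf1 and SPF"))
    return findings


# Constructed zone exercising each check.
ZONE: List[RR] = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("mail.example.com.", "A", "192.0.2.25"),
    ("example.com.", "MX", "20 alias.example.com."),
    ("alias.example.com.", "CNAME", "mail.example.com."),
    ("_sip._tcp.example.com.", "SRV", "0 5 5060 sip.example.com."),   # no address records
    ("sub.example.com.", "NS", "ns.sub.example.com."),                 # no glue
    ("other.example.com.", "NS", "ns2.example.com."),                  # sibling glue missing
    ("example.com.", "TXT", '"v=spf1 mx -all"'),                       # no matching SPF record
]
```

Running <code class="literal">check_integrity(ZONE, "example.com.")</code> produces five findings: the MX pointing at a CNAME and the lone TXT SPF record at <code class="literal">warn</code>, and three errors for the SRV target without addresses, the delegation without glue and the delegation without sibling glue. Turning off <code class="literal">check_sibling</code> and setting the CNAME and SPF checks to <code class="literal">ignore</code> leaves only the two conditions <span><strong class="command">check-integrity</strong></span> itself enforces.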
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
When returning authoritative negative responses to
SOA queries set the TTL of the SOA record returned in
the authority section to zero.
The default is <span><strong class="command">yes</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
When caching a negative response to a SOA query
set the TTL to zero.
The default is <span><strong class="command">no</strong></span>.
<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
When set to the default value of <code class="literal">yes</code>,
check the KSK bit in each key to determine how the key
should be used when generating RRSIGs for a secure zone.
Ordinarily, zone-signing keys (that is, keys without the
KSK bit set) are used to sign the entire zone, while
key-signing keys (keys with the KSK bit set) are only
used to sign the DNSKEY RRset at the zone apex.
However, if this option is set to <code class="literal">no</code>,
then the KSK bit is ignored; KSKs are treated as if they
were ZSKs and are used to sign the entire zone. This is
similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
command line option.
When this option is set to <code class="literal">yes</code>, there
must be at least two active keys for every algorithm
represented in the DNSKEY RRset: at least one KSK and one
ZSK per algorithm. If there is any algorithm for which
this requirement is not met, this option will be ignored
for that algorithm.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding When this option and <span><strong class="command">update-check-ksk</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding are both set to <code class="literal">yes</code>, only key-signing
cfa64348224b66dd1c9979b809406c4d15b1c137fielding keys (that is, keys with the KSK bit set) will be used
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to sign the DNSKEY RRset at the zone apex. Zone-signing
cfa64348224b66dd1c9979b809406c4d15b1c137fielding keys (keys without the KSK bit set) will be used to sign
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the remainder of the zone, but not the DNSKEY RRset.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This is similar to the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is <span><strong class="command">no</strong></span>. If
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">update-check-ksk</strong></span> is set to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="literal">no</code>, this option is ignored.
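The signing rules in the update-check-ksk and dnssec-dnskey-kskonly entries above, worked through as an added Python example that is not part of this manual or of BIND: given each key's algorithm and KSK (SEP) bit, it reports which RRsets each key signs under the two options, including the per-algorithm fallback when a KSK or a ZSK is missing. The key tags, algorithms and flag values are constructed for the example.

```python
"""Model of which keys sign which RRsets under update-check-ksk and
dnssec-dnskey-kskonly, following the rules stated in the manual.
Added example; not BIND's own code.  Keys below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

SEP_FLAG = 0x0001            # DNSKEY SEP bit (RFC 4034); the manual calls it the KSK bit
DNSKEY_RRSET = "apex DNSKEY"
REST_OF_ZONE = "rest of zone"


@dataclass(frozen=True)
class Key:
    tag: int          # placeholder key tag, constructed for the example
    algorithm: int    # DNSKEY algorithm number, e.g. 8 (RSASHA256), 13 (ECDSAP256SHA256)
    flags: int        # 257 = ZONE|SEP (KSK), 256 = ZONE only (ZSK)

    @property
    def is_ksk(self):
        return bool(self.flags & SEP_FLAG)


def signing_roles(keys, update_check_ksk=True, dnssec_dnskey_kskonly=False):
    """Map each key tag to the set of RRset classes its RRSIGs cover.

    update-check-ksk yes: KSKs sign only the apex DNSKEY RRset; ZSKs sign the
    whole zone, DNSKEY included unless dnssec-dnskey-kskonly is also yes.
    The check is skipped for any algorithm lacking either a KSK or a ZSK, and
    for every algorithm when update-check-ksk is no (the KSK bit is ignored
    and each key signs everything, as with dnssec-signzone -z)."""
    by_alg = defaultdict(list)
    for key in keys:
        by_alg[key.algorithm].append(key)

    roles = {}
    for alg_keys in by_alg.values():
        has_ksk = any(k.is_ksk for k in alg_keys)
        has_zsk = any(not k.is_ksk for k in alg_keys)
        check_ksk = update_check_ksk and has_ksk and has_zsk
        for key in alg_keys:
            if not check_ksk:
                roles[key.tag] = {DNSKEY_RRSET, REST_OF_ZONE}
            elif key.is_ksk:
                roles[key.tag] = {DNSKEY_RRSET}
            elif dnssec_dnskey_kskonly:
                roles[key.tag] = {REST_OF_ZONE}
            else:
                roles[key.tag] = {DNSKEY_RRSET, REST_OF_ZONE}
    return roles


def signers_of(keys, rrset_class, **options):
    """Sorted key tags whose RRSIGs will cover the given RRset class."""
    roles = signing_roles(keys, **options)
    return sorted(tag for tag, covered in roles.items() if rrset_class in covered)


def lint_algorithms(keys):
    """Algorithms for which update-check-ksk is silently ignored, i.e. those
    missing a KSK or a ZSK, so an operator can see where a KSK would end up
    signing the whole zone."""
    by_alg = defaultdict(set)
    for key in keys:
        by_alg[key.algorithm].add("ksk" if key.is_ksk else "zsk")
    return sorted(alg for alg, kinds in by_alg.items() if kinds != {"ksk", "zsk"})


if __name__ == "__main__":
    # Constructed key set: algorithm 8 has a KSK/ZSK pair, algorithm 13 only a KSK.
    zone_keys = [Key(11111, 8, 257), Key(22222, 8, 256), Key(33333, 13, 257)]
    print(signing_roles(zone_keys))
    print("DNSKEY signers with kskonly:",
          signers_of(zone_keys, DNSKEY_RRSET, dnssec_dnskey_kskonly=True))
    print("algorithms where the KSK check is ignored:", lint_algorithms(zone_keys))
```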
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
When a zone is configured with <span><strong class="command">auto-dnssec
maintain;</strong></span>, its key repository must be checked
periodically to see if any new keys have been added
or any existing keys' timing metadata has been updated
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<span><strong class="command">dnssec-loadkeys-interval</strong></span> option
sets the frequency of automatic repository checks, in
minutes. The default is <code class="literal">60</code> (1 hour),
the minimum is <code class="literal">1</code> (1 minute), and the
maximum is <code class="literal">1440</code> (24 hours); any higher
value is silently reduced.
<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
Try to refresh the zone using TCP if UDP queries fail.
For BIND 8 compatibility, the default is
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
Allow a dynamic zone to transition from secure to
insecure (i.e., signed to unsigned) by deleting all
of the DNSKEY records. The default is <span><strong class="command">no</strong></span>.
If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
at the zone apex is deleted, all RRSIG and NSEC records
will be removed from the zone as well.
If the zone uses NSEC3, then it is also necessary to
delete the NSEC3PARAM RRset from the zone apex; this will
cause the removal of all corresponding NSEC3 records.
(It is expected that this requirement will be eliminated
in a future release.)
Note that if a zone has been configured with
<span><strong class="command">auto-dnssec maintain</strong></span> and the
private keys remain accessible in the key repository,
then the zone will be automatically signed again the
next time <span><strong class="command">named</strong></span> is started.
<a name="id2583821"></a>Forwarding</h4></div></div></div>
The forwarding facility can be used to create a large site-wide
cache on a few servers, reducing traffic over links to external
name servers. It can also be used to allow queries by servers that
do not have direct access to the Internet, but wish to look up
names anyway. Forwarding occurs only on those queries for which
the server is not authoritative and does not have the answer in
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
This option is only meaningful if the
forwarders list is not empty. A value of <code class="varname">first</code>,
the default, causes the server to query the forwarders
first, and if that doesn't answer the question, the server
will then look for the answer itself. If <code class="varname">only</code> is
specified, the server will only query the forwarders.
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
Specifies the IP addresses to be used
for forwarding. The default is the empty list (no
forwarding).
Forwarding can also be configured on a per-domain basis, allowing
for the global forwarding options to be overridden in a variety
of ways. You can set particular domains to use different forwarders,
or have a different <span><strong class="command">forward only/first</strong></span> behavior,
or not forward at all; see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
Statement Grammar">the section called “<span><strong class="command">zone</strong></span>
Statement Grammar”</a>.
<a name="id2583880"></a>Dual-stack Servers</h4></div></div></div>
Dual-stack servers are used as servers of last resort to work
around problems in reachability due to the lack of support for
either IPv4 or IPv6 on the host machine.
<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
Specifies host names or addresses of machines with access to
both IPv4 and IPv6 transports. If a hostname is used, the
server must be able to resolve the name using only the
transport it has. If the machine is dual stacked, then the
<span><strong class="command">dual-stack-servers</strong></span> have no effect unless
access to a transport has been disabled on the command line
(e.g. <span><strong class="command">named -4</strong></span>).
<a name="access_control"></a>Access Control</h4></div></div></div>
Access to the server can be restricted based on the IP address
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
details on how to specify IP address lists.
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
Specifies which hosts are allowed to
notify this server, a slave, of zone changes in addition
to the zone masters.
<span><strong class="command">allow-notify</strong></span> may also be
specified in the <span><strong class="command">zone</strong></span> statement,
in which case it overrides the
<span><strong class="command">options allow-notify</strong></span>
statement. It is only meaningful
for a slave zone. If not specified, the default is to
process notify messages only from a zone's master.
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
Specifies which hosts are allowed to ask ordinary
DNS questions. <span><strong class="command">allow-query</strong></span> may
also be specified in the <span><strong class="command">zone</strong></span>
statement, in which case it overrides the
<span><strong class="command">options allow-query</strong></span> statement.
If not specified, the default is to allow queries
from all hosts.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<span><strong class="command">allow-query-cache</strong></span> is now
used to specify access to the cache.
<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
Specifies which local addresses can accept ordinary
DNS questions. This makes it possible, for instance,
to allow queries on internal-facing interfaces but
disallow them on external-facing ones, without
necessarily knowing the internal network's addresses.
Note that <span><strong class="command">allow-query-on</strong></span> is only
checked for queries that are permitted by
<span><strong class="command">allow-query</strong></span>. A query must be
allowed by both ACLs, or it will be refused.
<span><strong class="command">allow-query-on</strong></span> may
also be specified in the <span><strong class="command">zone</strong></span>
statement, in which case it overrides the
<span><strong class="command">options allow-query-on</strong></span> statement.
If not specified, the default is to allow queries
on all addresses.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<span><strong class="command">allow-query-cache</strong></span> is
used to specify access to the cache.
<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
Specifies which hosts are allowed to get answers
from the cache. If <span><strong class="command">allow-query-cache</strong></span>
is not set, then <span><strong class="command">allow-recursion</strong></span>
is used if set; otherwise <span><strong class="command">allow-query</strong></span>
is used if set, unless <span><strong class="command">recursion no;</strong></span> is
set, in which case <span><strong class="command">none;</strong></span> is used;
otherwise the default (<span><strong class="command">localnets;</strong></span>
<span><strong class="command">localhost;</strong></span>) is used.
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
Specifies which local addresses can give answers
from the cache. If not specified, the default is
to allow cache queries on any address,
<span><strong class="command">localnets</strong></span> and
<span><strong class="command">localhost</strong></span>.
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
Specifies which hosts are allowed to make recursive
queries through this server. If
<span><strong class="command">allow-recursion</strong></span> is not set,
then <span><strong class="command">allow-query-cache</strong></span> is
used if set; otherwise <span><strong class="command">allow-query</strong></span>
is used if set; otherwise the default
(<span><strong class="command">localnets;</strong></span>
<span><strong class="command">localhost;</strong></span>) is used.
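How the allow-query-cache and allow-recursion defaults above combine in practice, as an added Python example that is not BIND's code: it derives the effective ACLs from whichever options are set, evaluates an address match list with first-match semantics (a leading "!" negates an element), and flags the common case where allow-query { any; } on its own leaves a recursive server answering recursive queries from anyone. The configurations, prefixes and probe address are constructed; localhost and localnets are passed in as explicit prefixes rather than read from interfaces.

```python
"""Model of how named derives allow-query-cache and allow-recursion when they
are not set explicitly, plus a first-match address-match-list evaluator,
used here to lint a configuration for an open recursive resolver.
Added example; not BIND's own code.  All configurations are constructed."""
import ipaddress

DEFAULT_ACL = ("localnets", "localhost")   # the manual's default for both options


def effective_acls(cfg):
    """cfg maps option names to values as written in named.conf:
    'recursion' -> bool (True when omitted); 'allow-query', 'allow-recursion',
    'allow-query-cache' -> tuple of address-match-list elements, absent when unset.
    Returns the ACLs named will actually apply for allow-query-cache and
    allow-recursion, following the inheritance rules in the manual."""
    recursion = cfg.get("recursion", True)
    query = cfg.get("allow-query")
    rec = cfg.get("allow-recursion")
    cache = cfg.get("allow-query-cache")

    # allow-query-cache: allow-recursion if set; else none when recursion is off;
    # else allow-query if set; else the built-in default.
    if cache is not None:
        eff_cache = cache
    elif rec is not None:
        eff_cache = rec
    elif not recursion:
        eff_cache = ("none",)
    elif query is not None:
        eff_cache = query
    else:
        eff_cache = DEFAULT_ACL

    # allow-recursion: allow-query-cache if set explicitly (not derived);
    # else allow-query if set; else the built-in default.
    if rec is not None:
        eff_rec = rec
    elif cache is not None:
        eff_rec = cache
    elif query is not None:
        eff_rec = query
    else:
        eff_rec = DEFAULT_ACL
    return {"allow-query-cache": eff_cache, "allow-recursion": eff_rec}


def acl_allows(acl, client_ip, localhost=(), localnets=()):
    """First-match evaluation of an address match list: the first element that
    matches decides, a leading '!' turns that decision into a refusal, and no
    match at all means refused.  'localhost' and 'localnets' are expanded from
    the caller-supplied prefixes (named takes them from the host's interfaces)."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            prefixes = ["0.0.0.0/0", "::/0"]
        elif name == "none":
            prefixes = []
        elif name == "localhost":
            prefixes = list(localhost)
        elif name == "localnets":
            prefixes = list(localnets)
        else:
            prefixes = [name]                    # a literal address or CIDR prefix
        nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
        if any(ip.version == n.version and ip in n for n in nets):
            return not negate
    return False


def is_open_resolver(cfg, probe_ip="198.51.100.7", **local):
    """True when recursion is on and a client outside localhost/localnets
    (probe_ip, constructed from the RFC 5737 documentation range) may recurse."""
    if not cfg.get("recursion", True):
        return False
    eff_rec = effective_acls(cfg)["allow-recursion"]
    return acl_allows(eff_rec, probe_ip, **local)


if __name__ == "__main__":
    # Constructed configurations: the first is the classic mistake, the second the fix.
    risky = {"allow-query": ("any",)}
    fixed = {"allow-query": ("any",), "allow-recursion": ("localnets", "localhost")}
    for name, cfg in (("risky", risky), ("fixed", fixed)):
        print(name, effective_acls(cfg), "open resolver:", is_open_resolver(cfg))
```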
<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
Specifies which local addresses can accept recursive
queries. If not specified, the default is to allow
recursive queries on all addresses.
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
Specifies which hosts are allowed to
submit Dynamic DNS updates for master zones. The default is
to deny updates from all hosts. Note that allowing updates based
on the requestor's IP address is insecure; see
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
Specifies which hosts are allowed to
submit Dynamic DNS updates to slave zones to be forwarded to
the master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
which means that no update forwarding will be performed. To
enable update forwarding, specify
<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
<strong class="userinput"><code>{ any; }</code></strong> is usually
counterproductive, since
the responsibility for update access control should rest
with the master server, not the slaves.
Note that enabling the update forwarding feature on a slave
may expose master servers relying on insecure IP address
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
for more details.
<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
This option was introduced for the smooth transition from
AAAA to A6 and from "nibble labels" to binary labels.
However, since both A6 and binary labels were then
deprecated, this option was also deprecated.
It is now ignored with some warning messages.
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
Specifies which hosts are allowed to
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
also be specified in the <span><strong class="command">zone</strong></span>
statement, in which case it overrides the
<span><strong class="command">options allow-transfer</strong></span> statement.
If not specified, the default is to allow transfers to all
<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
Specifies a list of addresses that the
server will not accept queries from or use to resolve a
query. Queries from these addresses will not be responded to.
The default is <strong class="userinput"><code>none</code></strong>.
<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
Specifies a list of addresses to which
<span><strong class="command">filter-aaaa-on-v4</strong></span>
applies. The default is <strong class="userinput"><code>any</code></strong>.
<dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt>
Specifies a list of addresses which require responses
to use case-insensitive compression. This ACL can be
used when <span><strong class="command">named</strong></span> needs to work with
clients that do not comply with the requirement in RFC
1034 to use case-insensitive name comparisons when
checking for matching domain names.
If left undefined, the ACL defaults to
<span><strong class="command">none</strong></span>: case-insensitive compression
will be used for all clients. If the ACL is defined and
matches a client, then case will be ignored when
compressing domain names in DNS responses sent to that
This can result in slightly smaller responses: if
a response contains the names "example.com" and
"example.COM", case-insensitive compression would treat
the second one as a duplicate. It also ensures
that the case of the query name exactly matches the
case of the owner names of returned records, rather
than matching the case of the records entered in
the zone file. This allows responses to exactly
match the query, which is required by some clients
due to incorrect use of case-sensitive comparisons.
Case-insensitive compression is <span class="emphasis"><em>always</em></span>
used in AXFR and IXFR responses, regardless of whether
the client matches this ACL.
There are circumstances in which <span><strong class="command">named</strong></span>
will not preserve the case of owner names of records:
if a zone file defines records of different types with
the same name, but the capitalization of the name is
"WWW.EXAMPLE.COM/AAAA"), then all responses for that
name will use the <span class="emphasis"><em>first</em></span> version
of the name that was used in the zone file. This
limitation may be addressed in a future release. However,
domain names specified in the rdata of resource records
(i.e., records of type NS, MX, CNAME, etc) will always
have their case preserved unless the client matches this
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
The amount of time the resolver will spend attempting
to resolve a recursive query before failing. The default
and minimum is <code class="literal">10</code> and the maximum is
<code class="literal">30</code>. Setting it to <code class="literal">0</code>
will result in the default being used.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2584554"></a>Interfaces</h4></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The interfaces and ports that the server will answer queries
cfa64348224b66dd1c9979b809406c4d15b1c137fielding from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
cfa64348224b66dd1c9979b809406c4d15b1c137fielding an optional port and an <code class="varname">address_match_list</code>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The server will listen on all interfaces allowed by the address
cfa64348224b66dd1c9979b809406c4d15b1c137fielding match list. If a port is not specified, port 53 will be used.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Multiple <span><strong class="command">listen-on</strong></span> statements are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding For example,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding will enable the name server on port 53 for the IP address
cfa64348224b66dd1c9979b809406c4d15b1c137fielding 5.6.7.8, and on port 1234 of an address on the machine in net
cfa64348224b66dd1c9979b809406c4d15b1c137fielding 1.2 that is not 1.2.3.4.
If no <span><strong class="command">listen-on</strong></span> is specified, the
server will listen on port 53 on all IPv4 interfaces.
The <span><strong class="command">listen-on-v6</strong></span> option is used to
specify the interfaces and the ports on which the server will
listen for incoming queries sent using IPv6. If not specified,
the server will listen on port 53 on all IPv6 interfaces.
as the <code class="varname">address_match_list</code> for the
<span><strong class="command">listen-on-v6</strong></span> option,
the server does not bind a separate socket to each IPv6 interface
address as it does for IPv4 if the operating system has enough API
support for IPv6 (specifically if it conforms to RFC 3493 and RFC
Instead, it listens on the IPv6 wildcard address.
If the system only has incomplete API support for IPv6, however,
the behavior is the same as that for IPv4.
A list of particular IPv6 addresses can also be specified, in
the server listens on a separate socket for each specified
regardless of whether the desired API is supported by the system.
Multiple <span><strong class="command">listen-on-v6</strong></span> options can
For example,
listen-on-v6 port 1234 { !2001:db8::/32; any; };
will enable the name server on port 53 for any IPv6 address
(with a single wildcard socket),
and on port 1234 for IPv6 addresses that are not in the prefix
2001:db8::/32 (with separate sockets for each matched address).
To make the server not listen on any IPv6 address, use
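The first-match semantics behind the <code class="varname">address_match_list</code> in the <span><strong class="command">listen-on-v6</strong></span> example above, worked through in Python as an added example (not code from the BIND ARM or from BIND itself). It models the socket rule stated in the text (a list that is only <span><strong class="command">any</strong></span> is served by one wildcard socket; any other list gets a socket per matching interface address) and assumes a constructed set of interface addresses; the function names are this example's own.

```python
"""Evaluate BIND-style address_match_lists for listen-on-v6 (added example).

Not from the BIND ARM or BIND's source: a small model of first-match
semantics (negated elements, any/none) applied to the listen-on-v6
statements from the text. Interface addresses below are constructed.
"""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Element = Tuple[bool, Union[str, Network]]   # (negated, "any"/"none"/network)

# The two statements discussed in the text: port 53 on the wildcard, and
# port 1234 on every address outside 2001:db8::/32.
EXAMPLE_STATEMENTS = [
    (53, "{ any; }"),
    (1234, "{ !2001:db8::/32; any; }"),
]

# Constructed interface addresses of a hypothetical host (assumption).
EXAMPLE_INTERFACES = ["::1", "2001:db8:1::10", "fd00::5", "2001:db8::1"]


def parse_match_list(text: str) -> List[Element]:
    """Parse "{ a; !b; any; }" into ordered (negated, element) pairs."""
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    elements: List[Element] = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in ("any", "none"):
            elements.append((negated, item))
        else:
            # A bare address becomes a /32 or /128; strict=False tolerates
            # host bits set inside a prefix such as 2001:db8::1/32.
            elements.append((negated, ipaddress.ip_network(item, strict=False)))
    return elements


def matches(elements: List[Element], addr: str) -> bool:
    """The first element that matches decides the result.

    A negated element that matches yields False immediately, which is why
    "{ !2001:db8::/32; any; }" excludes that prefix while
    "{ any; !2001:db8::/32; }" never reaches the negation. An address that
    matches nothing is not matched (BIND's implicit deny).
    """
    ip = ipaddress.ip_address(addr)
    for negated, elem in elements:
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = ip.version == elem.version and ip in elem
        if hit:
            return not negated
    return False


def plan_listen_sockets(statements, interfaces) -> List[Tuple[int, str]]:
    """Return (port, bind address) pairs following the rule in the text:
    a list consisting only of "any" is served by one wildcard socket ("::"),
    any other list gets a separate socket per matching interface address."""
    sockets: List[Tuple[int, str]] = []
    for port, acl_text in statements:
        elements = parse_match_list(acl_text)
        if len(elements) == 1 and elements[0] == (False, "any"):
            sockets.append((port, "::"))
            continue
        for addr in interfaces:
            if matches(elements, addr):
                sockets.append((port, addr))
    return sockets


if __name__ == "__main__":
    for port, addr in plan_listen_sockets(EXAMPLE_STATEMENTS, EXAMPLE_INTERFACES):
        print(f"port {port:5d}  bind [{addr}]")
```

Running it against the constructed interfaces yields one wildcard socket for port 53 and sockets on <code class="literal">::1</code> and <code class="literal">fd00::5</code> for port 1234; both 2001:db8: addresses are excluded. Note the ordering trap the model makes visible: <code class="literal">{ any; !2001:db8::/32; }</code> matches every address, because <span><strong class="command">any</strong></span> wins before the negation is consulted.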
<a name="query_address"></a>Query Address</h4></div></div></div>
If the server doesn't know the answer to a question, it will
query other name servers. <span><strong class="command">query-source</strong></span> specifies
the address and port used for such queries. For queries sent over
IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
will be used.
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
a random port number from a pre-configured
range is picked and used for each query.
The port range(s) are those specified in
the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4)
and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6)
options, excluding the ranges specified in
the <span><strong class="command">avoid-v4-udp-ports</strong></span>
and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively.
The defaults of the <span><strong class="command">query-source</strong></span> and
<span><strong class="command">query-source-v6</strong></span> options are:
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
If <span><strong class="command">use-v4-udp-ports</strong></span> or
<span><strong class="command">use-v6-udp-ports</strong></span> is unspecified,
<span><strong class="command">named</strong></span> will check if the operating
system provides a programming interface to retrieve the
system's default range for ephemeral ports.
If such an interface is available,
<span><strong class="command">named</strong></span> will use the corresponding system
default range; otherwise, it will use its own defaults:
<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
use-v6-udp-ports { range 1024 65535; };
Note: make sure the ranges are sufficiently large for
security. A desirable size depends on various parameters,
but we generally recommend that each contain at least 16384 ports
(14 bits of entropy).
Note also that the system's default range, when used, may be
too small for this purpose, and that the range may even be
changed while <span><strong class="command">named</strong></span> is running; the new
range will automatically be applied when <span><strong class="command">named</strong></span>
is reloaded.
We encourage configuring
<span><strong class="command">use-v4-udp-ports</strong></span> and
<span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the
ranges are sufficiently large and are reasonably
independent from the ranges used by other applications.
Note: the operational configuration
where <span><strong class="command">named</strong></span> runs may prohibit the use
of some ports. For example, UNIX systems will not allow
<span><strong class="command">named</strong></span>, when running without root privilege,
to use ports below 1024.
If such ports are included in the specified (or detected)
set of query ports, the corresponding query attempts will
fail, resulting in resolution failures or delays.
It is therefore important to configure the set of ports
that can be safely used in the expected operational environment.
The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and
<span><strong class="command">avoid-v6-udp-ports</strong></span> options are:
avoid-v6-udp-ports {};
Note: BIND 9.5.0 introduced
the <span><strong class="command">use-queryport-pool</strong></span>
option to support a pool of such random ports, but this
option is now obsolete because reusing the same ports in
the pool may not be sufficiently secure.
For the same reason, specifying a particular port for the
<span><strong class="command">query-source</strong></span> or
<span><strong class="command">query-source-v6</strong></span> options
is generally strongly discouraged; doing so implicitly disables
source-port randomization.
<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
This option is obsolete.
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
This option is obsolete.
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
This option is obsolete.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
The address specified in the <span><strong class="command">query-source</strong></span> option
is used for both UDP and TCP queries, but the port applies only
to UDP queries. TCP queries always use a random
unprivileged port.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Solaris 2.5.1 and earlier do not support setting the source
address for TCP sockets.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
See also <span><strong class="command">transfer-source</strong></span> and
<span><strong class="command">notify-source</strong></span>.
<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
<acronym class="acronym">BIND</acronym> has mechanisms in place to
facilitate zone transfers
and set limits on the amount of load that transfers place on the
system. The following options apply to zone transfers.
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
Defines a global list of IP addresses of name servers
that are also sent NOTIFY messages whenever a fresh copy of
a zone is loaded, in addition to the servers listed in the
zone's NS records.
This helps to ensure that copies of the zones will
quickly converge on stealth servers.
Optionally, a port may be specified with each
<span><strong class="command">also-notify</strong></span> address to send
the notify messages to a port other than the
default of 53.
An optional TSIG key can also be specified with each
address to cause the notify messages to be signed; this
can be useful when sending notifies to multiple views.
In place of explicit addresses, one or more named
<span><strong class="command">masters</strong></span> lists can be used.
If an <span><strong class="command">also-notify</strong></span> list
is given in a <span><strong class="command">zone</strong></span> statement,
it will override
the <span><strong class="command">options also-notify</strong></span>
statement. When a <span><strong class="command">zone notify</strong></span>
is set to <span><strong class="command">no</strong></span>, the IP
addresses in the global <span><strong class="command">also-notify</strong></span> list will
not be sent NOTIFY messages for that zone. The default is
the empty list (no global notification list).
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
Inbound zone transfers running longer than
this many minutes will be terminated. The default is 120
(2 hours). The maximum value is 28 days (40320 minutes).
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
Inbound zone transfers making no progress
in this many minutes will be terminated. The default is 60
(1 hour). The maximum value is 28 days (40320 minutes).
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
Outbound zone transfers running longer than
this many minutes will be terminated. The default is 120
(2 hours). The maximum value is 28 days (40320 minutes).
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
Outbound zone transfers making no progress
in this many minutes will be terminated. The default is 60
(1 hour). The maximum value is 28 days (40320 minutes).
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
Slave servers will periodically query master
servers to find out if zone serial numbers have
changed. Each such query uses a minute amount of
the slave server's network bandwidth. To limit
the amount of bandwidth used, BIND 9 limits the
rate at which queries are sent. The value of the
<span><strong class="command">serial-query-rate</strong></span> option, an
integer, is the maximum number of queries sent
per second. The default is 20.
In addition to controlling the rate at which SOA refresh
queries are issued,
<span><strong class="command">serial-query-rate</strong></span> also controls
the rate at which NOTIFY messages are sent from
both master and slave zones.
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
set the maximum number of concurrent serial number queries
allowed to be outstanding at any given time.
BIND 9 does not limit the number of outstanding
serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
Instead, it limits the rate at which the queries are sent
as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
Zone transfers can be sent using two different formats,
<span><strong class="command">one-answer</strong></span> and
<span><strong class="command">many-answers</strong></span>.
The <span><strong class="command">transfer-format</strong></span> option is used
on the master server to determine which format it sends.
<span><strong class="command">one-answer</strong></span> uses one DNS message per
resource record transferred.
<span><strong class="command">many-answers</strong></span> packs as many resource
records as possible into a message.
<span><strong class="command">many-answers</strong></span> is more efficient, but is
only supported by relatively new slave servers,
such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
The <span><strong class="command">many-answers</strong></span> format is also supported by
recent Microsoft Windows nameservers.
The default is <span><strong class="command">many-answers</strong></span>.
<span><strong class="command">transfer-format</strong></span> may be overridden on a
per-server basis by using the <span><strong class="command">server</strong></span>
statement.
<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
The maximum number of inbound zone transfers
that can be running concurrently. The default value is <code class="literal">10</code>.
Increasing <span><strong class="command">transfers-in</strong></span> may
speed up the convergence
of slave zones, but it also may increase the load on the
local system.
<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
The maximum number of outbound zone transfers
that can be running concurrently. Zone transfer requests in
excess of the limit will be refused. The default value is <code class="literal">10</code>.
<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
The maximum number of inbound zone transfers
that can be concurrently transferring from a given remote
name server.
The default value is <code class="literal">2</code>.
Increasing <span><strong class="command">transfers-per-ns</strong></span> may
speed up the convergence of slave zones, but it also may increase
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
of the <span><strong class="command">server</strong></span> statement.
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
<p><span><strong class="command">transfer-source</strong></span>
determines which local address will be bound to IPv4
TCP connections used to fetch zones transferred
inbound by the server. It also determines the
source IPv4 address, and optionally the UDP port,
used for the refresh queries and forwarded dynamic
updates. If not set, it defaults to a system
controlled value which will usually be the address
of the interface "closest to" the remote end. This
address must appear in the remote end's
<span><strong class="command">allow-transfer</strong></span> option for the
zone being transferred, if one is specified. This
statement sets the
<span><strong class="command">transfer-source</strong></span> for all zones,
but can be overridden on a per-view or per-zone
basis by including a
<span><strong class="command">transfer-source</strong></span> statement within
the <span><strong class="command">view</strong></span> or
<span><strong class="command">zone</strong></span> block in the configuration
file.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Solaris 2.5.1 and earlier do not support setting the
source address for TCP sockets.
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
The same as <span><strong class="command">transfer-source</strong></span>,
except zone transfers are performed using IPv6.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
An alternate transfer source if the one listed in
<span><strong class="command">transfer-source</strong></span> fails and
<span><strong class="command">use-alt-transfer-source</strong></span> is
set.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
If you do not wish the alternate transfer source
to be used, you should set
<span><strong class="command">use-alt-transfer-source</strong></span>
appropriately and you should not depend upon
getting an answer back to the first refresh
query.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
An alternate transfer source if the one listed in
<span><strong class="command">transfer-source-v6</strong></span> fails and
<span><strong class="command">use-alt-transfer-source</strong></span> is
set.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
Use the alternate transfer sources or not. If views are
specified, this defaults to <span><strong class="command">no</strong></span>;
otherwise it defaults to
<span><strong class="command">yes</strong></span> (for BIND 8
compatibility).
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<p><span><strong class="command">notify-source</strong></span>
determines which local source address, and
optionally UDP port, will be used to send NOTIFY
messages. This address must appear in the slave
server's <span><strong class="command">masters</strong></span> zone clause or
in an <span><strong class="command">allow-notify</strong></span> clause. This
statement sets the <span><strong class="command">notify-source</strong></span>
for all zones, but can be overridden on a per-zone or
per-view basis by including a
<span><strong class="command">notify-source</strong></span> statement within
the <span><strong class="command">zone</strong></span> or
<span><strong class="command">view</strong></span> block in the configuration
file.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Solaris 2.5.1 and earlier do not support setting the
source address for TCP sockets.
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
Like <span><strong class="command">notify-source</strong></span>,
but applies to notify messages sent to IPv6 addresses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2585957"></a>UDP Port Lists</h4></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">use-v4-udp-ports</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">avoid-v4-udp-ports</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">use-v6-udp-ports</strong></span>, and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">avoid-v6-udp-ports</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specify a list of IPv4 and IPv6 UDP ports that will be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding used or not used as source ports for UDP messages.
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
available ports are determined.
For example, with the following configuration
<pre class="programlisting">use-v6-udp-ports { range 32768 65535; };
avoid-v6-udp-ports { 40000; range 50000 60000; };</pre>
UDP ports of IPv6 messages sent from <span><strong class="command">named</strong></span>
will be in one of the following ranges: 32768 to 39999, 40001 to 49999,
and 60001 to 65535.
<span><strong class="command">avoid-v4-udp-ports</strong></span> and
<span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
port that is blocked by your firewall or a port that is used by other applications;
if a query went out with a source port blocked by a firewall, the
answer would not get by the firewall and the name server would have to query again.
Note: the desired range can also be represented only with
<span><strong class="command">use-v4-udp-ports</strong></span> and
<span><strong class="command">use-v6-udp-ports</strong></span>, and the
<span><strong class="command">avoid-</strong></span> options are redundant in that
sense; they are provided for backward compatibility and
to possibly simplify the port specification.
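To check such a configuration before deploying it, the following added Python example (not from the BIND ARM or from named's source) subtracts the avoid- list from the use- list exactly as described above and reports how many ports remain; its parser understands only the brace syntax shown in this section, not the full named.conf grammar.

```python
"""Work out which UDP source ports named may use, given use-/avoid- port lists.

Added example, not BIND code. The tiny parser below understands only the
'{ N; range A B; }' form shown in this section of the ARM.
"""
import re
from typing import List, Tuple

Range = Tuple[int, int]   # inclusive (low, high)

_ITEM = re.compile(r"range\s+(\d+)\s+(\d+)|(\d+)")


def parse_port_list(spec: str) -> List[Range]:
    """'{ 40000; range 50000 60000; }' -> [(40000, 40000), (50000, 60000)]."""
    # Only look inside the braces so the digit in 'use-v6-udp-ports' is not taken as a port.
    body = spec[spec.index("{") + 1:spec.rindex("}")] if "{" in spec else spec
    ranges: List[Range] = []
    for lo, hi, single in _ITEM.findall(body):
        lo_i, hi_i = (int(single), int(single)) if single else (int(lo), int(hi))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {lo_i}-{hi_i}")
        ranges.append((lo_i, hi_i))
    return ranges


def _merge(ranges: List[Range]) -> List[Range]:
    """Sort and coalesce overlapping or adjacent ranges."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def allowed_ports(use: List[Range], avoid: List[Range]) -> List[Range]:
    """Subtract every avoid- range from the use- ranges; the result is sorted and disjoint."""
    segments = _merge(use)
    for alo, ahi in avoid:
        remaining: List[Range] = []
        for slo, shi in segments:
            if ahi < slo or alo > shi:           # the hole does not touch this segment
                remaining.append((slo, shi))
                continue
            if alo > slo:                        # keep the part below the hole
                remaining.append((slo, alo - 1))
            if ahi < shi:                        # keep the part above the hole
                remaining.append((ahi + 1, shi))
        segments = remaining
    return segments


def port_count(ranges: List[Range]) -> int:
    """Number of distinct ports left: the pool the random source-port choice draws from."""
    return sum(hi - lo + 1 for lo, hi in ranges)


if __name__ == "__main__":
    # The configuration from this section of the ARM.
    use = parse_port_list("use-v6-udp-ports { range 32768 65535; };")
    avoid = parse_port_list("avoid-v6-udp-ports { 40000; range 50000 60000; };")
    usable = allowed_ports(use, avoid)
    for lo, hi in usable:
        print(f"{lo} to {hi}")
    print("usable ports:", port_count(usable))
```

The remaining count is worth watching on a resolver: the random source port is part of its defence against forged answers, so an avoid- list that leaves only a small pool of ports weakens that protection.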
<a name="id2586085"></a>Operating System Resource Limits</h4></div></div></div>
The server's usage of many system resources can be limited.
Scaled values are allowed when specifying resource limits. For
example, <span><strong class="command">1G</strong></span> can be used instead of
<span><strong class="command">1073741824</strong></span> to specify a limit of
one gigabyte. <span><strong class="command">unlimited</strong></span> requests
unlimited use, or the maximum available amount. <span><strong class="command">default</strong></span>
uses the limit that was in force when the server was started. See the description
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
The following options set operating system resource limits for
the name server process. Some operating systems don't support
any of the limits. On such systems, a warning will be issued if
an unsupported limit is used.
<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
The maximum size of a core dump. The default
<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
The maximum amount of data memory the server
may use. The default is <code class="literal">default</code>.
This is a hard limit on server memory usage.
If the server attempts to allocate memory in excess of this
limit, the allocation will fail, which may in turn leave
the server unable to perform DNS service. Therefore,
this option is rarely useful as a way of limiting the
amount of memory used by the server, but it can be used
to raise an operating system data size limit that is
too small by default. If you wish to limit the amount
of memory used by the server, use the
<span><strong class="command">max-cache-size</strong></span> and
<span><strong class="command">recursive-clients</strong></span>
options instead.
<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
The maximum number of files the server
may have open concurrently. The default is <code class="literal">unlimited</code>.
<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
The maximum amount of stack memory the server
may use. The default is <code class="literal">default</code>.
<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
The following options set limits on the server's
resource consumption that are enforced internally by the
server rather than the operating system.
<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
This option is obsolete; it is accepted
and ignored for BIND 8 compatibility. The option
<span><strong class="command">max-journal-size</strong></span> performs a
similar function in BIND 9.
<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
Sets a maximum size for each journal file
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
reaches the specified size, some of the oldest transactions in the
journal will be automatically removed. The largest permitted
value is 2 gigabytes. The default is unlimited, which also
means 2 gigabytes.
This may also be set on a per-zone basis.
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
In BIND 8, specifies the maximum number of host statistics
entries to be kept.
Not implemented in BIND 9.
<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
The maximum number of simultaneous recursive lookups
the server will perform on behalf of clients. The default
is <code class="literal">1000</code>. Because each recursing
client uses a fair bit of memory, on the order of 20 kilobytes, the value of
the <span><strong class="command">recursive-clients</strong></span> option may
have to be decreased on hosts with limited memory.
<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
The maximum number of simultaneous client TCP
connections that the server will accept.
<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces <span><strong class="command">named</strong></span> listens on and
<span><strong class="command">tcp-clients</strong></span>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <code class="literal">512</code>.
The minimum value is <code class="literal">128</code> and the
maximum value is <code class="literal">128</code> less than
maxsockets (-S). This option may be removed in the future.
This option has little effect on Windows.
<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
The maximum amount of memory to use for the
server's cache, in bytes.
When the amount of data in the cache
reaches this limit, the server will cause records to
expire prematurely based on an LRU-based strategy so
that the limit is not exceeded.
The keyword <strong class="userinput"><code>unlimited</code></strong>,
or the value 0, will place no limit on cache size;
records will be purged from the cache only when their
TTLs expire.
Any positive value less than 2MB will be ignored
and reset to 2MB.
In a server with multiple views, the limit applies
separately to the cache of each view.
The default is <strong class="userinput"><code>unlimited</code></strong>.
<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
The listen queue depth. The default and minimum is 10.
If the kernel supports the accept filter "dataready" this
also controls how many TCP connections will be queued in kernel space
waiting for some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
be used; on most platforms this sets the listen queue
length to a system-defined default value.
<a name="id2586510"></a>Periodic Task Intervals</h4></div></div></div>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
This interval is effectively obsolete. Previously,
the server would remove expired resource records
from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
<acronym class="acronym">BIND</acronym> 9 now manages cache
memory in a more sophisticated manner and does not
rely on the periodic cleaning any more.
Specifying this option therefore has no effect on
the server's behavior.
<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
The server will perform zone maintenance tasks
for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
interval expires. The default is 60 minutes. Reasonable
values are up to 1 day (1440 minutes). The maximum value is 28 days
(40320 minutes).
If set to 0, no zone maintenance for these zones will occur.
<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
The server will scan the network interface list
every <span><strong class="command">interface-interval</strong></span>
minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes).
If set to 0, interface scanning will only occur when
the configuration file is loaded. After the scan, the
server will begin listening for queries on any newly discovered
interfaces (provided they are allowed by the
<span><strong class="command">listen-on</strong></span> configuration), and
stop listening on interfaces that have gone away.
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
Name server statistics will be logged
every <span><strong class="command">statistics-interval</strong></span>
minutes. The default is 60. The maximum value is 28 days (40320 minutes).
If set to 0, no statistics will be logged.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Not yet implemented in
</div>
<a name="topology"></a>Topology</h4></div></div></div>
All other things being equal, when the server chooses a name server
to query from a list of name servers, it prefers the one that is
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
takes an <span><strong class="command">address_match_list</strong></span> and
interprets it in a special way. Each top-level list element is assigned a distance.
Non-negated elements get a distance based on their position in the
list, where the closer the match is to the start of the list, the
shorter the distance is between it and the server. A negated match
will be assigned the maximum distance from the server. If there
is no match, the address will get a distance which is further than
any non-negated list element, and closer than any negated element.
For example,
will prefer servers on network 10 the most, followed by hosts
on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
is preferred least of all.
The default topology is
<pre class="programlisting"> topology { localhost; localnets; };</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
The <span><strong class="command">topology</strong></span> option
is not implemented in <acronym class="acronym">BIND</acronym> 9.
</div>
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
The response to a DNS query may consist of multiple resource
records (RRs) forming a resource records set (RRset).
The name server will normally return the
RRs within the RRset in an indeterminate order
(but see the <span><strong class="command">rrset-order</strong></span>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
The client resolver code should rearrange the RRs as appropriate,
that is, using any addresses on the local net in preference to
other addresses.
However, not all resolvers can do this or are correctly
configured.
When a client is using a local server, the sorting can be performed
in the server, based on the client's address. This only requires
configuring the name servers, not all the clients.
The <span><strong class="command">sortlist</strong></span> statement (see below) takes
an <span><strong class="command">address_match_list</strong></span> and
interprets it even more specifically than the <span><strong class="command">topology</strong></span>
statement does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
Each top level statement in the <span><strong class="command">sortlist</strong></span> must
itself be an explicit <span><strong class="command">address_match_list</strong></span> with
one or two elements. The first element (which may be an IP address,
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
of each top level list is checked against the source address of
the query until a match is found.
Once the source address of the query has been matched, if
the top level statement contains only one element, the actual
element that matched the source address is used to select the addresses
in the response to move to the beginning of the response. If the
statement is a list of two elements, then the second element is
treated the same as the <span><strong class="command">address_match_list</strong></span> in
a <span><strong class="command">topology</strong></span> statement. Each top
level element is assigned a distance and the address in the response with the
shortest distance is moved to the beginning of the response.
In the following example, any queries received from any of
the addresses of the host itself will get responses preferring addresses
on any of the locally connected networks. Next most preferred are addresses
on the 192.168.1/24 network, and after that either the 192.168.2/24 or the
192.168.3/24 network, with no preference shown between these two
networks. Queries received from a host on the 192.168.1/24 network
will prefer other addresses on that network to the 192.168.2/24 and
192.168.3/24 networks. Queries received from a host on the 192.168.4/24
or the 192.168.5/24 network will only prefer other addresses on
their directly connected networks.
<pre class="programlisting">sortlist {
    // IF the local host
    // THEN first fit on the following nets
    { localhost;
        { localnets;
            192.168.1/24;
            { 192.168.2/24; 192.168.3/24; }; }; };
    // IF on class C 192.168.1 THEN use .1, or .2 or .3
    { 192.168.1/24; { 192.168.1/24; { 192.168.2/24; 192.168.3/24; }; }; };
    // IF on class C 192.168.2 THEN use .2, or .1 or .3
    { 192.168.2/24; { 192.168.2/24; { 192.168.1/24; 192.168.3/24; }; }; };
    // IF on class C 192.168.3 THEN use .3, or .1 or .2
    { 192.168.3/24; { 192.168.3/24; { 192.168.1/24; 192.168.2/24; }; }; };
    // IF .4 or .5 THEN prefer that net
    { { 192.168.4/24; 192.168.5/24; }; };
};</pre>
The following example will give reasonable behavior for the
local host and hosts on directly connected networks. It is similar
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
to queries from the local host will favor any of the directly connected
networks. Responses sent to queries from any other hosts on a directly
connected network will prefer addresses on that same network. Responses
to other queries will not be sorted.
<pre class="programlisting">sortlist {
    { localhost; localnets; };
    { localnets; };
};</pre>
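The following added Python example (not BIND code) simulates the matching and reordering rules just described, for both sortlist forms shown above; the server's own addresses and its directly connected networks are constructed sample values, and where the text says the closest address moves to the front, the example sorts all addresses by distance, which generalises that.

```python
"""Simulate how a BIND sortlist reorders the addresses in a response.

Added example, not BIND code. Elements are strings ("localhost", "localnets",
"192.168.1/24", "!10/8") or nested Python lists standing in for nested
address_match_lists. The local host's own addresses and directly connected
networks are supplied explicitly because there is no running named here.
"""
import ipaddress
from typing import List, Optional, Sequence, Union

Element = Union[str, List["Element"]]


class Context:
    """What named would know at runtime: its own addresses and connected networks."""
    def __init__(self, localhost: Sequence[str], localnets: Sequence[str]):
        self.localhost = {ipaddress.ip_address(a) for a in localhost}
        self.localnets = [ipaddress.ip_network(n) for n in localnets]


def _network(text: str):
    """Accept BIND's short prefixes ('192.168.1/24', '10/8') as well as full ones."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + (f"/{plen}" if plen else ""), strict=False)


def matches(addr, element: Element, ctx: Context) -> Optional[Element]:
    """Return the innermost element that matched addr, or None. Negated elements do not match."""
    if isinstance(element, list):
        for sub in element:
            hit = matches(addr, sub, ctx)
            if hit is not None:
                return hit
        return None
    if element.startswith("!"):
        return None
    if element == "localhost":
        return element if addr in ctx.localhost else None
    if element == "localnets":
        return element if any(addr in net for net in ctx.localnets) else None
    return element if addr in _network(element) else None


def distance(addr, topo: List[Element], ctx: Context) -> int:
    """Topology-style distance: list position for a match, farthest for a negated match,
    and for no match a value beyond every non-negated element but short of negated ones."""
    for i, element in enumerate(topo):
        if isinstance(element, str) and element.startswith("!"):
            if matches(addr, element[1:], ctx) is not None:
                return len(topo) + 1
        elif matches(addr, element, ctx) is not None:
            return i
    return len(topo)


def sort_response(client: str, answers: Sequence[str],
                  sortlist: List[List[Element]], ctx: Context) -> List[str]:
    """Reorder the addresses in a response for one client; unmatched clients keep the order."""
    caddr = ipaddress.ip_address(client)
    addrs = [ipaddress.ip_address(a) for a in answers]
    for entry in sortlist:
        hit = matches(caddr, entry[0], ctx)
        if hit is None:
            continue
        if len(entry) == 1:
            # One element: the element that actually matched the client selects the
            # addresses moved to the front; for "localnets" that is the client's own network.
            if hit == "localnets":
                hit = str(next(net for net in ctx.localnets if caddr in net))
            key = lambda a: 0 if matches(a, hit, ctx) is not None else 1
        else:
            # Two elements: the second is read like a topology list; a stable sort by
            # distance puts the closest address first and keeps ties in original order.
            topo = entry[1] if isinstance(entry[1], list) else [entry[1]]
            key = lambda a: distance(a, topo, ctx)
        return [str(a) for a in sorted(addrs, key=key)]
    return list(answers)


# The first sortlist example from this section, written as nested Python lists.
EXAMPLE_SORTLIST: List[List[Element]] = [
    ["localhost", ["localnets", "192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.1/24", ["192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.2/24", ["192.168.2/24", ["192.168.1/24", "192.168.3/24"]]],
    ["192.168.3/24", ["192.168.3/24", ["192.168.1/24", "192.168.2/24"]]],
    [["192.168.4/24", "192.168.5/24"]],
]

# Constructed sample: a server at 192.168.1.10 with one directly connected network.
CTX = Context(localhost=["127.0.0.1", "192.168.1.10"], localnets=["192.168.1.0/24"])

if __name__ == "__main__":
    answers = ["192.168.3.1", "10.0.0.1", "192.168.1.5", "192.168.2.7"]
    for client in ("192.168.1.20", "192.168.4.9", "10.9.9.9"):
        print(client, "->", sort_response(client, answers, EXAMPLE_SORTLIST, CTX))
```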
<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
When multiple records are returned in an answer it may be
useful to configure the order of the records placed into the response.
The <span><strong class="command">rrset-order</strong></span> statement permits configuration
of the ordering of the records in a multiple record response.
See also the <span><strong class="command">sortlist</strong></span> statement,
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
An <span><strong class="command">order_spec</strong></span> is defined as
[<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
[<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
[<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
order <em class="replaceable"><code>ordering</code></em>
If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
The legal values for <span><strong class="command">ordering</strong></span> are:
<p><span><strong class="command">fixed</strong></span></p>
Records are returned in the order they
are defined in the zone file.
<p><span><strong class="command">random</strong></span></p>
Records are returned in some random order.
<p><span><strong class="command">cyclic</strong></span></p>
Records are returned in a cyclic round-robin order.
If <acronym class="acronym">BIND</acronym> is configured with the
"--enable-fixed-rrset" option at compile time, then
the initial ordering of the RRset will match the
one specified in the zone file.
For example:
<pre class="programlisting">rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
};</pre>
will cause any responses for type A records in class IN that
have "<code class="literal">host.example.com</code>" as a
suffix, to always be returned
in random order. All other records are returned in cyclic order.
If multiple <span><strong class="command">rrset-order</strong></span> statements
appear, they are not combined — the last one applies.
By default, all records are returned in random order.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
In this release of <acronym class="acronym">BIND</acronym> 9, the
<span><strong class="command">rrset-order</strong></span> statement does not support
"fixed" ordering by default. Fixed ordering can be enabled
at compile time by specifying "--enable-fixed-rrset" on
the "configure" command line.
</div>
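The following added Python example (not BIND code) applies these rules to the example statement above: suffix matching of the name, the class and type defaults, last-statement-wins, and the default of random ordering. It assumes that within one statement the first matching order_spec is the one used, which this section does not state.

```python
"""Select and apply the rrset-order ordering for an RRset.

Added example, not BIND code. Assumption not stated in the ARM: within one
rrset-order statement the first order_spec that matches is the one used.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class OrderSpec:
    ordering: str          # "fixed", "random" or "cyclic"
    rclass: str = "ANY"    # defaults as given in this section
    rtype: str = "ANY"
    name: str = "*"


def spec_applies(spec: OrderSpec, rclass: str, rtype: str, owner: str) -> bool:
    """class and type must be equal or ANY; name '*' matches everything,
    any other name is matched as a suffix of the owner name."""
    if spec.rclass.upper() not in ("ANY", rclass.upper()):
        return False
    if spec.rtype.upper() not in ("ANY", rtype.upper()):
        return False
    if spec.name == "*":
        return True
    want, have = spec.name.lower().rstrip("."), owner.lower().rstrip(".")
    return have == want or have.endswith("." + want)


def select_ordering(statements: Sequence[Sequence[OrderSpec]],
                    rclass: str, rtype: str, owner: str) -> str:
    """Only the last rrset-order statement counts; no matching spec means the default, random."""
    if statements:
        for spec in statements[-1]:
            if spec_applies(spec, rclass, rtype, owner):
                return spec.ordering
    return "random"


class RRsetOrderer:
    """Applies the selected ordering; cyclic keeps a rotation counter per RRset."""
    def __init__(self, statements: Sequence[Sequence[OrderSpec]],
                 rng: Optional[random.Random] = None):
        self.statements = statements
        self.rng = rng or random.Random()
        self._next: Dict[Tuple[str, str, str], int] = {}

    def order(self, rclass: str, rtype: str, owner: str, rdata: Sequence[str]) -> List[str]:
        records = list(rdata)
        if not records:
            return records
        how = select_ordering(self.statements, rclass, rtype, owner)
        if how == "fixed":       # zone-file order; needs --enable-fixed-rrset in this release
            return records
        if how == "random":
            self.rng.shuffle(records)
            return records
        key = (rclass.upper(), rtype.upper(), owner.lower().rstrip("."))
        start = self._next.get(key, 0) % len(records)
        self._next[key] = start + 1
        return records[start:] + records[:start]


# The example statement from this section: random for A records under
# host.example.com, cyclic for everything else.
EXAMPLE = [[OrderSpec("random", "IN", "A", "host.example.com"), OrderSpec("cyclic")]]

if __name__ == "__main__":
    orderer = RRsetOrderer(EXAMPLE)
    for _ in range(3):
        print(orderer.order("IN", "MX", "example.com", ["mx1", "mx2", "mx3"]))
    print(orderer.order("IN", "A", "host.example.com", ["10.0.0.1", "10.0.0.2", "10.0.0.3"]))
```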
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Sets the number of seconds to cache a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding lame server indication. 0 disables caching. (This is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span class="bold"><strong>NOT</strong></span> recommended.)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is <code class="literal">600</code> (10 minutes) and the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding maximum value is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Lame-ttl also controls the amount of time DNSSEC
cfa64348224b66dd1c9979b809406c4d15b1c137fielding validation failures are cached. There is a minimum
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of 30 seconds applied to bad cache entries if the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding lame-ttl is set to less than 30 seconds.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To reduce network traffic and increase performance,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding used to set a maximum retention time for these answers in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding in seconds. The default
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
cfa64348224b66dd1c9979b809406c4d15b1c137fielding 7 days and will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be silently truncated to 7 days if set to a greater value.
<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
Sets the maximum time for which the server will
cache ordinary (positive) answers. The default is
one week (7 days).
A value of zero may cause all queries to return
SERVFAIL, because of lost caches of intermediate
RRsets (such as NS and glue AAAA/A records) in the
resolution process.
<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
The minimum number of root servers
required for a request for the root servers to be
accepted. The default
is <strong class="userinput"><code>2</code></strong>.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Not implemented in <acronym class="acronym">BIND</acronym> 9.
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
is an optional second field which specifies how
long before expiry the signatures will be
regenerated. If not specified, the signatures will
be regenerated at 1/4 of the base interval. The second
field is specified in days if the base interval is
greater than 7 days; otherwise it is specified in hours.
The default base interval is <code class="literal">30</code> days,
giving a re-signing interval of 7 1/2 days. The maximum
values are 10 years (3660 days).
The signature inception time is unconditionally
set to one hour before the current time to allow
for a limited amount of clock skew.
The <span><strong class="command">sig-validity-interval</strong></span>
should be, at least, several multiples of the SOA
expire interval to allow for reasonable interaction
between the various timer and expiry dates.
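The timing rules above are easy to get wrong when choosing a value, so here is a small calculator for them. This Python is an added example, not code from the BIND 9 manual or from named: it implements the rules as the text states them (re-signing at 1/4 of the base interval by default, the second field read as days above a 7-day base and as hours otherwise, the fixed one-hour inception offset, the 3660-day ceiling) and reads "several multiples" of the SOA expire interval as three, which is this example's assumption rather than a figure from the manual.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

MAX_VALIDITY_DAYS = 3660                 # "10 years (3660 days)"
CLOCK_SKEW_ALLOWANCE = timedelta(hours=1)  # inception is always now - 1h


def resign_interval(base_days: int, second_field: Optional[int] = None) -> timedelta:
    """How long before expiry named regenerates a signature.

    No second field: 1/4 of the base interval.  With a second field, the
    unit is days when the base interval is greater than 7 days and hours
    when it is 7 days or less.
    """
    if not 1 <= base_days <= MAX_VALIDITY_DAYS:
        raise ValueError("sig-validity-interval base must be 1..3660 days")
    if second_field is None:
        return timedelta(days=base_days) / 4
    unit = timedelta(days=1) if base_days > 7 else timedelta(hours=1)
    return second_field * unit


def signature_window(base_days: int, second_field: Optional[int] = None,
                     now: Optional[datetime] = None) -> Tuple[datetime, datetime, datetime]:
    """Return (inception, expiration, resign_at) for a signature made now."""
    now = now or datetime.now(timezone.utc)
    inception = now - CLOCK_SKEW_ALLOWANCE
    expiration = now + timedelta(days=base_days)
    resign_at = expiration - resign_interval(base_days, second_field)
    return inception, expiration, resign_at


def validity_covers_soa_expire(base_days: int, soa_expire_seconds: int,
                               multiples: int = 3) -> bool:
    """Check the advice that the validity interval be "several multiples"
    of the SOA expire interval.  `multiples=3` is this example's reading
    of "several"; the manual does not give a number."""
    return timedelta(days=base_days) >= multiples * timedelta(seconds=soa_expire_seconds)


if __name__ == "__main__":
    inc, exp, res = signature_window(30)   # the manual's default base interval
    print("inception ", inc.isoformat(timespec="seconds"))
    print("re-sign at", res.isoformat(timespec="seconds"))
    print("expires   ", exp.isoformat(timespec="seconds"))
    # A 30-day validity against a common one-week SOA expire (604800 s).
    print("covers SOA expire:", validity_covers_soa_expire(30, 604800))
```

With the default of 30 days the calculator reproduces the manual's 7 1/2-day re-signing interval; the SOA check is the one worth keeping in a zone-config lint, because a validity window shorter than the expire interval lets a slave keep serving a zone whose signatures have already lapsed.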
<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
Specify the maximum number of nodes to be
examined in each quantum when signing a zone with
a new DNSKEY. The default is
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
Specify a threshold number of signatures that
will terminate processing a quantum when signing
a zone with a new DNSKEY. The default is
<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
Specify a private RDATA type to be used when generating
key signing records. The default is
It is expected that this parameter may be removed
in a future version once there is a standard type.
These records can be removed from the zone once named
has completed signing the zone with the matching key
using <span><strong class="command">nsupdate</strong></span> or
<span><strong class="command">rndc signing -clear</strong></span>.
<span><strong class="command">rndc signing -clear</strong></span> is the only supported
way to remove these records from
<span><strong class="command">inline-signing</strong></span> zones.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
These options control the server's behavior on refreshing a zone
(querying for SOA changes) or retrying failed transfers.
Usually the SOA values for the zone are used, but these
are set by the master, giving slave server administrators little
control over their contents.
These options allow the administrator to set a minimum and
maximum refresh and retry time either per-zone, per-view, or
globally.
These options are valid for slave and stub zones,
and clamp the SOA refresh and retry times to the specified
values.
The following defaults apply.
<span><strong class="command">min-refresh-time</strong></span> 300 seconds,
<span><strong class="command">max-refresh-time</strong></span> 2419200 seconds
(4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds,
and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds
(2 weeks).
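The cache-TTL options above (lame-ttl, max-ncache-ttl, max-cache-ttl) and the refresh/retry clamps just described share one idea: a value chosen by a remote party (a TTL in an answer, SOA timers set by the master) is capped by local policy before the server acts on it. The following Python is an added example, not code from the manual or from named, that encodes both sets of rules with the manual's defaults so they can be checked against a proposed configuration; the `warnings()` list is this example's own lint, built only from the cautions the text gives.

```python
from dataclasses import dataclass
from typing import List, Tuple

DAY = 86400
WEEK = 7 * DAY


@dataclass
class CachePolicy:
    """Caps named applies to TTLs it did not choose itself, following the
    rules stated for lame-ttl, max-ncache-ttl and max-cache-ttl.
    Field defaults are the manual's."""
    lame_ttl: int = 600            # seconds; 0 disables lame-server caching
    max_ncache_ttl: int = 10800    # 3 hours
    max_cache_ttl: int = WEEK      # 7 days

    def ncache_limit(self) -> int:
        """max-ncache-ttl is silently truncated to 7 days."""
        return min(self.max_ncache_ttl, WEEK)

    def positive_ttl(self, answer_ttl: int) -> int:
        """TTL actually used for an ordinary (positive) answer."""
        return min(answer_ttl, self.max_cache_ttl)

    def negative_ttl(self, ncache_ttl: int) -> int:
        """TTL actually used for a negative answer."""
        return min(ncache_ttl, self.ncache_limit())

    def validation_failure_ttl(self) -> int:
        """Bad-cache entries (DNSSEC validation failures) use lame-ttl but
        never less than 30 seconds; read literally, the floor applies even
        when lame-ttl is 0."""
        return max(self.lame_ttl, 30)

    def warnings(self) -> List[str]:
        """Settings the manual flags as risky or silently adjusted."""
        out = []
        if self.lame_ttl == 0:
            out.append("lame-ttl 0 disables lame-server caching (not recommended)")
        if self.max_cache_ttl == 0:
            out.append("max-cache-ttl 0 may make every query SERVFAIL: "
                       "intermediate RRsets (NS, glue A/AAAA) are not kept")
        if self.max_ncache_ttl > WEEK:
            out.append("max-ncache-ttl above 7 days is silently truncated to 7 days")
        return out


@dataclass
class TransferTimers:
    """Clamps applied to the SOA refresh and retry values a master hands to
    a slave or stub zone; defaults are the manual's."""
    min_refresh: int = 300
    max_refresh: int = 2419200     # 4 weeks
    min_retry: int = 500
    max_retry: int = 1209600       # 2 weeks

    def clamp(self, soa_refresh: int, soa_retry: int) -> Tuple[int, int]:
        """Refresh and retry intervals the slave will actually use."""
        refresh = min(max(soa_refresh, self.min_refresh), self.max_refresh)
        retry = min(max(soa_retry, self.min_retry), self.max_retry)
        return refresh, retry


if __name__ == "__main__":
    policy = CachePolicy(max_cache_ttl=DAY, max_ncache_ttl=30 * DAY)
    print("positive TTL for a 14-day record:", policy.positive_ttl(14 * DAY))
    print("negative TTL for a 20-day SOA minimum:", policy.negative_ttl(20 * DAY))
    for w in policy.warnings():
        print("warning:", w)
    # A master that publishes refresh=60 retry=30 still gets 300/500 here.
    print("clamped refresh/retry:", TransferTimers().clamp(60, 30))
```

The clamps are deliberately asymmetric in what they protect: the cache caps bound how long a bad or stale answer can linger, while the refresh floors stop an over-eager master from making its slaves poll at a rate the slave operator never agreed to.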
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
Sets the initial advertised EDNS UDP buffer size in
bytes, to control the size of packets received from
authoritative servers in response to recursive queries.
Valid values are 512 to 4096 (values outside this range
will be silently adjusted to the nearest value within
it). The default value is 4096.
The usual reason for setting
<span><strong class="command">edns-udp-size</strong></span> to a non-default value
is to get UDP answers to pass through broken firewalls
that block UDP packets that are greater than 512 bytes.
When <span><strong class="command">named</strong></span> first queries a remote
server, it will advertise a UDP buffer size of 512, as
this has the greatest chance of success on the first try.
If the initial response times out, <span><strong class="command">named</strong></span>
will try again with plain DNS, and if that is successful,
it will be taken as evidence that the server does not
support EDNS. After enough failures using EDNS and
successes using plain DNS, <span><strong class="command">named</strong></span>
will default to plain DNS for future communications
with that server. (Periodically, <span><strong class="command">named</strong></span>
will send an EDNS query to see if the situation has
changed.)
However, if the initial query is successful with
EDNS advertising a buffer size of 512, then
<span><strong class="command">named</strong></span> will advertise progressively
larger buffer sizes on successive queries, until
responses begin timing out or
<span><strong class="command">edns-udp-size</strong></span> is reached.
The default buffer sizes used by <span><strong class="command">named</strong></span>
are 512, 1232, 1432, and 4096, but never exceeding
<span><strong class="command">edns-udp-size</strong></span>. (The values 1232 and
1432 are chosen to allow for an IPv4/IPv6 encapsulated
UDP message to be sent without fragmentation at the
minimum MTU sizes for Ethernet and IPv6 networks.)
<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
Sets the maximum EDNS UDP message size
<span><strong class="command">named</strong></span> will send in bytes.
Valid values are 512 to 4096 (values outside this
range will be silently adjusted to the nearest
value within it). The default value is 4096.
This value applies to responses sent by a server; to
set the advertised buffer size in queries, see
<span><strong class="command">edns-udp-size</strong></span>.
The usual reason for setting
<span><strong class="command">max-udp-size</strong></span> to a non-default
value is to get UDP answers to pass through broken firewalls that
block UDP packets that are greater than 512 bytes.
This is independent of the advertised receive
buffer (<span><strong class="command">edns-udp-size</strong></span>).
Setting this to a low value will encourage additional
TCP traffic to the nameserver.
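The two options above describe a per-server probing state machine on the query side and a size cap on the response side. The following Python is an added example, not code from the manual or from named, that models the rules as the text states them: the 512..4096 clamp, the 512/1232/1432/4096 step sequence that never exceeds edns-udp-size, and the fall-back to plain DNS after repeated EDNS timeouts. The fallback threshold and the way the periodic re-check resets the counters are this example's assumptions (the manual says only "after enough failures"), and `response_udp_limit` combines max-udp-size with the client's advertised size, which is general EDNS behaviour rather than a figure from this section.

```python
from typing import List, Optional

UDP_SIZE_MIN, UDP_SIZE_MAX = 512, 4096
DEFAULT_BUFFER_STEPS = (512, 1232, 1432, 4096)   # named's default sequence


def clamp_udp_size(value: int) -> int:
    """Values outside 512..4096 are silently moved to the nearest bound
    (the rule applies to both edns-udp-size and max-udp-size)."""
    return min(max(value, UDP_SIZE_MIN), UDP_SIZE_MAX)


def advertised_buffer_sizes(edns_udp_size: int = 4096) -> List[int]:
    """Buffer sizes advertised on successive successful queries: the default
    steps below the configured limit, then the limit itself, so nothing
    advertised ever exceeds edns-udp-size."""
    limit = clamp_udp_size(edns_udp_size)
    sizes = [s for s in DEFAULT_BUFFER_STEPS if s < limit]
    sizes.append(limit)
    return sizes


def response_udp_limit(max_udp_size: int, client_advertised: Optional[int]) -> int:
    """Largest UDP response a server sends to one client: capped by
    max-udp-size and by the size the client's OPT record advertised; a
    client without EDNS gets the classic 512-byte limit."""
    if client_advertised is None:
        return UDP_SIZE_MIN
    return min(clamp_udp_size(max_udp_size), client_advertised)


class EdnsPeerState:
    """Per-remote-server probing state following the text's rules.
    `fallback_threshold` is an assumption of this example."""

    def __init__(self, edns_udp_size: int = 4096, fallback_threshold: int = 3):
        self.steps = advertised_buffer_sizes(edns_udp_size)
        self.step = 0                  # first query advertises 512
        self.edns_failures = 0
        self.plain_successes = 0
        self.threshold = fallback_threshold
        self.plain_only = False

    def next_query(self) -> Optional[int]:
        """Buffer size to advertise next, or None for a plain DNS query."""
        return None if self.plain_only else self.steps[self.step]

    def edns_response(self, timed_out: bool) -> None:
        if timed_out:
            self.edns_failures += 1    # named now retries with plain DNS
        else:
            # success: grow the advertised size, stopping at edns-udp-size
            self.step = min(self.step + 1, len(self.steps) - 1)

    def plain_dns_response(self, timed_out: bool) -> None:
        if not timed_out:
            self.plain_successes += 1
        if (self.edns_failures >= self.threshold
                and self.plain_successes >= self.threshold):
            self.plain_only = True     # server treated as not supporting EDNS

    def periodic_recheck(self) -> None:
        """Model the periodic EDNS re-probe by restarting from 512."""
        self.plain_only = False
        self.edns_failures = self.plain_successes = 0
        self.step = 0


if __name__ == "__main__":
    print("sizes with edns-udp-size 1400:", advertised_buffer_sizes(1400))
    peer = EdnsPeerState(fallback_threshold=2)
    for _ in range(2):                 # two EDNS timeouts, two plain successes
        peer.edns_response(timed_out=True)
        peer.plain_dns_response(timed_out=False)
    print("next query after fallback:", peer.next_query())   # None = plain DNS
    print("response cap, client advertised 1232:", response_udp_limit(4096, 1232))
```

Setting edns-udp-size to 1232 on a resolver behind a firewall that drops fragments is the common tuning; the model shows why it is harmless for servers that answer fine at 512, since the first query is unaffected and only the growth ceiling changes.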
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<p>Specifies
the file format of zone files (see
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
The default value is <code class="constant">text</code>, which is the
standard textual representation, except for slave zones,
in which the default value is <code class="constant">raw</code>.
Files in formats other than <code class="constant">text</code> are
typically expected to be generated by the
<span><strong class="command">named-compilezone</strong></span> tool, or dumped by
<span><strong class="command">named</strong></span>.
Note that when a zone file in a format other than
<code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
may omit some of the checks which would be performed for a
file in the <code class="constant">text</code> format. In particular,
<span><strong class="command">check-names</strong></span> checks do not apply
to the <code class="constant">raw</code> format. This means
a zone file in the <code class="constant">raw</code> format
must be generated with the same check level as that
specified in the <span><strong class="command">named</strong></span> configuration
file. Also, <code class="constant">map</code> format files are
loaded directly into memory via memory mapping, with only
minimal checking.
This statement sets the
<span><strong class="command">masterfile-format</strong></span> for all zones,
but can be overridden on a per-zone or per-view basis
by including a <span><strong class="command">masterfile-format</strong></span>
statement within the <span><strong class="command">zone</strong></span> or
<span><strong class="command">view</strong></span> block in the configuration
file.
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
<p>These set the
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(<qname,qtype,qclass>) that the server will accept
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
self-tune this value and changes will be logged. The
default values are 10 and 100.
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
estimate will then be lowered in 20 minutes if it has
remained unchanged.
If <span><strong class="command">clients-per-query</strong></span> is set to zero,
then there is no limit on the number of clients per query
and no queries will be dropped.
If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
then there is no upper bound other than that imposed by
<span><strong class="command">recursive-clients</strong></span>.
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
The delay, in seconds, between sending sets of notify
messages for a zone. The default is five (5) seconds.
The overall rate that NOTIFY messages are sent for all
zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
The maximum RSA exponent size, in bits, that will
be accepted when validating. Valid values are 35
to 4096 bits. The default zero (0) is also accepted
and is equivalent to 4096.
<dt><span class="term"><span><strong class="command">prefetch</strong></span></span></dt>
When a query is received for cached data which
is to expire shortly, <span><strong class="command">named</strong></span> can
refresh the data from the authoritative server
immediately, ensuring that the cache always has an
answer available.
The <code class="option">prefetch</code> specifies the
"trigger" TTL value at which prefetch of the current
query will take place: when a cache record with a
lower TTL value is encountered during query processing,
it will be refreshed. Valid trigger TTL values are 1 to
10 seconds. Setting a trigger TTL to zero disables
prefetching.
An optional second argument can be used
to set the smallest <span class="emphasis"><em>original</em></span>
TTL value that will be accepted for a record to be
eligible for prefetching. The difference between
the trigger TTL and the eligibility TTL must be
at least 6 seconds.
The default trigger and eligibility TTLs are
<code class="literal">2</code> and <code class="literal">9</code>,
respectively.
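The prefetch decision has three inputs (the record's remaining TTL, its original TTL, and the two configured thresholds) and a validity rule on the thresholds themselves. The following Python is an added example, not code from the manual or from named, that validates a `prefetch` setting exactly as the text constrains it (trigger 1..10, 0 disables, eligibility at least 6 seconds above the trigger) and then applies the documented per-record test; the default pair 2/9 is the manual's.

```python
from typing import Optional, Tuple

TRIGGER_MIN, TRIGGER_MAX = 1, 10        # valid trigger TTLs, in seconds
MIN_TRIGGER_ELIGIBILITY_GAP = 6         # eligibility - trigger must be >= 6
DEFAULT_TRIGGER, DEFAULT_ELIGIBILITY = 2, 9


def validate_prefetch(trigger: int,
                      eligibility: int = DEFAULT_ELIGIBILITY) -> Optional[Tuple[int, int]]:
    """Validate a `prefetch <trigger> [<eligibility>]` setting.

    Returns None when the trigger is 0 (prefetching disabled), otherwise the
    (trigger, eligibility) pair; raises ValueError for the combinations the
    manual rules out.
    """
    if trigger == 0:
        return None
    if not TRIGGER_MIN <= trigger <= TRIGGER_MAX:
        raise ValueError("prefetch trigger TTL must be 1..10 seconds (0 disables)")
    if eligibility - trigger < MIN_TRIGGER_ELIGIBILITY_GAP:
        raise ValueError("eligibility TTL must be at least 6 seconds above the trigger TTL")
    return trigger, eligibility


def should_prefetch(remaining_ttl: int, original_ttl: int,
                    trigger: int = DEFAULT_TRIGGER,
                    eligibility: int = DEFAULT_ELIGIBILITY) -> bool:
    """Decide whether a cache hit should trigger an immediate refresh from
    the authoritative server: the record's remaining TTL is below the
    trigger and its original TTL was at least the eligibility value."""
    settings = validate_prefetch(trigger, eligibility)
    if settings is None:
        return False
    trig, elig = settings
    return remaining_ttl < trig and original_ttl >= elig


if __name__ == "__main__":
    # Constructed cache records: (name, remaining TTL, original TTL).
    records = [("www.example.test", 1, 300),    # about to expire: refresh
               ("api.example.test", 2, 300),    # not yet below the trigger
               ("tmp.example.test", 1, 5)]      # too short-lived to qualify
    for name, remaining, original in records:
        print(f"{name:20} prefetch={should_prefetch(remaining, original)}")
```

The eligibility floor is what keeps prefetch from amplifying traffic: a record published with a 5-second TTL would otherwise be re-fetched on nearly every hit, which is why the manual requires the gap between the two values.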
<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
The server provides some helpful diagnostic information
through a number of built-in zones under the
pseudo-top-level-domain <code class="literal">bind</code> in the
<span><strong class="command">CHAOS</strong></span> class. These zones are part
of a built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of class
<span><strong class="command">CHAOS</strong></span> which is separate from the
default view of class <span><strong class="command">IN</strong></span>. Most global
configuration options (<span><strong class="command">allow-query</strong></span>,
etc.) will apply to this view, but some are locally
overridden: <span><strong class="command">notify</strong></span>,
<span><strong class="command">recursion</strong></span> and
<span><strong class="command">allow-new-zones</strong></span> are
always set to <strong class="userinput"><code>no</code></strong>, and
<span><strong class="command">rate-limit</strong></span> is set to allow
three responses per second.
If you need to disable these zones, use the options
below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
view by defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
that matches all clients.
<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
The version the server should report
via a query of the name <code class="literal">version.bind</code>
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The default is the real version number of this server.
Specifying <span><strong class="command">version none</strong></span>
disables processing of the queries.
<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
The hostname the server should report via a query of
the name <code class="filename">hostname.bind</code>
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
This defaults to the hostname of the machine hosting the
name server as
found by the gethostname() function. The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
disables processing of the queries.
<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
The ID the server should report when receiving a Name
Server Identifier (NSID) query, or a query of the name
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
disables processing of the queries.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
use the hostname as found by the gethostname() function.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
Named has some built-in empty zones (SOA and NS records only).
These are for zones that should normally be answered locally
and whose queries should not be sent to the Internet's root
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespaces for addresses from
RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
reverse namespace for IPv6 local addresses (locally assigned),
IPv6 link-local addresses, the IPv6 loopback address and the
IPv6 unknown address.
Named will attempt to determine if a built-in zone already exists
or is active (covered by a forward-only forwarding declaration)
and will not create an empty zone in that case.
The current list of empty zones is:
<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
Empty zones are settable at the view level and only apply to
views of class IN. Disabled empty zones are only inherited
from options if there are no disabled empty zones specified
at the view level. To override the options list of disabled
zones, you can disable the root zone at the view level, for example:
disable-empty-zone ".";
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears not to be the case, with many queries
being made to the infrastructure servers for names in these
spaces; so many, in fact, that sacrificial servers had to be
deployed to channel the query load away from the
infrastructure servers.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
The real parent servers for these zones should disable all
empty zones under the parent zone they serve. For the real
root servers, this is all built-in empty zones. This will
enable them to return referrals to deeper in the tree.
<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
Specify what server name will appear in the returned
SOA record for empty zones. If none is specified, then
the zone's name will be used.
<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
Specify what contact name will appear in the returned
SOA record for empty zones. If none is specified, then
"." will be used.
<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
Enable or disable all empty zones. By default, they
are enabled.
<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
Disable individual empty zones. By default, none are
disabled. This option can be specified multiple times.
<a name="acache"></a>Additional Section Caching</h4></div></div></div>
The additional section cache, also called <span><strong class="command">acache</strong></span>,
is an internal cache to improve the response performance of BIND 9.
When additional section caching is enabled, BIND 9 will
cache an internal short-cut to the additional section content for
each answer RR.
Note that <span><strong class="command">acache</strong></span> is an internal caching
mechanism of BIND 9, and is not related to the DNS caching
server function.
Additional section caching does not change the
response content (except the RRset ordering of the additional
section, see below), but can improve the response performance
significantly.
It is particularly effective when BIND 9 acts as an authoritative
server for a zone that has many delegations with many glue RRs.
In order to obtain the maximum performance improvement
from additional section caching, setting
<span><strong class="command">additional-from-cache</strong></span>
to <span><strong class="command">no</strong></span> is recommended, since the current
implementation of <span><strong class="command">acache</strong></span>
does not short-cut additional section information from the
DNS cache data.
One obvious disadvantage of <span><strong class="command">acache</strong></span> is
that it requires much more
memory for the internal cached data.
Thus, if the response performance does not matter and memory
consumption is much more critical, the
<span><strong class="command">acache</strong></span> mechanism can be
disabled by setting <span><strong class="command">acache-enable</strong></span> to
It is also possible to specify the upper limit of memory
consumption
for acache by using <span><strong class="command">max-acache-size</strong></span>.
Additional section caching also has a minor effect on the
RRset ordering in the additional section.
Without <span><strong class="command">acache</strong></span>,
<span><strong class="command">cyclic</strong></span> order is effective for the additional
section as well as the answer and authority sections.
However, additional section caching fixes the ordering when it
first caches an RRset for the additional section, and the same
ordering will be kept in succeeding responses, regardless of the
setting of <span><strong class="command">rrset-order</strong></span>.
The effect of this should be minor, however, since an
RRset in the additional section
typically only contains a small number of RRs (and in many cases
it only contains a single RR), in which case the
ordering does not matter much.
The following is a summary of options related to
<span><strong class="command">acache</strong></span>.
<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
If <span><strong class="command">yes</strong></span>, additional section caching is
enabled. The default value is <span><strong class="command">no</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
The server will remove stale cache entries, based on an LRU
algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
The default is 60 minutes.
If set to 0, no periodic cleaning will occur.
<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
The maximum amount of memory in bytes to use for the server's acache.
When the amount of data in the acache reaches this limit,
will clean more aggressively so that the limit is not
In a server with multiple views, the limit applies
separately to the
acache of each view.
<a name="id2589052"></a>Content Filtering</h4></div></div></div>
<acronym class="acronym">BIND</acronym> 9 provides the ability to filter
out DNS responses from external DNS servers containing
certain types of data in the answer section.
Specifically, it can reject address (A or AAAA) records if
the corresponding IPv4 or IPv6 addresses match the given
<code class="varname">address_match_list</code> of the
<span><strong class="command">deny-answer-addresses</strong></span> option.
It can also reject CNAME or DNAME records if the "alias"
name (i.e., the CNAME alias or the substituted query name
due to DNAME) matches the
<span><strong class="command">deny-answer-aliases</strong></span> option, where
"match" means the alias name is a subdomain of one of
the <code class="varname">name_list</code> elements.
If the optional <code class="varname">namelist</code> is specified
with <span><strong class="command">except-from</strong></span>, records whose query name
matches the list will be accepted regardless of the filter
Likewise, if the alias name is a subdomain of the
corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
filter will not apply;
for example, even if "example.com" is specified for
<span><strong class="command">deny-answer-aliases</strong></span>,
<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
returned by an "example.com" server will be accepted.
In the <code class="varname">address_match_list</code> of the
<span><strong class="command">deny-answer-addresses</strong></span> option, only
are meaningful;
any <code class="varname">key_id</code> will be silently ignored.
If a response message is rejected due to the filtering,
the entire message is discarded without being cached, and
a SERVFAIL error will be returned to the client.
This filtering is intended to prevent "DNS rebinding attacks," in
which an attacker, in response to a query for a domain name the
attacker controls, returns an IP address within your own network or
an alias name within your own domain.
A naive web browser or script could then serve as an
unintended proxy, allowing the attacker
to get access to an internal node of your local network
that couldn't be externally accessed otherwise.
See the paper available at
<a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
http://portal.acm.org/citation.cfm?id=1315245.1315298</a>
for more details about the attacks.
For example, if you own a domain named "example.net" and
your internal network uses an IPv4 prefix 192.0.2.0/24,
you might specify the following rules:
<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
deny-answer-aliases { "example.net"; };</pre>
If an external attacker lets a web browser in your local
network look up an IPv4 address of "attacker.example.com",
the attacker's DNS server would return a response like this:
<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
in the answer section.
Since the rdata of this record (the IPv4 address) matches
the specified prefix 192.0.2.0/24, this response will be
On the other hand, if the browser looks up a legitimate
internal web server "www.example.net" and the
following response is returned to
the <acronym class="acronym">BIND</acronym> 9 server
<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
it will be accepted since the owner name "www.example.net"
matches the <span><strong class="command">except-from</strong></span> element,
Note that this is not really an attack on the DNS per se.
In fact, from the DNS point of view there is nothing wrong
with an "external" name being mapped to your "internal" IP
address or domain name.
It might actually be provided for a legitimate purpose,
such as for debugging.
As long as the mapping is provided by the correct owner,
it is neither possible nor meaningful to determine within
the DNS whether the intent of the mapping is legitimate.
The "rebinding" attack must primarily be guarded against at the
application that uses the DNS.
For a large site, however, it may be difficult to protect
all possible applications at once.
This filtering feature is provided only to help such an
operational environment;
turning it on is generally discouraged unless you are
very sure you have no other choice and the attack is a
real threat to your applications.
Particular care should be taken if you want to use this
option for addresses within 127.0.0.0/8.
These addresses are obviously "internal", but many
applications conventionally rely on a DNS mapping from
some name to such an address.
Spuriously filtering out DNS records containing such an
address can break those applications.
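The filter rules above, modelled as an added Python example that is not BIND 9 code: the policy dictionary, the record tuples and the responding server's zone are constructed inputs of this example, and except-from is applied only to the address filter, as in the sample rules.

```python
"""Model of the deny-answer-addresses / deny-answer-aliases checks.

Added illustration, not BIND 9 code. The policy structure, the
(owner, rtype, rdata) tuples and the responding server's zone are
constructed for the example; except-from is applied to the address
filter only, as in the sample rules.
"""
import ipaddress


def _canon(name):
    """Lower-case a domain name and drop the trailing dot."""
    return name.lower().rstrip(".")


def is_subdomain(name, parent):
    """True if name is parent itself or lies below it in the tree."""
    n, p = _canon(name), _canon(parent)
    return n == p or n.endswith("." + p)


def in_name_list(name, name_list):
    return any(is_subdomain(name, n) for n in name_list)


def in_address_list(addr, prefixes):
    """Only addresses/prefixes are meaningful; key_ids are ignored."""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p, strict=False) for p in prefixes)


def dname_substitute(qname, owner, target):
    """The name a query is redirected to by a DNAME record."""
    q, o = _canon(qname), _canon(owner)
    if not q.endswith("." + o):
        raise ValueError("DNAME owner is not a parent of the query name")
    return q[: -len(o)] + _canon(target)


def filter_response(qname, answer, responding_zone, policy):
    """Apply both filters to the answer section of one response.

    answer:          list of (owner, rtype, rdata) tuples
    responding_zone: zone served by the server that sent the response
    policy:          {"deny_addrs": [...], "except_from": [...],
                      "deny_aliases": [...]}
    Returns ("ACCEPT", None) or ("SERVFAIL", reason); a rejected
    message is discarded whole and must not be cached.
    """
    for owner, rtype, rdata in answer:
        if rtype in ("A", "AAAA"):
            # except-from: query names under the listed zones always pass.
            if in_name_list(qname, policy.get("except_from", ())):
                continue
            if in_address_list(rdata, policy.get("deny_addrs", ())):
                return "SERVFAIL", f"{owner} {rtype} {rdata} in deny-answer-addresses"
        elif rtype in ("CNAME", "DNAME"):
            alias = rdata if rtype == "CNAME" else dname_substitute(qname, owner, rdata)
            # An alias inside the responding server's own zone is legitimate.
            if is_subdomain(alias, responding_zone):
                continue
            if in_name_list(alias, policy.get("deny_aliases", ())):
                return "SERVFAIL", f"alias {alias} in deny-answer-aliases"
    return "ACCEPT", None


# Constructed policy mirroring the example rules for "example.net".
POLICY = {
    "deny_addrs": ["192.0.2.0/24"],
    "except_from": ["example.net"],
    "deny_aliases": ["example.net"],
}

if __name__ == "__main__":
    print(filter_response("attacker.example.com",
                          [("attacker.example.com.", "A", "192.0.2.1")],
                          "example.com", POLICY))
    print(filter_response("www.example.net",
                          [("www.example.net.", "A", "192.0.2.2")],
                          "example.net", POLICY))
```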
<a name="id2589178"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
<acronym class="acronym">BIND</acronym> 9 includes a limited
mechanism to modify DNS responses for requests
analogous to email anti-spam DNS blacklists.
Responses can be changed to deny the existence of domains (NXDOMAIN),
deny the existence of IP addresses for domains (NODATA),
or contain other IP addresses or data.
Response policy zones are named in the
<span><strong class="command">response-policy</strong></span> option for the view or among the
global options if there is no response-policy option for the view.
Response policy zones are ordinary DNS zones containing RRsets
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
<span><strong class="command">allow-query { localhost; };</strong></span>.
A <span><strong class="command">response-policy</strong></span> option can support
multiple policy zones. To maximize performance, a radix
tree is used to quickly identify response policy zones
containing triggers that match the current query. This
imposes an upper limit of 32 on the number of policy zones
in a single <span><strong class="command">response-policy</strong></span> option; more
than that is a configuration error.
Five policy triggers can be encoded in RPZ records.
<dt><span class="term"><span><strong class="command">RPZ-CLIENT-IP</strong></span></span></dt>
IP records are triggered by the IP address of the
DNS client.
Client IP address triggers are encoded in records that have
owner names that are subdomains of
<span><strong class="command">rpz-client-ip</strong></span> relativized to the
policy zone origin name
and encode an address or address block.
IPv4 addresses are represented as
<strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
The IPv4 prefix length must be between 1 and 32.
All four bytes, B4, B3, B2, and B1, must be present.
B4 is the decimal value of the least significant byte of the
IPv4 address as in IN-ADDR.ARPA.
IPv6 addresses are encoded in a format similar
to the standard IPv6 text representation,
<strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
Each of W8,...,W1 is a one to four digit hexadecimal number
representing 16 bits of the IPv6 address as in the standard
text representation of IPv6 addresses,
but reversed as in IN-ADDR.ARPA.
All 8 words must be present except when one set of consecutive
zero words is replaced with <strong class="userinput"><code>.zz.</code></strong>
analogous to double colons (::) in standard IPv6 text
The IPv6 prefix length must be between 64 and 128.
<dt><span class="term"><span><strong class="command">QNAME</strong></span></span></dt>
QNAME policy records are triggered by query names of
requests and targets of CNAME records resolved to generate
the response.
The owner name of a QNAME policy record is
the query name relativized to the policy zone.
<dt><span class="term"><span><strong class="command">RPZ-IP</strong></span></span></dt>
IP triggers are IP addresses in an
A or AAAA record in the ANSWER section of a response.
They are encoded like client-IP triggers except as
subdomains of <span><strong class="command">rpz-ip</strong></span>.
<dt><span class="term"><span><strong class="command">RPZ-NSDNAME</strong></span></span></dt>
NSDNAME triggers match names of authoritative servers
for the query name, a parent of the query name, a CNAME for
the query name, or a parent of a CNAME.
They are encoded as subdomains of
<span><strong class="command">rpz-nsdname</strong></span> relativized
to the RPZ origin name.
NSIP triggers match IP addresses in A and
AAAA RRsets for domains that can be checked against NSDNAME
policy records.
<dt><span class="term"><span><strong class="command">RPZ-NSIP</strong></span></span></dt>
NSIP triggers are encoded like IP triggers except as
subdomains of <span><strong class="command">rpz-nsip</strong></span>.
NSDNAME and NSIP triggers are checked only for names with at
least <span><strong class="command">min-ns-dots</strong></span> dots.
The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
exclude top level domains.
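The rpz-ip, rpz-client-ip and rpz-nsip owner-name encoding described above, as an added Python example that is not BIND 9 code: it turns a CIDR block into the relativized owner name and decodes it back; the trigger label is a parameter, and collapsing the longest run of zero words into zz is an assumption of this example.

```python
"""Encode and decode RPZ address-trigger owner names.

Added illustration, not BIND 9 code. The caller supplies the trigger
label (rpz-ip, rpz-client-ip or rpz-nsip); the zone origin is left off
because the names are relativized to the policy zone. Sample networks
are constructed for the example.
"""
import ipaddress


def _compress_zero_run(words):
    """Replace the longest run of two or more zero words with 'zz'.

    The text allows one set of consecutive zero words to become 'zz';
    picking the longest run mirrors the '::' convention (assumption).
    """
    best_start, best_len, i = -1, 0, 0
    while i < len(words):
        if words[i] != "0":
            i += 1
            continue
        j = i
        while j < len(words) and words[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return words
    return words[:best_start] + ["zz"] + words[best_start + best_len:]


def encode_rpz_address(network, trigger="rpz-ip"):
    """CIDR block -> 'prefixlength.<reversed address>.<trigger>'.

    IPv4: four decimal bytes, least significant first (B4.B3.B2.B1).
    IPv6: eight hex words without leading zeros, reversed, with at most
    one zero run collapsed to 'zz'.
    """
    net = ipaddress.ip_network(network, strict=True)
    plen = net.prefixlen
    if net.version == 4:
        if not 1 <= plen <= 32:
            raise ValueError("IPv4 prefix length must be between 1 and 32")
        labels = list(reversed(str(net.network_address).split(".")))
    else:
        if not 64 <= plen <= 128:
            raise ValueError("IPv6 prefix length must be between 64 and 128")
        exploded = net.network_address.exploded.split(":")
        words = [f"{int(w, 16):x}" for w in reversed(exploded)]
        labels = _compress_zero_run(words)
    return ".".join([str(plen), *labels, trigger])


def decode_rpz_address(owner):
    """Inverse of encode_rpz_address: owner name -> (ip_network, trigger)."""
    labels = owner.rstrip(".").split(".")
    plen, trigger, body = int(labels[0]), labels[-1], labels[1:-1]
    if len(body) == 4 and all(label.isdigit() for label in body):
        addr = ".".join(reversed(body))  # B1.B2.B3.B4 order again
    else:
        if body.count("zz") > 1:
            raise ValueError("only one 'zz' run is allowed")
        if "zz" in body:
            k = body.index("zz")
            body = body[:k] + ["0"] * (9 - len(body)) + body[k + 1:]
        if len(body) != 8:
            raise ValueError("IPv6 trigger needs eight words or a 'zz' run")
        addr = ":".join(reversed(body))
    # strict=True rejects owner names whose host bits are set.
    return ipaddress.ip_network(f"{addr}/{plen}", strict=True), trigger


if __name__ == "__main__":
    for net in ("192.0.2.0/24", "2001:db8::/64", "2001:db8::1/128"):
        name = encode_rpz_address(net)
        print(net, "->", name, "->", decode_rpz_address(name)[0])
```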
The query response is checked against all response policy zones,
so two or more policy records can be triggered by a response.
Because DNS responses are rewritten according to at most one
policy record, a single record encoding an action (other than
<span><strong class="command">DISABLED</strong></span> actions) must be chosen.
Triggers or the records that encode them are chosen for the
rewriting in the following order:
<li>Choose the triggered record in the zone that appears
first in the <span><strong class="command">response-policy</strong></span> option.</li>
<li>Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP
triggers in a single zone.</li>
<li>Among NSDNAME triggers, prefer the
trigger that matches the smallest name under the DNSSEC ordering.</li>
<li>Among IP or NSIP triggers, prefer the trigger
with the longest prefix.</li>
<li>Among triggers with the same prefix length,
prefer the IP or NSIP trigger that matches
the smallest IP address.</li>
When the processing of a response is restarted to resolve
DNAME or CNAME records and a policy record set has
not been triggered,
all response policy zones are again consulted for the
DNAME or CNAME names and addresses.
RPZ record sets are any types of DNS record except
DNAME or DNSSEC that encode actions or responses to
individual queries.
Any of the policies can be used with any of the triggers.
For example, while the <span><strong class="command">TCP-only</strong></span> policy is
commonly used with <span><strong class="command">client-IP</strong></span> triggers,
it can be used with any type of trigger to force the use of
TCP for responses with owner names in a zone.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">PASSTHRU</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The whitelist policy is specified
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by a CNAME whose target is <span><strong class="command">rpz-passthru</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It causes the response to not be rewritten
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and is most often used to "poke holes" in policies for
cfa64348224b66dd1c9979b809406c4d15b1c137fielding CIDR blocks.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">DROP</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The blacklist policy is specified
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by a CNAME whose target is <span><strong class="command">rpz-drop</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It causes the response to be discarded.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Nothing is sent to the DNS client.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">TCP-Only</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The "slip" policy is specified
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by a CNAME whose target is <span><strong class="command">rpz-tcp-only</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It changes UDP responses to short, truncated DNS responses
cfa64348224b66dd1c9979b809406c4d15b1c137fielding that require the DNS client to try again with TCP.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It is used to mitigate distributed DNS reflection attacks.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">NXDOMAIN</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The domain undefined response is encoded
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by a CNAME whose target is the root domain (.)
<dt><span class="term"><span><strong class="command">NODATA</strong></span></span></dt>
 The empty set of resource records is specified by a
 CNAME whose target is the wildcard top-level
 domain (*.).
 It rewrites the response to NODATA or ANCOUNT=1.
<dt><span class="term"><span><strong class="command">Local Data</strong></span></span></dt>
 A set of ordinary DNS records can be used to answer queries.
 Queries for record types not in the set are answered with
 A special form of local data is a CNAME whose target is a
 wildcard such as *.example.com.
 It is used as if it were an ordinary CNAME after the asterisk (*)
 has been replaced with the query name.
 The purpose of this special form is query logging in the
 walled garden's authoritative DNS server.
 All of the actions specified in all of the individual records
 in a policy zone
 can be overridden with a <span><strong class="command">policy</strong></span> clause in the
 <span><strong class="command">response-policy</strong></span> option.
 An organization using a policy zone provided by another
 organization might use this mechanism to redirect domains
 to its own walled garden.
<dt><span class="term"><span><strong class="command">GIVEN</strong></span></span></dt>
<dd><p>The placeholder policy says "do not override but
 perform the action specified in the zone."
<dt><span class="term"><span><strong class="command">DISABLED</strong></span></span></dt>
 The testing override policy causes policy zone records to do
 nothing but log what they would have done if the
 policy zone were not disabled.
 The response to the DNS query will be written (or not)
 according to any triggered policy records that are not
 Disabled policy zones should appear first,
 because they will often not be logged
 if a higher precedence trigger is found first.
<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span>
 override with the corresponding per-record policy.
<dt><span class="term"><span><strong class="command">CNAME domain</strong></span></span></dt>
 causes all RPZ policy records to act as if they were
 "cname domain" records.
 By default, the actions encoded in a response policy zone
 are applied only to queries that ask for recursion (RD=1).
 That default can be changed for a single policy zone or
 all response policy zones in a view
 with a <span><strong class="command">recursive-only no</strong></span> clause.
 This feature is useful for serving the same zone files
 both inside and outside an RFC 1918 cloud and using RPZ to
 delete answers that would otherwise contain RFC 1918 values
 on the externally visible name server or view.
 Also by default, RPZ actions are applied only to DNS requests
 that either do not request DNSSEC metadata (DO=0) or when no
 DNSSEC records are available for the request name in the original
 zone (not the response policy zone). This default can be
 changed for all response policy zones in a view with a
 <span><strong class="command">break-dnssec yes</strong></span> clause. In that case, RPZ
 actions are applied regardless of DNSSEC. The name of the
 clause option reflects the fact that results rewritten by RPZ
 actions cannot verify.
 No DNS records are needed for a QNAME or Client-IP trigger.
 The name or IP address itself is sufficient,
 so in principle the query name need not be recursively resolved.
 However, not resolving the requested
 name can leak the fact that response policy rewriting is in use
 and that the name is listed in a policy zone to operators of
 servers for listed names. To prevent that information leak, by
 default any recursion needed for a request is done before any
 policy triggers are considered. Because listed domains often
 have slow authoritative servers, this default behavior can cost
 significant time.
 The <span><strong class="command">qname-wait-recurse no</strong></span> option
 overrides that default behavior when recursion cannot
 change a non-error response.
 The option does not affect QNAME or client-IP triggers
 in policy zones listed
 after other zones containing IP, NSIP and NSDNAME triggers, because
 those may depend on the A, AAAA, and NS records that would be
 found during recursive resolution. It also does not affect
 DNSSEC requests (DO=1) unless <span><strong class="command">break-dnssec yes</strong></span>
 is in use, because the response would depend on whether or not
 RRSIG records were found during resolution.
 Using this option can cause error responses such as SERVFAIL to
 appear to be rewritten, since no recursion is being done to
 discover problems at the authoritative server.
 The TTL of a record modified by RPZ policies is set from the
 TTL of the relevant record in the policy zone. It is then limited
 to a maximum value.
 The <span><strong class="command">max-policy-ttl</strong></span> clause changes that
 maximum from its default of 5.
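 The clauses described above (the per-zone <span><strong class="command">policy</strong></span> override, <span><strong class="command">recursive-only</strong></span>, <span><strong class="command">break-dnssec</strong></span>, <span><strong class="command">qname-wait-recurse</strong></span> and <span><strong class="command">max-policy-ttl</strong></span>) combine in a single <span><strong class="command">response-policy</strong></span> statement. The following is an added illustration written for this page, not a statement taken from the manual or from a shipped configuration: the zone names "disabled-test" and "vendor-list", the garden.example.com target and the 300-second TTL cap are constructed values, and the grammar (per-zone clauses inside the braces, view-wide clauses after the closing brace) is the BIND 9.10 form.

```conf
response-policy {
    # Listed first so that its hits are logged before a higher-precedence
    # zone can shadow them; "policy disabled" logs and never rewrites.
    zone "disabled-test" policy disabled;

    # Per-record actions as written in the zone file ("policy given" is the default).
    zone "badlist";

    # A third-party feed whose actions are all replaced by one local-data CNAME,
    # applied even to non-recursive (RD=0) queries.
    zone "vendor-list" policy cname garden.example.com recursive-only no;
} qname-wait-recurse no   # do not resolve first when recursion cannot change the answer
  break-dnssec yes        # rewrite DO=1 queries too; rewritten answers will not validate
  max-policy-ttl 300;     # constructed cap on the TTL of rewritten records
```

 With <span><strong class="command">break-dnssec yes</strong></span> a validating resolver behind this server will see rewritten answers fail validation, so that setting only makes sense where the rewriting server is itself the last validator in the path; with <span><strong class="command">qname-wait-recurse no</strong></span>, remember that the server will no longer discover SERVFAIL conditions at the authoritative side for listed names.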
 For example, you might use this option statement
<pre class="programlisting"> response-policy { zone "badlist"; };</pre>
 and this zone statement
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
 with this zone file
<pre class="programlisting">@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
 NS LOCALHOST.
; QNAME policy records. There are no periods (.) after the owner names.
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
 AAAA 2001:2::1
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
; IP policy records that rewrite all responses containing A records in 127/8
; except 127.0.0.1
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
; NSDNAME and NSIP policy records
; blacklist and whitelist some DNS clients
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.</pre>
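 The matching rules the zone file above relies on (QNAME owners with and without a leading wildcard, the special CNAME targets that encode NXDOMAIN, NODATA, PASSTHRU and TCP-Only, the prefix-length-then-reversed-octets encoding of <span><strong class="command">rpz-ip</strong></span> and <span><strong class="command">rpz-client-ip</strong></span> owners, and the zone-wide <span><strong class="command">policy</strong></span> override) can be exercised with the following Python model. It is an added example written for this page, not BIND's own code or a description of its internals: the policy zone it uses is constructed from the zone file above, the *.bzone.domain.com and 127/8 records are reconstructed from that file's comments rather than copied from it, the rpz-drop. target is assumed from the DROP policy named earlier, and the wildcard lookup is a simplified closest-enclosing-name search.

```python
"""Model of BIND 9 RPZ trigger matching and policy decoding. Added example,
not BIND's own code: it reproduces the owner-name conventions of the zone
file above (QNAME owners without trailing dots, '*.' wildcards, and the
prefixlen.reversed-octets.rpz-ip encoding) and the per-zone 'policy' override."""
import ipaddress

# Special CNAME targets and the policy action each one encodes.
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-tcp-only.": "TCP-Only",
    "rpz-drop.": "DROP",   # assumption: the DROP target is not shown in the excerpt above
}
# Values of the zone-wide 'policy' clause that replace the record's own action.
OVERRIDES = {"passthru": "PASSTHRU", "drop": "DROP", "tcp-only": "TCP-Only",
             "nxdomain": "NXDOMAIN", "nodata": "NODATA"}


def rpz_ip_owner(cidr, suffix="rpz-ip"):
    """IPv4 block -> RPZ owner: prefix length, then the octets reversed, then the suffix.
    127.0.0.1/32 -> 32.1.0.0.127.rpz-ip; 10.1.0.0/16 -> 16.0.0.1.10.rpz-client-ip."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}.{'.'.join(reversed(octets))}.{suffix}"


def rpz_ip_network(owner, suffix):
    """Inverse of rpz_ip_owner: decode an owner name back into an IPv4Network."""
    labels = owner[:-(len(suffix) + 1)].split(".")
    plen, octets = int(labels[0]), labels[1:]
    return ipaddress.IPv4Network(f"{'.'.join(reversed(octets))}/{plen}", strict=False)


def decode_action(rdtype, rdata, qname):
    """Map one policy record to (action, rewritten rdata or None)."""
    if rdtype == "CNAME":
        if rdata in SPECIAL_TARGETS:
            return SPECIAL_TARGETS[rdata], None
        if rdata.startswith("*."):          # wildcard local data: '*' becomes the query name
            return "Local Data", "CNAME " + qname + rdata[1:]
    return "Local Data", f"{rdtype} {rdata}"


def qname_trigger(records, qname):
    """QNAME trigger lookup: the exact owner first, then '*.' at each enclosing name."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        if owner in records:
            return owner, records[owner]
    return None


def ip_trigger(records, addresses, suffix="rpz-ip"):
    """IP / Client-IP trigger: longest-prefix match of addresses against rpz-ip owners."""
    best = None
    for owner, rrs in records.items():
        if not owner.endswith("." + suffix):
            continue
        net = rpz_ip_network(owner, suffix)
        if any(ipaddress.IPv4Address(a) in net for a in addresses):
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, owner, rrs)
    return None if best is None else (best[1], best[2])


def apply_policy(rrs, qname, policy="given"):
    """Apply the zone-wide 'policy' clause to a triggered record set.
    Returns (action, rdata, rewrite); rewrite is False under 'disabled' (log only)."""
    action, data = decode_action(rrs[0][0], rrs[0][1], qname)
    if policy == "given":
        return action, data, True
    if policy == "disabled":
        return action, data, False
    if policy.startswith("cname "):         # 'policy cname domain'
        return "Local Data", "CNAME " + policy[len("cname "):], True
    return OVERRIDES[policy], None, True


# Constructed policy zone mirroring the zone file above; the *.bzone and 127/8
# records are reconstructed from that file's comments, not copied from it.
POLICY_ZONE = {
    "nxdomain.domain.com": [("CNAME", ".")],
    "*.nxdomain.domain.com": [("CNAME", ".")],
    "nodata.domain.com": [("CNAME", "*.")],
    "*.nodata.domain.com": [("CNAME", "*.")],
    "bad.domain.com": [("A", "10.0.0.1"), ("AAAA", "2001:2::1")],
    "ok.domain.com": [("CNAME", "rpz-passthru.")],
    "*.bzone.domain.com": [("CNAME", "*.garden.example.com.")],
    rpz_ip_owner("127.0.0.0/8"): [("CNAME", ".")],
    rpz_ip_owner("127.0.0.1/32"): [("CNAME", "rpz-passthru.")],
    rpz_ip_owner("10.1.0.0/16", "rpz-client-ip"): [("CNAME", "rpz-tcp-only.")],
}

if __name__ == "__main__":
    hit = qname_trigger(POLICY_ZONE, "x.bzone.domain.com")
    print(hit[0], apply_policy(hit[1], "x.bzone.domain.com"))
    print(ip_trigger(POLICY_ZONE, ["127.0.0.1"]), ip_trigger(POLICY_ZONE, ["127.0.0.2"]))
```

 The longest-prefix rule in ip_trigger is what lets the 32.1.0.0.127.rpz-ip passthru entry win over a broader 127/8 entry; the same question of which entry wins arises whenever one client or address is whitelisted inside a blacklisted block, so checking a representative address against the model before deploying a feed is a cheap way to catch an inverted rule.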
 RPZ can affect server performance.
 Each configured response policy zone requires the server to
 perform one to four additional database lookups before a
 query can be answered.
 For example, a DNS server with four policy zones, each with all
 four kinds of response triggers, QNAME, IP, NSIP, and
 NSDNAME, requires a total of 17 times as many database
 lookups as a similar DNS server with no response policy zones.
 A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
 response policy zone with QNAME and IP triggers might achieve a
 maximum queries-per-second rate about 20% lower.
 A server with four response policy zones with QNAME and IP
 triggers might have a maximum QPS rate about 50% lower.
 Responses rewritten by RPZ are counted in the
 <span><strong class="command">RPZRewrites</strong></span> statistics.
<a name="id2590091"></a>Response Rate Limiting</h4></div></div></div>
 Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
 can be controlled by configuring a
 <span><strong class="command">rate-limit</strong></span> clause in an
 <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
 This mechanism keeps authoritative BIND 9 from being used
 in amplifying reflection denial of service (DoS) attacks.
 Short truncated (TC=1) responses can be sent to provide
 rate-limited responses to legitimate clients within
 a range of forged, attacked IP addresses.
 Legitimate clients react to dropped or truncated responses
 by retrying with UDP or with TCP respectively.
 This mechanism is intended for authoritative DNS servers.
 It can be used on recursive servers but can slow
 applications such as SMTP servers (mail receivers) and
 HTTP clients (web browsers) that repeatedly request the
 same domains.
 When possible, closing "open" recursive servers is better.
 Response rate limiting uses a "credit" or "token bucket" scheme.
 Each combination of identical response and client
 has a conceptual account that earns a specified number
 of credits every second.
 A prospective response debits its account by one.
 Responses are dropped or truncated
 while the account is negative.
 Responses are tracked within a rolling window of time
 which defaults to 15 seconds, but can be configured with
 the <span><strong class="command">window</strong></span> option to any value from
 1 to 3600 seconds (1 hour).
 The account cannot become more positive than
 the per-second limit
 or more negative than <span><strong class="command">window</strong></span>
 times the per-second limit.
 When the specified number of credits for a class of
 responses is set to 0, those responses are not rate limited.
 The notions of "identical response" and "DNS client"
 for rate limiting are not simplistic.
 All responses to an address block are counted as if to a
 single client.
 The prefix lengths of address blocks are
 specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24)
 and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56).
 All non-empty responses for a valid domain name (qname)
 and record type (qtype) are identical and have a limit specified
 by the base <span><strong class="command">responses-per-second</strong></span> option
 (that is, <span><strong class="command">responses-per-second</strong></span> with only a
 single argument and no additional modifiers).
 The default is 0, which indicates that there should be no limit.
 All empty (NODATA) responses for a valid domain,
 regardless of query type, are identical.
 Responses in the NODATA class are limited by
 <span><strong class="command">nodata-per-second</strong></span>
 (default base <span><strong class="command">responses-per-second</strong></span>).
 Requests for any and all undefined subdomains of a given
 valid domain result in NXDOMAIN errors, and are identical
 regardless of query type.
 They are limited by <span><strong class="command">nxdomain-per-second</strong></span>
 (default base <span><strong class="command">responses-per-second</strong></span>).
 This controls some attacks using random names, but
 can be relaxed or turned off (set to 0)
 on servers that expect many legitimate
 NXDOMAIN responses, such as from anti-spam blacklists.
 Referrals or delegations to the server of a given
 domain are identical and are limited by
 <span><strong class="command">referrals-per-second</strong></span>
 (default base <span><strong class="command">responses-per-second</strong></span>).
 Responses generated from local wildcards are counted and limited
 as if they were for the parent domain name.
 This controls flooding using random.wild.example.com.
 All requests that result in DNS errors other
 than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
 regardless of requested name (qname) or record type (qtype).
 This controls attacks using invalid requests or distant,
 broken authoritative servers.
 By default the limit on errors is the same as the
 default base <span><strong class="command">responses-per-second</strong></span> value,
 but it can be set separately with
 <span><strong class="command">errors-per-second</strong></span>.
 In addition to the base
 <span><strong class="command">responses-per-second</strong></span> value,
 up to four (4) additional
 <span><strong class="command">responses-per-second</strong></span> options can be
 configured, with additional parameters to indicate that
 they apply to responses larger than a given size,
 or with an amplification factor larger than a given
 The <span><strong class="command">size</strong></span> parameter sets the minimum
 DNS response size that will trigger the use of this
 <span><strong class="command">responses-per-second</strong></span> option.
 The <span><strong class="command">ratio</strong></span> parameter sets the minimum
 DNS response-size / request-size ratio that falls into the
 band, to two decimal places.
 These selective rate limits are applied after any other
 rate limits have been applied, and they only apply to
 positive answers. For example:
<pre class="programlisting">rate-limit {
 responses-per-second 10;
 responses-per-second size 1100 5;
};</pre>
 ...indicates that responses should be limited to ten per second
 for responses up to 1099 bytes in size, but only five per second
 for responses larger than that. This configuration:
<pre class="programlisting">rate-limit {
 responses-per-second 10;
 responses-per-second ratio 7.25 5;
 responses-per-second ratio 15.00 2;
};</pre>
 ...indicates that responses should be limited to ten per
 second if the amplification factor is below 7.25, five per
 second if above 7.25 but below 15, and two per second if
 Both sizes and ratios can be used together. For example:
<pre class="programlisting">rate-limit {
 responses-per-second 10;
 responses-per-second size 1000 ratio 5.00 5;
 responses-per-second ratio 10.00 2;
};</pre>
 This configuration will rate-limit to five per second if
 the ratio is over 5 <span class="emphasis"><em>or</em></span> the size is over
 1000, and to two per second if the ratio is over 10. In the
 event that two bands might be chosen (i.e., because the size
 is over 1000 <span class="emphasis"><em>and</em></span> the ratio is over 10),
 the one that appears last in the configuration file is the
 one chosen. To eliminate any ambiguity, it is recommended
 that under normal circumstances, rate limiting bands should
 be configured using either <span><strong class="command">size</strong></span> or
 <span><strong class="command">ratio</strong></span> parameters, but not both.
 Many attacks using DNS involve UDP requests with forged source
 Rate limiting prevents the use of BIND 9 to flood a network
 with responses to requests with forged source addresses,
 but could let a third party block responses to legitimate requests.
 There is a mechanism that can answer some legitimate
 requests from a client whose address is being forged in a flood.
 Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every
 other UDP request to be answered with a small truncated (TC=1)
 The small size and reduced frequency, and so lack of
 amplification, of "slipped" responses make them unattractive
 for reflection DoS attacks.
 <span><strong class="command">slip</strong></span> must be between 0 and 10.
 A value of 0 does not "slip":
 no truncated responses are sent due to rate limiting,
 all responses are dropped.
 A value of 1 causes every response to slip;
 values between 2 and 10 cause every n'th response to slip.
 Some error responses including REFUSED and SERVFAIL
 cannot be replaced with truncated responses and are instead
 leaked at the <span><strong class="command">slip</strong></span> rate.
 (NOTE: Dropped responses from an authoritative server may
 reduce the difficulty of a third party successfully forging
 a response to a recursive resolver. The best security
 against forged responses is for authoritative operators
 to sign their zones using DNSSEC and for resolver operators
 to validate the responses. When this is not an option,
 operators who are more concerned with response integrity
 than with flood mitigation may consider setting
 <span><strong class="command">slip</strong></span> to 1, causing all rate-limited
 responses to be truncated rather than dropped. This reduces
 the effectiveness of rate-limiting against reflection attacks.)
 When the approximate query per second rate exceeds
 the <span><strong class="command">qps-scale</strong></span> value,
 then the <span><strong class="command">responses-per-second</strong></span>,
 <span><strong class="command">errors-per-second</strong></span>,
 <span><strong class="command">nxdomains-per-second</strong></span> and
 <span><strong class="command">all-per-second</strong></span> values are reduced by the
 ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value.
 This feature can tighten defenses during attacks.
 For example, with
 <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and
 a total query rate of 1000 queries/second for all queries from
 all DNS clients including via TCP,
 then the effective responses/second limit changes to
 Responses sent via TCP are not limited
 but are counted to compute the query per second rate.
 The optional <span><strong class="command">domain</strong></span> clause specifies
 the namespace to which rate limits will apply. It
 is possible to use different rate limits for different names
 by specifying multiple <span><strong class="command">rate-limit</strong></span> blocks
 with different <span><strong class="command">domain</strong></span> clauses.
 The <span><strong class="command">rate-limit</strong></span> statement whose
 <span><strong class="command">domain</strong></span> most closely matches the query
 name will be the one applied to a given query.
 Rate limiters for different name spaces maintain
 separate counters: If, for example, there is a
 <span><strong class="command">rate-limit</strong></span> statement for "com" and
 another for "example.com", queries matching "example.com"
 will not be debited against the rate limiter for "com".
 If a <span><strong class="command">rate-limit</strong></span> statement does not specify a
 <span><strong class="command">domain</strong></span>, then it applies to the root domain
 (".") and thus affects the entire DNS namespace, except those
 portions covered by other <span><strong class="command">rate-limit</strong></span>
 statements.
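 The credit scheme described at the start of this section, the <span><strong class="command">slip</strong></span> behaviour, the <span><strong class="command">qps-scale</strong></span> reduction just described and the <span><strong class="command">size</strong></span>/<span><strong class="command">ratio</strong></span> bands above can all be modelled in a short Python program. The following is an added example written for this page, not BIND's rate-limiting code. It assumes that a new account starts with a full credit of <span><strong class="command">responses-per-second</strong></span>, that a response exactly at a size or ratio threshold falls into that band, that a band carrying both <span><strong class="command">size</strong></span> and <span><strong class="command">ratio</strong></span> matches when either threshold is reached (as the text reads the combined form), and that a <span><strong class="command">qps-scale</strong></span> of 0 means no scaling; the addresses and names it is exercised with are constructed.

```python
"""Token-bucket model of BIND 9 response rate limiting. Added example, not
BIND's own rrl code. One account per (client block, identical response),
credits earned per second, one debit per prospective response, clamping to
[-window*rps, +rps], slip handling, qps-scale reduction, and size/ratio bands
where the last matching band in configuration order wins."""
import ipaddress


class RateLimiter:
    def __init__(self, responses_per_second=0, window=15, slip=2,
                 ipv4_prefix_length=24, ipv6_prefix_length=56, qps_scale=0):
        if not 1 <= window <= 3600:
            raise ValueError("window must be 1..3600 seconds")
        if not 0 <= slip <= 10:
            raise ValueError("slip must be 0..10")
        self.rps = responses_per_second          # 0 means "not limited"
        self.window = window
        self.slip = slip
        self.v4len, self.v6len = ipv4_prefix_length, ipv6_prefix_length
        self.qps_scale = qps_scale               # assumption: 0 disables scaling
        self.accounts = {}                       # key -> (credits, last_seen)
        self.limited = {}                        # key -> count of rate-limited responses

    def client_block(self, addr):
        """All addresses in one prefix share a single account."""
        ip = ipaddress.ip_address(addr)
        plen = self.v4len if ip.version == 4 else self.v6len
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def limit_for(self, current_qps):
        """Scale the per-second limit down once the server-wide rate passes qps-scale."""
        if self.qps_scale and current_qps > self.qps_scale:
            return self.rps * self.qps_scale / current_qps
        return self.rps

    def _key(self, client, qname, qtype):
        return (self.client_block(client), qname.lower().rstrip("."), qtype)

    def balance(self, client, qname, qtype):
        """Current credit of an account (None if never seen)."""
        return self.accounts.get(self._key(client, qname, qtype), (None, None))[0]

    def decide(self, client, qname, qtype, now, current_qps=0):
        """Return 'send', 'drop' or 'slip' (small TC=1 reply) for one prospective response."""
        rps = self.limit_for(current_qps)
        if rps == 0:
            return "send"
        key = self._key(client, qname, qtype)
        credits, last = self.accounts.get(key, (rps, now))   # assumption: new accounts start full
        credits = min(rps, credits + (now - last) * rps)      # earn, capped at +rps
        credits = max(credits - 1, -self.window * rps)        # debit, floored at -window*rps
        self.accounts[key] = (credits, now)
        if credits >= 0:
            return "send"
        if self.slip == 0:                                    # never truncate, always drop
            return "drop"
        n = self.limited[key] = self.limited.get(key, 0) + 1
        return "slip" if n % self.slip == 0 else "drop"       # slip 1: every one; n: every n'th


def select_band(base_rps, bands, response_size, request_size):
    """Limit for a positive answer. bands: [(min_size, min_ratio, rps), ...] in
    configuration order, None for an absent parameter. A band matches when its size
    or its ratio threshold is reached, and the last matching band wins.
    Assumption: a value exactly at the threshold matches."""
    ratio = round(response_size / request_size, 2)    # ratios are compared to two decimal places
    rps = base_rps
    for min_size, min_ratio, band_rps in bands:
        size_hit = min_size is not None and response_size >= min_size
        ratio_hit = min_ratio is not None and ratio >= min_ratio
        if size_hit or ratio_hit:
            rps = band_rps
    return rps


if __name__ == "__main__":
    rl = RateLimiter(responses_per_second=10, window=15, slip=2)
    # Constructed burst: twelve identical answers to one /24 in the same second.
    print([rl.decide("192.0.2.10", "example.com", "A", now=0) for _ in range(12)])
    print(RateLimiter(responses_per_second=20, qps_scale=250).limit_for(1000))
```

 Running the burst shows the behaviour the text describes: the first ten responses are sent, then drops and truncated replies alternate at the slip rate, and a second client in the same /24 is charged to the same account. select_band makes the "last band wins" rule explicit, which is why a configuration mixing size and ratio in one band is hard to reason about.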
 Communities of DNS clients can be given their own parameters or no
 rate limiting by putting
 <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
 statements instead of the global <span><strong class="command">option</strong></span>
 A <span><strong class="command">rate-limit</strong></span> statement in a view replaces,
 rather than supplementing, a <span><strong class="command">rate-limit</strong></span>
 statement among the main options.
 DNS clients within a view can be exempted from rate limits
 with the <span><strong class="command">exempt-clients</strong></span> clause.
 UDP responses of all kinds can be limited with the
 <span><strong class="command">all-per-second</strong></span> phrase. This rate
 limiting is unlike the rate limiting provided by
 <span><strong class="command">responses-per-second</strong></span>,
 <span><strong class="command">errors-per-second</strong></span>, and
 <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server
 which are often invisible to the victim of a DNS
 reflection attack. Unless the forged requests of the
 attack are the same as the legitimate requests of the
 victim, the victim's requests are not affected. Responses
 affected by an <span><strong class="command">all-per-second</strong></span> limit
 are always dropped; the <span><strong class="command">slip</strong></span> value
 has no effect. An <span><strong class="command">all-per-second</strong></span>
 limit should be at least 4 times as large as the other
 limits, because single DNS clients often send bursts
 of legitimate requests. For example, the receipt of a
 single mail message can prompt requests from an SMTP
 server for NS, PTR, A, and AAAA records as the incoming
 SMTP/TCP/IP connection is considered. The SMTP server
cfa64348224b66dd1c9979b809406c4d15b1c137fielding can need additional NS, A, AAAA, MX, TXT, and SPF records
cfa64348224b66dd1c9979b809406c4d15b1c137fielding as it considers the SMTP <span><strong class="command">Mail From</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding command. Web browsers often repeatedly resolve the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding same names that are repeated in HTML &lt;IMG&gt; tags
cfa64348224b66dd1c9979b809406c4d15b1c137fielding in a page. <span><strong class="command">All-per-second</strong></span> is similar
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to the rate limiting offered by firewalls but often
cfa64348224b66dd1c9979b809406c4d15b1c137fielding inferior. Attacks that justify ignoring the contents
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of DNS responses are likely to be attacks on the DNS
cfa64348224b66dd1c9979b809406c4d15b1c137fielding server itself. They usually should be discarded before
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the DNS server spends resources making TCP connections
cfa64348224b66dd1c9979b809406c4d15b1c137fielding or parsing DNS requests, but that rate limiting must
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be done before the DNS server sees the requests.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The maximum size of the table used to track requests and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding rate limit responses is set with <span><strong class="command">max-table-size</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each entry in the table is between 40 and 80 bytes.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The table needs approximately as many entries as the number
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of requests received per second.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is 20,000.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To reduce the cold start of growing the table,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">min-table-size</strong></span> (default 500)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding can set the minimum table size.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor
cfa64348224b66dd1c9979b809406c4d15b1c137fielding expansions of the table and inform
cfa64348224b66dd1c9979b809406c4d15b1c137fielding choices for the initial and maximum table size.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters
cfa64348224b66dd1c9979b809406c4d15b1c137fielding without actually dropping any requests.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Responses dropped by rate limits are included in the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statistics.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Responses that are truncated by rate limits are included in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
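A small model of the rate-limit accounting described above (most-specific domain statement, responses-per-second with slip, all-per-second that always drops, log-only). This is an added example, not BIND's own code; the one-second window, the per-qname bucket and the rule that every slip-th excess response is truncated are simplifying assumptions, not taken from the manual.

```python
"""Model of the rate-limit accounting described in the ARM: per-domain
statements, most-specific match, responses-per-second with slip, and
all-per-second (affected responses always dropped, slip ignored).
Added example, not BIND's code: the one-second window, the per-qname
bucket and "every slip-th excess response is truncated" are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class RateLimit:
    """One rate-limit statement; domain "." is the root, i.e. the whole namespace."""
    domain: str = "."
    responses_per_second: int = 0   # 0 = no limit
    all_per_second: int = 0         # 0 = no limit; should be >= 4x the other limits
    slip: int = 2                   # 0 = never truncate, always drop
    log_only: bool = False          # account for limits but never drop
    ipv4_prefix_length: int = 24    # clients are aggregated by netblock
    ipv6_prefix_length: int = 56


def _labels(name):
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _under(qname, domain):
    """True when qname is at or below domain ("." covers everything)."""
    q, d = _labels(qname), _labels(domain)
    return len(q) >= len(d) and q[len(q) - len(d):] == d


class RRLModel:
    def __init__(self, limits):
        self.limits = list(limits)
        self._per_response = defaultdict(int)   # (net, domain, qname, second) -> count
        self._all = defaultdict(int)            # (net, second) -> count
        self.stats = {"RateDropped": 0, "RateSlipped": 0}

    def matching_limit(self, qname):
        """The most specific rate-limit statement covering qname, or None."""
        covering = [lim for lim in self.limits if _under(qname, lim.domain)]
        if not covering:
            return None
        return max(covering, key=lambda lim: len(_labels(lim.domain)))

    def _netblock(self, client, lim):
        addr = ip_address(client)
        plen = lim.ipv4_prefix_length if addr.version == 4 else lim.ipv6_prefix_length
        return str(ip_network(f"{addr}/{plen}", strict=False))

    def decide(self, client, qname, now):
        """Return "respond", "slip" (truncated reply) or "drop" for one UDP response."""
        lim = self.matching_limit(qname)
        if lim is None:
            return "respond"
        net = self._netblock(client, lim)
        second = int(now)
        # all-per-second counts every response to the netblock regardless of
        # its content; responses it catches are always dropped, slip has no effect
        if lim.all_per_second:
            self._all[(net, second)] += 1
            if self._all[(net, second)] > lim.all_per_second:
                return self._account("drop", lim)
        # responses-per-second is debited only against the matching statement,
        # so queries under "example.com" never consume the budget of "com"
        if lim.responses_per_second:
            key = (net, lim.domain, qname.lower().rstrip("."), second)
            self._per_response[key] += 1
            excess = self._per_response[key] - lim.responses_per_second
            if excess > 0:
                if lim.slip and excess % lim.slip == 0:
                    return self._account("slip", lim)
                return self._account("drop", lim)
        return "respond"

    def _account(self, action, lim):
        # log-only still counts what would have happened but answers anyway
        self.stats["RateSlipped" if action == "slip" else "RateDropped"] += 1
        return "respond" if lim.log_only else action
```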
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> nosit-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">server</strong></span> statement defines
cfa64348224b66dd1c9979b809406c4d15b1c137fielding characteristics
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to be associated with a remote name server. If a prefix length is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified, then a range of servers is covered. Only the most
cfa64348224b66dd1c9979b809406c4d15b1c137fielding server clause applies regardless of the order in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">server</strong></span> statement can occur at
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the top level of the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding configuration file or inside a <span><strong class="command">view</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If a <span><strong class="command">view</strong></span> statement contains
cfa64348224b66dd1c9979b809406c4d15b1c137fielding one or more <span><strong class="command">server</strong></span> statements, only
cfa64348224b66dd1c9979b809406c4d15b1c137fielding apply to the view and any top-level ones are ignored.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If a view contains no <span><strong class="command">server</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding statements,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding any top-level <span><strong class="command">server</strong></span> statements are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If you discover that a remote server is giving out bad data,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding marking it as bogus will prevent further queries to it. The
cfa64348224b66dd1c9979b809406c4d15b1c137fielding value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">provide-ixfr</strong></span> clause determines
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the local server, acting as master, will respond with an
cfa64348224b66dd1c9979b809406c4d15b1c137fielding incremental
cfa64348224b66dd1c9979b809406c4d15b1c137fielding zone transfer when the given remote server, a slave, requests it.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If set to <span><strong class="command">yes</strong></span>, incremental transfer
cfa64348224b66dd1c9979b809406c4d15b1c137fielding will be provided
cfa64348224b66dd1c9979b809406c4d15b1c137fielding whenever possible. If set to <span><strong class="command">no</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding all transfers
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to the remote server will be non-incremental. If not set, the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of the <span><strong class="command">provide-ixfr</strong></span> option in the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding global options block is used as a default.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">request-ixfr</strong></span> clause determines
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the local server, acting as a slave, will request incremental zone
cfa64348224b66dd1c9979b809406c4d15b1c137fielding transfers from the given remote server, a master. If not set, the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding value of the <span><strong class="command">request-ixfr</strong></span> option in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the view or global options block is used as a default. It may
cfa64348224b66dd1c9979b809406c4d15b1c137fielding also be set in the zone block and, if set there, it will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding override the global or view setting for that zone.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IXFR requests to servers that do not support IXFR will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding automatically
cfa64348224b66dd1c9979b809406c4d15b1c137fielding fall back to AXFR. Therefore, there is no need to manually list
cfa64348224b66dd1c9979b809406c4d15b1c137fielding which servers support IXFR and which ones do not; the global
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of <span><strong class="command">yes</strong></span> should always work.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">request-ixfr</strong></span> clauses is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to make it possible to disable the use of IXFR even when both
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and slave claim to support it, for example if one of the servers
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is buggy and crashes or corrupts data when IXFR is used.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">edns</strong></span> clause determines whether
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the local server will attempt to use EDNS when communicating
cfa64348224b66dd1c9979b809406c4d15b1c137fielding with the remote server. The default is <span><strong class="command">yes</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
cfa64348224b66dd1c9979b809406c4d15b1c137fielding that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Valid values are 512 to 4096 bytes (values outside this range will be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding silently adjusted to the nearest value within it). This option is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding useful when you wish to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding advertise a different value to this server than the value you
cfa64348224b66dd1c9979b809406c4d15b1c137fielding advertise globally, for example, when there is a firewall at the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding remote site that is blocking large replies.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">max-udp-size</strong></span> option sets the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid
cfa64348224b66dd1c9979b809406c4d15b1c137fielding values are 512 to 4096 bytes (values outside this range will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be silently adjusted). This option is useful when you
cfa64348224b66dd1c9979b809406c4d15b1c137fielding know that there is a firewall that is blocking large
cfa64348224b66dd1c9979b809406c4d15b1c137fielding replies from <span><strong class="command">named</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">nosit-udp-size</strong></span> option sets the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding maximum size of UDP responses that will be sent to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding queries without a valid source identity token. The
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-udp-size</strong></span> option may further limit
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the response size.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
cfa64348224b66dd1c9979b809406c4d15b1c137fielding as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding 4.9.5. You can specify which method
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If <span><strong class="command">transfer-format</strong></span> is not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified, the <span><strong class="command">transfer-format</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding by the <span><strong class="command">options</strong></span> statement will be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<p><span><strong class="command">transfers</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is used to limit the number of concurrent inbound zone
cfa64348224b66dd1c9979b809406c4d15b1c137fielding transfers from the specified server. If no
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfers</strong></span> clause is specified, the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding limit is set according to the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfers-per-ns</strong></span> option.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">keys</strong></span> clause identifies a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding when talking to the remote server.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding When a request is sent to the remote server, a request signature
cfa64348224b66dd1c9979b809406c4d15b1c137fielding will be generated using the key specified here and appended to the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding message. A request originating from the remote server is not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to be signed by this key.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Although the grammar of the <span><strong class="command">keys</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding allows for multiple keys, only a single key per server is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">transfer-source</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfer-source-v6</strong></span> clauses specify
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the IPv4 and IPv6 source
cfa64348224b66dd1c9979b809406c4d15b1c137fielding address to be used for zone transfer with the remote server,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding respectively.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be specified.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Similarly, for an IPv6 remote server, only
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfer-source-v6</strong></span> can be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding For more details, see the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfer-source</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">transfer-source-v6</strong></span> in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">notify-source</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">notify-source-v6</strong></span> clauses specify the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv4 and IPv6 source address to be used for notify
cfa64348224b66dd1c9979b809406c4d15b1c137fielding messages sent to remote servers, respectively. For an
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding can be specified. Similarly, for an IPv6 remote server,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only <span><strong class="command">notify-source-v6</strong></span> can be specified.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">query-source</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">query-source-v6</strong></span> clauses specify the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding IPv4 and IPv6 source address to be used for queries
cfa64348224b66dd1c9979b809406c4d15b1c137fielding sent to remote servers, respectively. For an IPv4
cfa64348224b66dd1c9979b809406c4d15b1c137fielding remote server, only <span><strong class="command">query-source</strong></span> can
cfa64348224b66dd1c9979b809406c4d15b1c137fielding be specified. Similarly, for an IPv6 remote server,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only <span><strong class="command">query-source-v6</strong></span> can be specified.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ inet ( ip_addr | * ) [ port ip_port ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [ inet ...; ]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2591642"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The <span><strong class="command">statistics-channels</strong></span> statement
cfa64348224b66dd1c9979b809406c4d15b1c137fielding declares communication channels to be used by system
cfa64348224b66dd1c9979b809406c4d15b1c137fielding administrators to get access to statistics information of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the name server.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This statement is intended to be flexible enough to support multiple
cfa64348224b66dd1c9979b809406c4d15b1c137fielding communication protocols in the future, but currently only
cfa64348224b66dd1c9979b809406c4d15b1c137fielding HTTP access is supported.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It requires that BIND 9 be compiled with libxml2 and/or
cfa64348224b66dd1c9979b809406c4d15b1c137fielding json-c (also known as libjson0); the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">statistics-channels</strong></span> statement is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding still accepted even if it is built without the library,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding but any HTTP access will fail with an error.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding An <span><strong class="command">inet</strong></span> control channel is a TCP socket
cfa64348224b66dd1c9979b809406c4d15b1c137fielding listening at the specified <span><strong class="command">ip_port</strong></span> on the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
cfa64348224b66dd1c9979b809406c4d15b1c137fielding address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (asterisk) is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding interpreted as the IPv4 wildcard address; connections will be
cfa64348224b66dd1c9979b809406c4d15b1c137fielding accepted on any of the system's IPv4 addresses.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding To listen on the IPv6 wildcard address,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If no port is specified, port 80 is used for HTTP channels.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The asterisk "<code class="literal">*</code>" cannot be used for
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">ip_port</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Attempts to open a statistics channel are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding restricted by the optional <span><strong class="command">allow</strong></span> clause.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Connections to the statistics channel are permitted based on the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">address_match_list</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If no <span><strong class="command">allow</strong></span> clause is present,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> accepts connection
cfa64348224b66dd1c9979b809406c4d15b1c137fielding attempts from any address; since the statistics may
cfa64348224b66dd1c9979b809406c4d15b1c137fielding contain sensitive internal information, it is highly
cfa64348224b66dd1c9979b809406c4d15b1c137fielding recommended to restrict the source of connection requests
cfa64348224b66dd1c9979b809406c4d15b1c137fielding appropriately.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If no <span><strong class="command">statistics-channels</strong></span> statement is present,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">named</strong></span> will not open any communication channels.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The statistics are available in various formats and views
cfa64348224b66dd1c9979b809406c4d15b1c137fielding depending on the URI used to access them. For example, if
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the statistics channel is configured to listen on 127.0.0.1
cfa64348224b66dd1c9979b809406c4d15b1c137fielding port 8888, then the statistics are accessible in XML format at
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding included which can format the XML statistics into tables
cfa64348224b66dd1c9979b809406c4d15b1c137fielding when viewed with a stylesheet-capable browser, and into
cfa64348224b66dd1c9979b809406c4d15b1c137fielding charts and graphs using the Google Charts API when using a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding JavaScript-capable browser.
Applications that depend on a particular XML schema
can request
<a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
of the statistics XML schema or
<a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
If the requested schema is supported by the server, then
it will respond; if not, it will return a "page not found"
error.
Broken-out subsets of the statistics can be viewed at
<a href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a>
(server uptime and last reconfiguration time),
<a href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a>
(server and resolver statistics),
<a href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a>
(zone statistics),
<a href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a>
(network status and socket statistics),
<a href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a>
(memory manager statistics),
<a href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a>
(task manager statistics).
The full set of statistics can also be read in JSON format at
<a href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>,
with the broken-out subsets at
<a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
(server uptime and last reconfiguration time),
<a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
(server and resolver statistics),
<a href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a>
(zone statistics),
<a href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a>
(network status and socket statistics),
<a href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a>
(memory manager statistics),
<a href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a>
(task manager statistics).
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
    <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
    [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
};
</pre>
<a name="id2591923"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
The <span><strong class="command">trusted-keys</strong></span> statement defines
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
public key for a non-authoritative zone is known, but
cannot be securely obtained through DNS, either because
it is the DNS root zone or because its parent zone is
unsigned. Once a key has been configured as a trusted
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
All keys (and corresponding zones) listed in
<span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
of what parent zones say. Similarly, for all keys listed in
<span><strong class="command">trusted-keys</strong></span>, only those keys are
used to validate the DNSKEY RRset. The parent's DS RRset
will not be used.
The <span><strong class="command">trusted-keys</strong></span> statement can contain
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
Spaces, tabs, newlines and carriage returns are ignored
in the key data, so the configuration may be split up into
multiple lines.
<span><strong class="command">trusted-keys</strong></span> may be set at the top level
of <code class="filename">named.conf</code> or within a view. If it is
set in both places, they are additive: keys defined at the top
level are inherited by all views, but keys defined in a view
are only used within that view.
<a name="id2591970"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
    <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
    [<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
};
</pre>
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
The <span><strong class="command">managed-keys</strong></span> statement, like
<span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
security roots. The difference is that
<span><strong class="command">managed-keys</strong></span> can be kept up to date
automatically, without intervention from the resolver operator.
Suppose, for example, that a zone's key-signing
key was compromised, and the zone owner had to revoke and
replace the key. A resolver which had the old key in a
<span><strong class="command">trusted-keys</strong></span> statement would be
unable to validate this zone any longer; it would
reply with a SERVFAIL response code. This would
continue until the resolver operator had updated the
<span><strong class="command">trusted-keys</strong></span> statement with the new key.
If, however, the zone were listed in a
<span><strong class="command">managed-keys</strong></span> statement instead, then the
zone owner could add a "stand-by" key to the zone in advance.
<span><strong class="command">named</strong></span> would store the stand-by key, and
when the original key was revoked, <span><strong class="command">named</strong></span>
would be able to transition smoothly to the new key. It would
also recognize that the old key had been revoked, and cease
using that key to validate answers, minimizing the damage that
the compromised key could do.
A <span><strong class="command">managed-keys</strong></span> statement contains a list of
the keys to be managed, along with information about how the
keys are to be initialized for the first time. The only
initialization method currently supported (as of
<acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
This means the <span><strong class="command">managed-keys</strong></span> statement must
contain a copy of the initializing key. (Future releases may
allow keys to be initialized by other methods, eliminating this
requirement.)
Consequently, a <span><strong class="command">managed-keys</strong></span> statement
appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
in the presence of the second field, containing the keyword
<code class="literal">initial-key</code>. The difference is, whereas the
keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
trusted until they are removed from
<code class="filename">named.conf</code>, an initializing key listed
in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
<span class="emphasis"><em>once</em></span>: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
process.
The first time <span><strong class="command">named</strong></span> runs with a managed key
configured in <code class="filename">named.conf</code>, it fetches the
DNSKEY RRset directly from the zone apex, and validates it
using the key specified in the <span><strong class="command">managed-keys</strong></span>
statement. If the DNSKEY RRset is validly signed, then it is
used as the basis for a new managed keys database.
From that point on, whenever <span><strong class="command">named</strong></span> runs, it
sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
make sure RFC 5011 key maintenance has already been initialized
for the specified domain, and if so, it simply moves on. The
key specified in the <span><strong class="command">managed-keys</strong></span> is not
used to validate answers; it has been superseded by the key or
keys stored in the managed keys database.
The next time <span><strong class="command">named</strong></span> runs after a name
has been <span class="emphasis"><em>removed</em></span> from the
<span><strong class="command">managed-keys</strong></span> statement, the corresponding
zone will be removed from the managed keys database,
and RFC 5011 key maintenance will no longer be used for that
domain.
<span><strong class="command">named</strong></span> only maintains a single managed keys
database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
<span><strong class="command">managed-keys</strong></span> may only be set at the top
level of <code class="filename">named.conf</code>, not within a view.
In the current implementation, the managed keys database is
stored as a master-format zone file called
<code class="filename">managed-keys.bind</code>. When the key database
is changed, the zone is updated. As with any other dynamic
zone, changes will be written into a journal file,
<code class="filename">managed-keys.bind.jnl</code>. They are committed
to the master file as soon as possible afterward; in the case
of the managed key database, this will usually occur within 30
seconds. So, whenever <span><strong class="command">named</strong></span> is using
automatic key maintenance, those two files can be expected to
exist in the working directory. (For this reason among others,
the working directory should always be writable by
<span><strong class="command">named</strong></span>.)
If the <span><strong class="command">dnssec-validation</strong></span> option is
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
will automatically initialize a managed key for the
root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span>
option is set to <strong class="userinput"><code>auto</code></strong>,
<span><strong class="command">named</strong></span> will automatically initialize
a managed key for the zone <code class="literal">dlv.isc.org</code>.
In both cases, the key that is used to initialize the key
maintenance process is built into <span><strong class="command">named</strong></span>,
and can be overridden from <span><strong class="command">bindkeys-file</strong></span>.
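A trusted-keys key is trusted unconditionally until it is removed, and a managed-keys initial-key is trusted once to bootstrap RFC 5011, so a mistyped or stale key silently turns every answer under that security root into SERVFAIL. The following is an added example, not code from the BIND ARM or from named: it parses both statement forms described above (including key data split across lines), rebuilds the DNSKEY RDATA, and derives the key tag and SHA-256 DS digest so the configured anchor can be compared with the published one. The zone name, the key bytes and the "//"-only comment handling are assumptions made for the example.

```python
# Added example (not code from the BIND ARM): parse trusted-keys and
# managed-keys entries from a named.conf fragment, normalise the whitespace
# that may be embedded in the Base-64 key data, and derive the DNSKEY key tag
# (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) so that a configured
# security root can be checked against the published trust anchor before it
# is trusted.  The zone name and key material below are constructed.
import base64
import hashlib
import re
import shlex
from dataclasses import dataclass


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case labels, no compression."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class TrustAnchor:
    name: str        # owner name as written in named.conf
    flags: int       # DNSKEY flags: 257 = ZONE + SEP (a KSK), 256 = ZSK
    protocol: int    # always 3 for DNSKEY (RFC 4034)
    algorithm: int   # DNSSEC algorithm number, e.g. 8 = RSASHA256
    pubkey: bytes    # decoded key material

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (the algorithm-1 special case is omitted)."""
        ac = 0
        for i, octet in enumerate(self.rdata()):
            ac += octet if i & 1 else octet << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_sha256(self) -> str:
        """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
        return hashlib.sha256(canonical_name(self.name) + self.rdata()).hexdigest()


# Matches a whole trusted-keys or managed-keys statement up to its closing "};".
_STATEMENT = re.compile(r"\b(trusted-keys|managed-keys)\s*\{(.*?)\};", re.S)


def parse_key_statements(conf: str) -> dict:
    """Return {"trusted-keys": [TrustAnchor...], "managed-keys": [TrustAnchor...]}.

    Assumption: comments in the fragment are "//" lines on their own.  Key data
    may span several lines, as the ARM allows: spaces, tabs, newlines and
    carriage returns inside it are ignored.
    """
    found = {"trusted-keys": [], "managed-keys": []}
    text = "\n".join(ln for ln in conf.splitlines() if not ln.lstrip().startswith("//"))
    for stmt, body in _STATEMENT.findall(text):
        for entry in body.split(";"):
            tokens = shlex.split(entry)          # quoted key data stays one token
            if not tokens:
                continue
            name = tokens.pop(0)
            if stmt == "managed-keys":           # grammar: name initial-key ...
                if not tokens or tokens.pop(0) != "initial-key":
                    raise ValueError(f"{name}: managed-keys entry needs initial-key")
            if len(tokens) != 4:
                raise ValueError(f"{name}: expected flags protocol algorithm key-data")
            flags, protocol, algorithm = (int(t) for t in tokens[:3])
            if protocol != 3:
                raise ValueError(f"{name}: DNSKEY protocol must be 3, got {protocol}")
            key_b64 = re.sub(r"\s+", "", tokens[3])
            pubkey = base64.b64decode(key_b64, validate=True)
            found[stmt].append(TrustAnchor(name, flags, protocol, algorithm, pubkey))
    return found


def verify_anchor(anchor: TrustAnchor, expected_key_tag: int, expected_ds: str) -> list:
    """Problems found when comparing a configured anchor with the published DS."""
    problems = []
    if not anchor.flags & 0x0100:
        problems.append("ZONE flag (256) not set: not a zone key")
    if anchor.key_tag() != expected_key_tag:
        problems.append(f"key tag {anchor.key_tag()} != expected {expected_key_tag}")
    if anchor.ds_sha256() != expected_ds.lower():
        problems.append("SHA-256 DS digest does not match the published DS")
    return problems


# Constructed sample: a tiny fake key split across lines, as named.conf allows.
SAMPLE_CONF = """
// constructed fragment, not a real trust anchor
trusted-keys {
    example.test. 257 3 8 "AQID
                           BA==";
};
managed-keys {
    example.test. initial-key 257 3 8 "AQIDBA==";
};
"""

if __name__ == "__main__":
    for stmt, entries in parse_key_statements(SAMPLE_CONF).items():
        for anchor in entries:
            print(f"{stmt}: {anchor.name} tag={anchor.key_tag()} ds={anchor.ds_sha256()}")
```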
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
      [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
      match-clients { <em class="replaceable"><code>address_match_list</code></em> };
      match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
      match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
      [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
      [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
};
</pre>
<a name="id2592411"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">view</strong></span> statement is a powerful feature
of <acronym class="acronym">BIND</acronym> 9 that lets a name server
answer a DNS query differently
depending on who is asking. It is particularly useful for
implementing
split DNS setups without having to run multiple servers.
Each <span><strong class="command">view</strong></span> statement defines a view of the
DNS namespace that will be seen by a subset of clients. A client
matches a view if its source IP address matches the
<code class="varname">address_match_list</code> of the view's
<span><strong class="command">match-clients</strong></span> clause and its
destination IP address matches
the <code class="varname">address_match_list</code> of the
<span><strong class="command">match-destinations</strong></span> clause. If not
specified, both
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
default to matching all addresses. In addition to checking IP addresses,
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
can also take <span><strong class="command">keys</strong></span> which provide a
mechanism for the
client to select the view. A view can also be specified
as <span><strong class="command">match-recursive-only</strong></span>, which
means that only recursive
requests from matching clients will match that view.
The order of the <span><strong class="command">view</strong></span> statements is
significant —
a client request will be resolved in the context of the first
<span><strong class="command">view</strong></span> that it matches.
Zones defined within a <span><strong class="command">view</strong></span>
statement will
only be accessible to clients that match the <span><strong class="command">view</strong></span>.
By defining a zone of the same name in multiple views, different
zone data can be given to different clients, for example, "internal"
and "external" clients in a split DNS setup.
Many of the options given in the <span><strong class="command">options</strong></span> statement
can also be used within a <span><strong class="command">view</strong></span>
statement, and then
apply only when resolving queries with that view. When no
view-specific
value is given, the value in the <span><strong class="command">options</strong></span> statement
is used as a default. Also, zone options can have default values
in the <span><strong class="command">view</strong></span> statement; these
view-specific defaults
take precedence over those in the <span><strong class="command">options</strong></span> statement.
Views are class specific. If no class is given, class IN
is assumed. Note that all non-IN views must contain a hint zone,
since only the IN class has compiled-in default hints.
If there are no <span><strong class="command">view</strong></span> statements in the
configuration file, a default view that matches any client is automatically
created in class IN. Any <span><strong class="command">zone</strong></span> statements
specified on
the top level of the configuration file are considered to be part of
this default view, and the <span><strong class="command">options</strong></span>
statement will
apply to the default view. If any explicit <span><strong class="command">view</strong></span>
statements are present, all <span><strong class="command">zone</strong></span>
statements must
occur inside <span><strong class="command">view</strong></span> statements.
Here is an example of a typical split DNS setup implemented
using <span><strong class="command">view</strong></span> statements:
<pre class="programlisting">view "internal" {
      // This should match our internal networks.
      match-clients { 10.0.0.0/8; };

      // Provide recursive service to internal
      // clients only.
      recursion yes;

      // Provide a complete view of the example.com
      // zone including addresses of internal hosts.
      zone "example.com" {
            type master;
            file "example-internal.db";
      };
};

view "external" {
      // Match all clients not matched by the
      // previous view.
      match-clients { any; };

      // Refuse recursive service to external clients.
      recursion no;

      // Provide a restricted view of the example.com
      // zone containing only publicly accessible hosts.
      zone "example.com" {
           type master;
           file "example-external.db";
      };
};
</pre>
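Because a request is resolved in the first view it matches, swapping the two views above would send every client, internal ones included, to the "external" view and silently lose recursion for the internal network. The following is an added example, not code from the BIND ARM or from named: a small model of view selection (match-clients, match-destinations, match-recursive-only, the default view, and address_match_list negation) plus a check that flags views shadowed by an earlier catch-all. View names and addresses are constructed; "localhost" and "localnets" elements and key-based matching are not modelled.

```python
# Added example (not code from the BIND ARM): a model of how named picks a
# view for a query, so the first-match rule and the effect of statement order
# can be checked before a configuration is deployed.  Views and addresses are
# constructed; "localhost"/"localnets" and TSIG key elements are not modelled.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    match_clients: list = field(default_factory=lambda: ["any"])       # default: all
    match_destinations: list = field(default_factory=lambda: ["any"])  # default: all
    match_recursive_only: bool = False


def matches(address_match_list: list, addr: str) -> bool:
    """address_match_list semantics: the first element that matches decides,
    and a leading "!" on that element means the address does NOT match."""
    ip = ipaddress.ip_address(addr)
    for element in address_match_list:
        negate = element.startswith("!")
        pattern = element.lstrip("!").strip()
        if pattern == "any":
            hit = True
        elif pattern == "none":
            hit = False
        else:
            # IPv4 addresses never fall inside IPv6 prefixes and vice versa.
            hit = ip in ipaddress.ip_network(pattern, strict=False)
        if hit:
            return not negate
    return False


def select_view(views: list[View], client: str, destination: str,
                recursion_desired: bool) -> View | None:
    """Order is significant: the first view whose clauses all match is used.
    With no view statements at all, named creates a default view that
    matches any client.  None means no view matched (named would refuse)."""
    if not views:
        return View("_default")
    for view in views:
        if view.match_recursive_only and not recursion_desired:
            continue
        if matches(view.match_clients, client) and matches(view.match_destinations, destination):
            return view
    return None


def is_catch_all(view: View) -> bool:
    """A view whose lists both start with an un-negated "any" and that is not
    restricted to recursive queries matches every request."""
    return (not view.match_recursive_only
            and view.match_clients[:1] == ["any"]
            and view.match_destinations[:1] == ["any"])


def shadowed_views(views: list[View]) -> list[str]:
    """Names of views that can never be selected because an earlier view
    already matches every client and destination."""
    for i, view in enumerate(views):
        if is_catch_all(view):
            return [v.name for v in views[i + 1:]]
    return []


# Constructed split-DNS configuration mirroring the ARM's example: the internal
# view must come first, because the external view's "any" matches everyone.
SPLIT_DNS = [
    View("internal", match_clients=["10.0.0.0/8"]),
    View("external", match_clients=["any"]),
]

if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.9"):
        chosen = select_view(SPLIT_DNS, client, "10.0.0.53", True)
        print(f"{client} -> {chosen.name}")
    print("shadowed if the order is reversed:", shadowed_views(list(reversed(SPLIT_DNS))))
```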
<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> Statement Grammar
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
    type master;
    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
        [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
    [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding type slave;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding file <em class="replaceable"><code>string</code></em> ;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding type static-stub;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding type forward;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding type redirect;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding file <em class="replaceable"><code>string</code></em> ;
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding type delegation-only;
cfa64348224b66dd1c9979b809406c4d15b1c137fieldingzone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
cfa64348224b66dd1c9979b809406c4d15b1c137fielding [<span class="optional"> in-view <em class="replaceable"><code>string</code></em> ; </span>]
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2594496"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2594503"></a>Zone Types</h4></div></div></div>
The server has a master copy of the data for the zone and will be able to provide authoritative answers for

A slave zone is a replica of a master zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. Masters list elements can also be names of other masters lists. By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be done with per-server TSIG keys. If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this file on a server restart. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth. Note that for large numbers (in the tens or hundreds of thousands) of zones per server, it is best to use a two-level naming scheme for zone filenames. For example, a slave server for the zone <code class="literal">example.com</code> might place the zone contents into a file called <code class="filename">ex/example.com</code>, where <code class="filename">ex/</code> is just the first two letters of the zone name. (Most operating systems behave very slowly if you put 100000 files into a single directory.)
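The two-level filename scheme and the per-server port and TSIG key syntax of a masters list, as an added Python example that is not part of the BIND ARM: the zone names, addresses, key name and the <code>slaves</code> base directory are constructed, and the zone-name check is an extra defensive step (assumed, not something the ARM prescribes) so that a hostile zone name cannot escape the two-level directory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Plain hostname-style labels only; this keeps a crafted zone name such as
# "../etc/passwd" from escaping the two-level directory built below.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


@dataclass
class Master:
    """One entry of a masters list: address, optional port, optional TSIG key.
    The key name refers to a key statement defined elsewhere in named.conf."""
    ip: str
    port: Optional[int] = None
    key: Optional[str] = None

    def render(self) -> str:
        parts = [self.ip]
        if self.port is not None:
            parts.append(f"port {self.port}")
        if self.key is not None:
            parts.append(f"key {self.key}")
        return " ".join(parts) + ";"


def normalize_zone_name(zone: str) -> str:
    """Lower-case the name, drop a trailing dot and reject anything that is
    not a sequence of ordinary labels (underscore labels are rejected too)."""
    name = zone.rstrip(".").lower()
    if not name or len(name) > 253:
        raise ValueError(f"bad zone name: {zone!r}")
    for label in name.split("."):
        if len(label) > 63 or not _LABEL_RE.match(label):
            raise ValueError(f"bad label in zone name: {zone!r}")
    return name


def two_level_path(zone: str, base: str = "slaves") -> str:
    """Return base/<first two characters>/<zone>, the layout the ARM suggests
    for servers carrying tens or hundreds of thousands of zones."""
    name = normalize_zone_name(zone)
    return f"{base}/{name[:2]}/{name}"


def slave_zone_statement(zone: str, masters: List[Master],
                         base: str = "slaves") -> str:
    """Render a slave zone statement that keeps its replica on disk and
    fetches the zone from the given masters."""
    if not masters:
        raise ValueError("a slave zone needs at least one master")
    name = normalize_zone_name(zone)
    masters_clause = " ".join(m.render() for m in masters)
    return "\n".join([
        f'zone "{name}" {{',
        "    type slave;",
        f'    file "{two_level_path(name, base)}";',
        f"    masters {{ {masters_clause} }};",
        "};",
    ])


if __name__ == "__main__":
    # Constructed sample: one master reached on a non-default port with a
    # TSIG key, one plain master on port 53.
    print(slave_zone_statement("Example.COM.", [
        Master("192.0.2.1", port=5353, key="xfer-key"),
        Master("192.0.2.2"),
    ]))
```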
A stub zone is similar to a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS; they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.

Stub zones can be used to eliminate the need for glue in a parent zone at the expense of maintaining a stub zone entry and a set of name server addresses in <code class="filename">named.conf</code>. This usage is not recommended for new configurations, and <acronym class="acronym">BIND</acronym> 9 supports it only in a limited way. In <acronym class="acronym">BIND</acronym> 4/8, zone transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users could get away with configuring child stubs only in the master server for the parent zone. <acronym class="acronym">BIND</acronym> 9 never mixes together zone data from different zones in this way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent zone has child stub zones configured, all the slave servers for the parent zone also need to have the same child stub configured.

Stub zones can also be used as a way of forcing the resolution of a given domain to use a particular set of authoritative servers. For example, the caching name servers on a private network using RFC1918 addressing may be configured with stub zones to use a set of internal name servers as the authoritative servers for that domain.

A static-stub zone is similar to a stub zone with the following exceptions:
the zone data is statically configured, rather than transferred from a master server;
when recursion is necessary for a query that
cfa64348224b66dd1c9979b809406c4d15b1c137fielding matches a static-stub zone, the locally
cfa64348224b66dd1c9979b809406c4d15b1c137fielding configured data (nameserver names and glue addresses)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is always used even if different authoritative
cfa64348224b66dd1c9979b809406c4d15b1c137fielding information is cached.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Zone data is configured via the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">server-addresses</strong></span> and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">server-names</strong></span> zone options.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The zone data is maintained in the form of NS
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and (if necessary) glue A or AAAA RRs
cfa64348224b66dd1c9979b809406c4d15b1c137fielding internally, which can be seen by dumping zone
cfa64348224b66dd1c9979b809406c4d15b1c137fielding databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The configured RRs are considered local configuration
cfa64348224b66dd1c9979b809406c4d15b1c137fielding parameters rather than public data.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Non recursive queries (i.e., those with the RD
cfa64348224b66dd1c9979b809406c4d15b1c137fielding bit off) to a static-stub zone are therefore
cfa64348224b66dd1c9979b809406c4d15b1c137fielding prohibited and will be responded with REFUSED.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Since the data is statically configured, no
cfa64348224b66dd1c9979b809406c4d15b1c137fielding zone maintenance action takes place for a static-stub
cfa64348224b66dd1c9979b809406c4d15b1c137fielding For example, there is no periodic refresh
cfa64348224b66dd1c9979b809406c4d15b1c137fielding attempt, and an incoming notify message
cfa64348224b66dd1c9979b809406c4d15b1c137fielding will be rejected with an rcode of NOTAUTH.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Each static-stub zone is configured with
cfa64348224b66dd1c9979b809406c4d15b1c137fielding internally generated NS and (if necessary)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding glue A or AAAA RRs
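As an added illustration (not code from BIND or the ARM), the following Python models what the static-stub description above says <span><strong class="command">named</strong></span> does: it derives the internal NS and glue RRs from <span><strong class="command">server-addresses</strong></span> and <span><strong class="command">server-names</strong></span> (using the ARM's example.com, 192.0.2.1 and 2001:db8::1234 values), refuses queries with the RD bit off, and rejects NOTIFY with NOTAUTH. The named.conf fragment in its docstring, the function names and the shape of the message dictionary are assumptions of the example.

```python
"""Model of a BIND static-stub zone's internally generated data and of the
query handling the ARM describes. Added illustration, not code from BIND.

Constructed named.conf fragment this models (not from the page):
    zone "example.com" {
        type static-stub;
        server-addresses { 192.0.2.1; 2001:db8::1234; };
    };
"""
import ipaddress


def static_stub_rrs(zone, server_addresses=(), server_names=()):
    """Build the NS and glue RRs that server-addresses / server-names imply.

    server-addresses yields one apex NS RR naming the zone itself plus a glue
    A or AAAA RR per address; server-names yields NS RRs for those names and
    no glue."""
    apex = zone.lower().rstrip(".") + "."
    rrs = []
    if server_addresses:
        rrs.append((apex, "NS", apex))
        for addr in server_addresses:
            ip = ipaddress.ip_address(addr)          # rejects malformed addresses
            rrs.append((apex, "AAAA" if ip.version == 6 else "A", ip.compressed))
    for name in server_names:
        rrs.append((apex, "NS", name.lower().rstrip(".") + "."))
    return rrs


def handle_static_stub_message(msg, configured_rrs):
    """Decide what named does with a message that falls under a static-stub zone.

    msg is a dict with "opcode" ("QUERY" or "NOTIFY") and "rd" (the RD bit).
    Returns (rcode or action, addresses used for recursion)."""
    if msg.get("opcode") == "NOTIFY":
        return "NOTAUTH", []        # no zone maintenance: notifies are rejected
    if not msg.get("rd", False):
        return "REFUSED", []        # the configured RRs are not public data
    # Recursion: the locally configured glue is used even if the cache holds
    # a different delegation for the zone, so only configured_rrs is consulted.
    servers = [rdata for _, rtype, rdata in configured_rrs if rtype in ("A", "AAAA")]
    return "RECURSE", servers


if __name__ == "__main__":
    rrs = static_stub_rrs("example.com", ["192.0.2.1", "2001:db8::1234"])
    for owner, rtype, rdata in rrs:
        print(f"{owner} {rtype} {rdata}")
    print(handle_static_stub_message({"opcode": "QUERY", "rd": False}, rrs))
    print(handle_static_stub_message({"opcode": "NOTIFY", "rd": False}, rrs))
    print(handle_static_stub_message({"opcode": "QUERY", "rd": True}, rrs))
```

Running it prints the three RRs the ARM describes for example.com and then the REFUSED, NOTAUTH and recursion outcomes; the real server's version of this data can be inspected with <span><strong class="command">rndc dumpdb -all</strong></span>.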
A "forward zone" is a way to configure
forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
of type <span><strong class="command">forward</strong></span> can
contain a <span><strong class="command">forward</strong></span>
and/or <span><strong class="command">forwarders</strong></span> statement,
which will apply to queries within the domain given by the zone
name. If no <span><strong class="command">forwarders</strong></span>
statement is present or
an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
forwarding will be done for the domain, canceling the effects of
any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
if you want to use this type of zone to change the behavior of the
global <span><strong class="command">forward</strong></span> option
(that is, "forward first" to "forward only", or vice versa, but want to
use the same servers as set globally) you need to re-specify the
global forwarders.
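As an added example (not BIND code), this Python script parses a constructed named.conf fragment covering only the statements discussed here and works out, for a query name, which forwarders and which forward mode apply. It shows the cases above: a forward zone with its own forwarders, an empty <span><strong class="command">forwarders</strong></span> list that cancels the global forwarders for that domain, and a zone that changes the mode without re-specifying the global forwarders, which likewise ends up with no forwarding. The parser handles only this subset of the syntax, and the inheritance of the global forward mode by a zone that does not set one is an assumption of the model.

```python
"""Per-domain forwarding as the ARM describes it: a tiny parser for a subset
of named.conf plus a lookup of the forwarders and mode that apply to a name.
Added illustration, not code from BIND."""
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = """
options {
    forward first;
    forwarders { 192.0.2.53; 192.0.2.54; };
};
zone "corp.example" {
    type forward;
    forward only;                 // own mode and own forwarders
    forwarders { 10.0.0.53; };
};
zone "internal.corp.example" {
    type forward;
    forwarders { };               /* empty list: cancels forwarding here */
};
zone "example.net" {
    type forward;
    forward only;                 # no forwarders statement at all
};
"""

def _tokenize(text):
    """Drop the three named.conf comment styles and split into tokens."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def _parse_block(tokens, i):
    """Parse until the matching '}'. A statement becomes a list of its words;
    a nested '{ ... }' becomes a nested list of statements."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return stmts, i + 1
        if tok == "{":
            sub, i = _parse_block(tokens, i + 1)
            cur.append(sub)
            continue
        if tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
        i += 1
    raise ValueError("unbalanced braces")

def _policy(body, default_mode):
    """Return (zone type, forward mode, forwarders or None if not stated)."""
    ztype, mode, fwd = None, default_mode, None
    for st in body:
        if st[0] == "type":
            ztype = st[1]
        elif st[0] == "forward":
            mode = st[1]
        elif st[0] == "forwarders":
            fwd = [addr[0] for addr in st[1]]
    return ztype, mode, fwd

def parse_forwarding(conf):
    """Return the global policy and a {zone name: policy} map of forward zones."""
    stmts, _ = _parse_block(_tokenize(conf) + ["}"], 0)
    glob = {"mode": "first", "forwarders": []}
    for st in stmts:
        if st[0] == "options":
            _, mode, fwd = _policy(st[-1], "first")
            glob = {"mode": mode, "forwarders": fwd or []}
    zones = {}
    for st in stmts:
        if st[0] == "zone":
            # Assumption: a forward zone without its own forward option
            # inherits the global mode.
            ztype, mode, fwd = _policy(st[-1], glob["mode"])
            if ztype == "forward":
                zones[st[1].lower().rstrip(".")] = {"mode": mode, "forwarders": fwd}
    return glob, zones

def effective_forwarding(conf, qname):
    """Return {"mode", "forwarders"} for qname, or None when nothing is forwarded."""
    glob, zones = parse_forwarding(conf)
    labels = qname.lower().rstrip(".").split(".")
    for k in range(len(labels) + 1):          # most specific enclosing zone first
        zone = zones.get(".".join(labels[k:]))
        if zone is not None:
            # No forwarders statement, or an empty one, cancels the global list.
            return zone if zone["forwarders"] else None
    return glob if glob["forwarders"] else None

if __name__ == "__main__":
    for name in ("www.corp.example", "db.internal.corp.example",
                 "www.example.net", "www.example.org"):
        print(f"{name:26} -> {effective_forwarding(SAMPLE_CONF, name)}")
```

A check like this is useful when reviewing a resolver configuration for leaks: names under a domain that was meant to stay on internal forwarders, or to be resolved only internally, should come back with the expected forwarder list rather than the global one.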
The initial set of root name servers is
specified using a "hint zone". When the server starts up, it uses
the root hints to find a root name server and get the most recent
list of root name servers. If no hint zone is specified for class
IN, the server uses a compiled-in default set of root server hints.
Classes other than IN have no built-in default hints.
Redirect zones are used to provide answers to
queries when normal resolution would result in
NXDOMAIN being returned.
Only one redirect zone is supported
per view. <span><strong class="command">allow-query</strong></span> can be
used to restrict which clients see these answers.
If the client has requested DNSSEC records (DO=1) and
the NXDOMAIN response is signed, then no substitution
will occur.
To redirect all NXDOMAIN responses to
100.100.100.2 and
2001:ffff:ffff::100.100.100.2, one would
configure a type redirect zone named ".",
with the zone file containing wildcard records
that point to the desired addresses:
<code class="literal">"*. IN A 100.100.100.2"</code> and
<code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
To redirect all Spanish names (under .ES) one
would use similar entries but with the names
"*.ES." instead of "*.". To redirect all
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
Note that the redirect zone supports all
possible types; it is not limited to A and
AAAA records.
Because redirect zones are not referenced
directly by name, they are not kept in the
zone lookup table with normal master and slave
zones. Consequently, it is not currently possible
to use <span><strong class="command">rndc reload
<em class="replaceable"><code>zonename</code></em></strong></span>
to reload a redirect zone. However, when using
<span><strong class="command">rndc reload</strong></span> without specifying
a zone name, redirect zones will be reloaded along
with other zones.
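The substitution rule above, as an added Python model (not BIND code): the most specific wildcard owner in the redirect zone is chosen for a query name, substitution is done only for NXDOMAIN results and only for clients the <span><strong class="command">allow-query</strong></span> ACL permits, and a DNSSEC-signed NXDOMAIN is left alone when the client set DO=1. The "*." addresses are the ARM's own example; the "*.es." and "*.com.es." entries, the 192.0.2.x addresses and the TXT record are constructed for the example.

```python
"""Model of when a BIND redirect zone substitutes an answer for NXDOMAIN.
Added illustration, not code from BIND."""

# Constructed redirect zone contents: owner -> {rrtype: [rdata]}. The "*."
# addresses come from the ARM's example; the rest are made up. Owners are
# kept lowercase because DNS name matching is case-insensitive.
REDIRECT_ZONE = {
    "*.": {"A": ["100.100.100.2"], "AAAA": ["2001:ffff:ffff::100.100.100.2"]},
    "*.es.": {"A": ["192.0.2.10"]},
    "*.com.es.": {"A": ["192.0.2.20"], "TXT": ['"redirected"']},
}


def _fqdn(name):
    """Lowercase, single trailing dot; the root is "."."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."


def matching_wildcard(qname, zone=REDIRECT_ZONE):
    """Return the most specific wildcard owner in the zone that encloses qname."""
    labels = _fqdn(qname).rstrip(".").split(".")
    # Drop the leftmost label, then try "*." + each remaining suffix, longest
    # suffix first, so "*.com.es." wins over "*.es." which wins over "*.".
    for k in range(1, len(labels) + 1):
        suffix = ".".join(labels[k:])
        owner = ("*." + suffix + ".") if suffix else "*."
        if owner in zone:
            return owner
    return None


def redirect_answer(qname, qtype, rcode, do_bit=False, nxdomain_signed=False,
                    client_allowed=True, zone=REDIRECT_ZONE):
    """Apply redirect-zone logic to the result of normal resolution.

    Returns (rcode, answer RRs). RRs are (owner, type, rdata) with the
    wildcard owner replaced by the query name, as wildcard synthesis does."""
    if rcode != "NXDOMAIN" or not client_allowed:
        return rcode, []                      # only NXDOMAIN is ever redirected
    if do_bit and nxdomain_signed:
        return "NXDOMAIN", []                 # keep the signed denial for validators
    owner = matching_wildcard(qname, zone)
    if owner is None:
        return "NXDOMAIN", []
    rdatas = zone[owner].get(qtype.upper(), [])   # any type, not just A/AAAA
    return "NOERROR", [(_fqdn(qname), qtype.upper(), r) for r in rdatas]


if __name__ == "__main__":
    print(redirect_answer("typo.example", "A", "NXDOMAIN"))
    print(redirect_answer("www.foo.com.es", "A", "NXDOMAIN"))
    print(redirect_answer("typo.example", "A", "NXDOMAIN", do_bit=True,
                          nxdomain_signed=True))
```

The DO=1 branch is the one worth keeping in mind operationally: a validating stub behind this resolver will not see redirected answers for signed names, so a redirect zone cannot be relied on as a control for such clients.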
This is used to enforce the delegation-only
status of infrastructure zones (e.g. COM,
NET, ORG). Any answer that is received
without an explicit or implicit delegation
in the authority section will be treated
as NXDOMAIN. This does not apply to the
zone apex. This should not be applied to
leaf zones.
<code class="varname">delegation-only</code> has no
effect on answers received from forwarders.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
<a name="id2595111"></a>Class</h4></div></div></div>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>)
is assumed. This is correct for the vast majority of cases.
The <code class="literal">hesiod</code> class is
named for an information service from MIT's Project Athena. It
is used to share information about various systems databases, such
as users, groups, printers and so on. The keyword
<code class="literal">HS</code> is a synonym for hesiod.
Another MIT development is Chaosnet, a LAN protocol created
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<a name="id2595144"></a>Zone Options</h4></div></div></div>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of <span><strong class="command">allow-transfer</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of <span><strong class="command">allow-update</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Specifies a "Simple Secure Update" policy. See
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of <span><strong class="command">allow-update-forwarding</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Only meaningful if <span><strong class="command">notify</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding active for this zone. The set of machines that will
cfa64348224b66dd1c9979b809406c4d15b1c137fielding for this zone is made up of all the listed name servers
cfa64348224b66dd1c9979b809406c4d15b1c137fielding (other than
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the primary master) for the zone plus any IP addresses
cfa64348224b66dd1c9979b809406c4d15b1c137fielding with <span><strong class="command">also-notify</strong></span>. A port
cfa64348224b66dd1c9979b809406c4d15b1c137fielding may be specified
cfa64348224b66dd1c9979b809406c4d15b1c137fielding with each <span><strong class="command">also-notify</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding address to send the notify
cfa64348224b66dd1c9979b809406c4d15b1c137fielding messages to a port other than the default of 53.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding A TSIG key may also be specified to cause the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <code class="literal">NOTIFY</code> to be signed by the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">also-notify</strong></span> is not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding meaningful for stub zones.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is the empty list.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This option is used to restrict the character set and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding certain domain names in master files and/or DNS responses
cfa64348224b66dd1c9979b809406c4d15b1c137fielding received from the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding zones the default is <span><strong class="command">warn</strong></span>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It is not implemented for <span><strong class="command">hint</strong></span> zones.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Usage”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Specify the type of database to be used for storing the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding zone data. The string following the <span><strong class="command">database</strong></span> keyword
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is interpreted as a list of whitespace-delimited words.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The first word
cfa64348224b66dd1c9979b809406c4d15b1c137fielding identifies the database type, and any subsequent words are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding as arguments to the database to be interpreted in a way
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to the database type.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
cfa64348224b66dd1c9979b809406c4d15b1c137fielding native in-memory
cfa64348224b66dd1c9979b809406c4d15b1c137fielding red-black-tree database. This database does not take
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Other values are possible if additional database drivers
cfa64348224b66dd1c9979b809406c4d15b1c137fielding have been linked into the server. Some sample drivers are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding with the distribution but none are linked in by default.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The flag only applies to forward, hint and stub
cfa64348224b66dd1c9979b809406c4d15b1c137fielding zones. If set to <strong class="userinput"><code>yes</code></strong>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding then the zone will also be treated as if it is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding also a delegation-only type zone.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Only meaningful if the zone has a forwarders
cfa64348224b66dd1c9979b809406c4d15b1c137fielding list. The <span><strong class="command">only</strong></span> value causes
cfa64348224b66dd1c9979b809406c4d15b1c137fielding the lookup to fail
cfa64348224b66dd1c9979b809406c4d15b1c137fielding after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
cfa64348224b66dd1c9979b809406c4d15b1c137fielding allow a normal lookup to be tried.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Used to override the list of global forwarders.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
cfa64348224b66dd1c9979b809406c4d15b1c137fielding no forwarding is done for the zone and the global options are
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Was used in <acronym class="acronym">BIND</acronym> 8 to
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specify the name
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of the transaction log (journal) file for dynamic update
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <acronym class="acronym">BIND</acronym> 9 ignores the option
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and constructs the name of the journal
cfa64348224b66dd1c9979b809406c4d15b1c137fielding file by appending "<code class="filename">.jnl</code>"
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to the name of the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Ignored in <acronym class="acronym">BIND</acronym> 9.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Allow the default journal's filename to be overridden.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding See the description of
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
See the description of
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
See the description of
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
See the description of
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
See the description of
<span><strong class="command">notify-to-soa</strong></span> in
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
In <acronym class="acronym">BIND</acronym> 8, this option was
intended for specifying
a public zone key for verification of signatures in DNSSEC
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
on load and ignores the option.
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, the server will keep
statistical
information for this zone, which can be dumped to the
<span><strong class="command">statistics-file</strong></span> defined in
the server options.
<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
Only meaningful for static-stub zones.
This is a list of IP addresses to which queries
should be sent in recursive resolution for the
A non-empty list for this option will internally
configure the apex NS RR with associated glue A or
For example, if "example.com" is configured as a
static-stub zone with 192.0.2.1 and 2001:db8::1234
in a <span><strong class="command">server-addresses</strong></span> option,
the following RRs will be internally configured.
<pre class="programlisting">example.com. NS example.com.
</pre>
These records are internally used to resolve
names under the static-stub zone.
For instance, if the server receives a query for
"www.example.com" with the RD bit on, the server
will initiate recursive resolution and send
<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
Only meaningful for static-stub zones.
This is a list of domain names of nameservers that
act as authoritative servers of the static-stub
These names will be resolved to IP addresses when
<span><strong class="command">named</strong></span> needs to send queries to
these servers.
To make this supplemental resolution successful,
these names must not be a subdomain of the origin
name of the static-stub zone.
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
<span><strong class="command">server-names</strong></span> option, but
"ns.example.net" cannot, and will be rejected by
the configuration parser.
A non-empty list for this option will internally
configure the apex NS RR with the specified names.
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
in a <span><strong class="command">server-names</strong></span> option,
the following RRs will be internally configured.
<pre class="programlisting">example.com. NS ns1.example.net.
</pre>
These records are internally used to resolve
names under the static-stub zone.
For instance, if the server receives a query for
"www.example.com" with the RD bit on, the server
initiates recursive resolution,
"ns2.example.net" to IP addresses, and then sends
queries to (one or more of) these addresses.
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
See the description of
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
See the description of
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
See the description of
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
See the description of
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
See the description of
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
See the description of
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
See the description of
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
See the description of
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See the description of
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
See the description of
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
See the description of
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
See the description of
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
(Note that the <span><strong class="command">ixfr-from-differences</strong></span>
<strong class="userinput"><code>master</code></strong> and
<strong class="userinput"><code>slave</code></strong> choices are not
available at the zone level.)
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
See the description of
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
Usage”</a>.
<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
Zones configured for dynamic DNS may also use this
option to allow varying levels of automatic DNSSEC key
management. There are three possible settings:
<span><strong class="command">auto-dnssec allow;</strong></span> permits
keys to be updated and the zone fully re-signed
whenever the user issues the command <span><strong class="command">rndc sign
<em class="replaceable"><code>zonename</code></em></strong></span>.
<span><strong class="command">auto-dnssec maintain;</strong></span> includes the
above, but also automatically adjusts the zone's DNSSEC
keys on schedule, according to the keys' timing metadata
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<em class="replaceable"><code>zonename</code></em></strong></span> causes
<span><strong class="command">named</strong></span> to load keys from the key
repository and sign the zone with all keys that are
<em class="replaceable"><code>zonename</code></em></strong></span> causes
<span><strong class="command">named</strong></span> to load keys from the key
repository and schedule key maintenance events to occur
in the future, but it does not sign the full zone
immediately. (Note: once keys have been loaded for a
zone the first time, the repository will be searched
for changes periodically, regardless of whether
<span><strong class="command">rndc loadkeys</strong></span> is used. The recheck
interval is defined by
<span><strong class="command">dnssec-loadkeys-interval</strong></span>.)
The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
Zones configured for dynamic DNS may use this
option to set the update method that will be used for
the zone serial number in the SOA record.
With the default setting of
<span><strong class="command">serial-update-method increment;</strong></span>, the
SOA serial number will be incremented by one each time
the zone is updated.
When set to
<span><strong class="command">serial-update-method unixtime;</strong></span>, the
SOA serial number will be set to the number of seconds
since the UNIX epoch, unless the serial number is
already greater than or equal to that value, in which
case it is simply incremented by one.
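To make the two serial-update-method behaviours concrete, here is an added example, written for this page rather than taken from BIND's source: a Python model of both methods applied to a constructed sequence of update timestamps, so that the edge case the paragraph describes (a serial already at or above the current UNIX time) is visible. The starting serials and timestamps are constructed sample values; treating the serial as a 32-bit field that wraps modulo 2^32 is an assumption of this model, since the manual does not say how named handles the wrap.

```python
# Added example (not BIND's own code): the "increment" and "unixtime"
# serial-update-method behaviours applied to a sequence of dynamic updates.
# Starting serials and timestamps are constructed sample data.
from typing import List, Sequence

# The SOA serial is a 32-bit unsigned field; wrapping modulo 2^32 on
# increment is this model's assumption, not behaviour stated in the manual.
SERIAL_MODULUS = 1 << 32


def next_serial(current: int, method: str, now: int) -> int:
    """Return the serial written after one update, given the current one."""
    if method == "increment":
        # Default method: always the previous serial plus one.
        return (current + 1) % SERIAL_MODULUS
    if method == "unixtime":
        # Use seconds since the UNIX epoch, unless the serial is already
        # >= that value (several updates within one second, a clock that
        # stepped backwards, or a date-style serial such as 2024010100 that
        # is numerically above the epoch time); then fall back to a plain
        # increment so the serial still moves forward and slaves notice.
        if current >= now:
            return (current + 1) % SERIAL_MODULUS
        return now % SERIAL_MODULUS
    raise ValueError("unknown serial-update-method: " + method)


def serial_history(start: int, method: str,
                   update_times: Sequence[int]) -> List[int]:
    """Serial after each update in update_times, starting from start."""
    history, serial = [], start
    for t in update_times:
        serial = next_serial(serial, method, t)
        history.append(serial)
    return history


# Constructed sample: four updates, two within the same second, then one
# after the clock stepped back by a second, then one five seconds later.
UPDATE_TIMES = [1700000000, 1700000000, 1699999999, 1700000005]

if __name__ == "__main__":
    print("increment from 2024010100:", serial_history(2024010100, "increment", UPDATE_TIMES))
    print("unixtime  from 1699990000:", serial_history(1699990000, "unixtime", UPDATE_TIMES))
    # A date-style serial above the epoch time never "catches up": unixtime
    # degrades to increment-by-one until the clock passes the serial.
    print("unixtime  from 2024010100:", serial_history(2024010100, "unixtime", UPDATE_TIMES))
```

The third run is the case worth knowing before switching an existing zone from a YYYYMMDDnn serial to unixtime: because the current serial exceeds the epoch time, every update takes the fallback branch and the serial simply increments, which is still monotonic and still correct for slaves, but is not the timestamp an operator might expect to see.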
<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt>
Allows "bump in the wire" signing of a zone, where an
unsigned zone is transferred in or loaded from
disk and a signed version of the zone is served,
possibly with a different serial number. This
behaviour is disabled by default.
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
See the description of <span><strong class="command">multi-master</strong></span> in
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
See the description of <span><strong class="command">masterfile-format</strong></span>
in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt>
See the description of <span><strong class="command">max-zone-ttl</strong></span>
in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
Usage”</a>.
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
See the description of
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
methods of granting clients the right to perform
dynamic updates to a zone, configured by the
<span><strong class="command">allow-update</strong></span> and
<span><strong class="command">update-policy</strong></span> options, respectively.
The <span><strong class="command">allow-update</strong></span> clause works the
same way as in previous versions of <acronym class="acronym">BIND</acronym>.
It grants given clients the permission to update any
record of any name in the zone.
The <span><strong class="command">update-policy</strong></span> clause
allows more fine-grained control over what updates are
allowed. A set of rules is specified, where each rule
either grants or denies permissions for one or more
names to be updated by one or more identities. If
the dynamic update request message is signed (that is,
it includes either a TSIG or SIG(0) record), the
identity of the signer can be determined.
Rules are specified in the <span><strong class="command">update-policy</strong></span>
zone option, and are only meaningful for master zones.
When the <span><strong class="command">update-policy</strong></span> statement
is present, it is a configuration error for the
<span><strong class="command">allow-update</strong></span> statement to be
present. The <span><strong class="command">update-policy</strong></span> statement
only examines the signer of a message; the source
address is not relevant.
There is a pre-defined <span><strong class="command">update-policy</strong></span>
rule which can be switched on with the command
<span><strong class="command">update-policy local;</strong></span>.
Switching on this rule in a zone causes
<span><strong class="command">named</strong></span> to generate a TSIG session
key and place it in a file, and to allow that key
to update the zone. (By default, the file is
<code class="filename">/var/run/named/session.key</code>, the key
name is "local-ddns" and the key algorithm is HMAC-SHA256,
but these values are configurable with the
<span><strong class="command">session-keyfile</strong></span>,
<span><strong class="command">session-keyname</strong></span> and
<span><strong class="command">session-keyalg</strong></span> options, respectively).
A client running on the local system, and with appropriate
permissions, may read that file and use the key to sign update
requests. The zone's update policy will be set to allow that
key to change any record within the zone. Assuming the
key name is "local-ddns", this policy is equivalent to:
<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
</pre>
The command <span><strong class="command">nsupdate -l</strong></span> sends update
requests to localhost, and signs them using the session key.
Other rule definitions look like this:
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
Each rule grants or denies privileges. Once a message has
successfully matched a rule, the operation is immediately
granted or denied and no further rules are examined. A rule
is matched when the signer matches the identity field, the
name matches the name field in accordance with the nametype
field, and the type matches the types specified in the type
No signer is required for <em class="replaceable"><code>tcp-self</code></em>
or <em class="replaceable"><code>6to4-self</code></em>; however, the standard
reverse mapping / prefix conversion must match the identity
The identity field specifies a name or a wildcard
name. Normally, this is the name of the TSIG or
SIG(0) key used to sign the update request. When a
TKEY exchange has been used to create a shared secret,
the identity of the shared secret is the same as the
identity of the key used to authenticate the TKEY
exchange. TKEY is also the negotiation method used
by GSS-TSIG, which establishes an identity that is
the Kerberos principal of the client, such as
<strong class="userinput"><code>"user@host.domain"</code></strong>. When the
<em class="replaceable"><code>identity</code></em> field specifies
a wildcard name, it is subject to DNS wildcard
expansion, so the rule will apply to multiple identities.
The <em class="replaceable"><code>identity</code></em> field must
contain a fully-qualified domain name.
For nametypes <code class="varname">krb5-self</code>,
<code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
<em class="replaceable"><code>identity</code></em> field specifies
the Windows or Kerberos realm that the machine belongs to.
The <em class="replaceable"><code>nametype</code></em> field has 13
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
<code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
<code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
<code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
<code class="varname">zonesub</code>, and <code class="varname">external</code>.
Exact-match semantics. This rule matches
when the name being updated is identical
to the contents of the
<em class="replaceable"><code>name</code></em> field.
This rule matches when the name being updated
is a subdomain of, or identical to, the
contents of the <em class="replaceable"><code>name</code></em>
This rule is similar to subdomain, except that
it matches when the name being updated is a
subdomain of the zone in which the
<span><strong class="command">update-policy</strong></span> statement
appears. This obviates the need to type the zone
name twice, and enables the use of a standard
<span><strong class="command">update-policy</strong></span> statement in
multiple zones without modification.
When this rule is used, the
<em class="replaceable"><code>name</code></em> field is omitted.
The <em class="replaceable"><code>name</code></em> field
is subject to DNS wildcard expansion, and
this rule matches when the name being updated
is a valid expansion of the wildcard.
This rule matches when the name being updated
matches the contents of the
<em class="replaceable"><code>identity</code></em> field.
The <em class="replaceable"><code>name</code></em> field
is ignored, but should be the same as the
<em class="replaceable"><code>identity</code></em> field.
This is most useful when using one key per
name to update, where the key has the same
name as the name to be updated. The
<em class="replaceable"><code>identity</code></em> would
be specified as <code class="constant">*</code> (an asterisk) in
This rule is similar to <code class="varname">self</code>
except that subdomains of <code class="varname">self</code>
can also be updated.
This rule is similar to <code class="varname">self</code>
except that only subdomains of
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
converts it to machine.realm, allowing the machine
to update machine.realm. The REALM to be matched
is specified in the <em class="replaceable"><code>identity</code></em>
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
converts it to machine.realm, allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
<em class="replaceable"><code>identity</code></em> field.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This rule takes a Kerberos machine principal
cfa64348224b66dd1c9979b809406c4d15b1c137fielding and converts it machine.realm allowing the machine
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to update machine.realm. The REALM to be matched
cfa64348224b66dd1c9979b809406c4d15b1c137fielding is specified in the <em class="replaceable"><code>identity</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This rule takes a Kerberos machine principal
cfa64348224b66dd1c9979b809406c4d15b1c137fielding converts it to machine.realm allowing the machine
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to update subdomains of machine.realm. The REALM
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to be matched is specified in the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <em class="replaceable"><code>identity</code></em> field.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Allow updates that have been sent via TCP and
cfa64348224b66dd1c9979b809406c4d15b1c137fielding for which the standard mapping from the initiating
cfa64348224b66dd1c9979b809406c4d15b1c137fielding namespaces match the name to be updated.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It is theoretically possible to spoof these TCP
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Allow the 6to4 prefix to be update by any TCP
cfa64348224b66dd1c9979b809406c4d15b1c137fielding connection from the 6to4 network or from the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding corresponding IPv4 address. This is intended
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to allow NS or DNAME RRsets to be added to the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding reverse tree.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
cfa64348224b66dd1c9979b809406c4d15b1c137fielding It is theoretically possible to spoof these TCP
cfa64348224b66dd1c9979b809406c4d15b1c137fielding This rule allows <span><strong class="command">named</strong></span>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding to defer the decision of whether to allow a
cfa64348224b66dd1c9979b809406c4d15b1c137fielding given update to an external daemon.
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The method of communicating with the daemon is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding specified in the <em class="replaceable"><code>identity</code></em>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding field, the format of which is
cfa64348224b66dd1c9979b809406c4d15b1c137fielding "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
cfa64348224b66dd1c9979b809406c4d15b1c137fielding where <em class="replaceable"><code>path</code></em> is the location
cfa64348224b66dd1c9979b809406c4d15b1c137fielding of a UNIX-domain socket. (Currently, "local" is the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding only supported mechanism.)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Requests to the external daemon are sent over the
cfa64348224b66dd1c9979b809406c4d15b1c137fielding UNIX-domain socket as datagrams with the following
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Protocol version number (4 bytes, network byte order, currently 1)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Request length (4 bytes, network byte order)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Signer (null-terminated string)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Name (null-terminated string)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding TCP source address (null-terminated string)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Rdata type (null-terminated string)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Key (null-terminated string)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding TKEY token length (4 bytes, network byte order)
cfa64348224b66dd1c9979b809406c4d15b1c137fielding TKEY token (remainder of packet)</pre>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding The daemon replies with a four-byte value in
cfa64348224b66dd1c9979b809406c4d15b1c137fielding network byte order, containing either 0 or 1; 0
cfa64348224b66dd1c9979b809406c4d15b1c137fielding indicates that the specified update is not
cfa64348224b66dd1c9979b809406c4d15b1c137fielding permitted, and 1 indicates that it is.
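<p>The receiving side of this exchange, as an added Python example that is not part of the BIND manual or of <span><strong class="command">named</strong></span>: it decodes one request in the format listed above, applies a sample policy, and returns the four-byte verdict. Two details are assumptions to check against the <span><strong class="command">named</strong></span> version in use: that the request-length field counts the bytes after the eight-byte header, and that <span><strong class="command">named</strong></span> connects over a stream-style UNIX socket and sends one request per connection. The policy in <code class="function">decide()</code> (the signer may change only its own name, and only A, AAAA or TXT records) is constructed for illustration.</p>

```python
import os
import socket
import struct
from dataclasses import dataclass

PROTOCOL_VERSION = 1
HEADER = struct.Struct("!II")          # version, request length (network byte order)
PERMIT, DENY = struct.pack("!I", 1), struct.pack("!I", 0)


@dataclass
class UpdateRequest:
    signer: str        # TSIG/SIG(0) signer name, empty if the update was unsigned
    name: str          # name being updated
    tcp_source: str    # TCP source address, empty when the update came over UDP
    rdata_type: str    # record type being changed, e.g. "A"
    key: str           # key name from the update-policy rule
    tkey_token: bytes  # GSS-TSIG token, usually empty


def _cstring(buf: bytes, pos: int):
    """Read one NUL-terminated string at pos; ValueError if it is unterminated."""
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("ascii"), end + 1


def encode_request(req: UpdateRequest) -> bytes:
    """Build a request in the wire layout above (used here to exercise the decoder)."""
    body = b"".join(
        f.encode("ascii") + b"\0"
        for f in (req.signer, req.name, req.tcp_source, req.rdata_type, req.key)
    )
    body += struct.pack("!I", len(req.tkey_token)) + req.tkey_token
    # Assumption: the length field counts the bytes that follow the 8-byte header.
    return HEADER.pack(PROTOCOL_VERSION, len(body)) + body


def decode_request(msg: bytes) -> UpdateRequest:
    """Parse one request; every malformed case raises ValueError so the caller can deny."""
    if len(msg) < HEADER.size:
        raise ValueError("short header")
    version, length = HEADER.unpack_from(msg)
    if version != PROTOCOL_VERSION:
        raise ValueError(f"unsupported protocol version {version}")
    body = msg[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match payload")
    pos, fields = 0, []
    for _ in range(5):                     # signer, name, tcp source, rdata type, key
        value, pos = _cstring(body, pos)
        fields.append(value)
    if len(body) < pos + 4:
        raise ValueError("missing TKEY token length")
    (toklen,) = struct.unpack_from("!I", body, pos)
    pos += 4
    if pos + toklen != len(body):          # token must be exactly the remainder
        raise ValueError("TKEY token length does not match remainder")
    return UpdateRequest(*fields, body[pos:])


def _canon(name: str) -> str:
    return name.rstrip(".").lower()


def decide(req: UpdateRequest) -> bool:
    """Sample policy (constructed, not BIND's): a signed update may touch only
    the signer's own name, and only address or TXT records."""
    if not req.signer:
        return False
    return (_canon(req.signer) == _canon(req.name)
            and req.rdata_type.upper() in {"A", "AAAA", "TXT"})


def handle_message(msg: bytes) -> bytes:
    """Map one request to the 4-byte reply named expects: 1 permits, 0 denies.
    Anything the decoder rejects is denied instead of crashing the daemon."""
    try:
        req = decode_request(msg)
    except ValueError:
        return DENY
    return PERMIT if decide(req) else DENY


def serve(path: str) -> None:
    """Answer requests on the socket named by "local:<path>" in the rule.
    Assumption: one request per connection on a stream-style UNIX socket."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)              # only named's user/group should reach the policy socket
        srv.listen()
        while True:
            conn, _ = srv.accept()
            with conn:
                msg = b""                  # read header, then the number of bytes it announces
                while len(msg) < HEADER.size or len(msg) < HEADER.size + HEADER.unpack_from(msg)[1]:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    msg += chunk
                conn.sendall(handle_message(msg))


if __name__ == "__main__":
    import sys
    serve(sys.argv[1] if len(sys.argv) > 1 else "/tmp/update-policy.sock")  # placeholder path
```

<p>Malformed input (wrong version, length mismatch, unterminated string, token overrun) is answered with 0 rather than an exception, so a misbehaving client cannot take the policy daemon down, and nothing is ever granted by default. The socket path passed to <code class="function">serve()</code> is the <em class="replaceable"><code>path</code></em> from the rule's <code class="constant">local:</code> identity.</p>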
<p>
In all cases, the <em class="replaceable"><code>name</code></em>
field must specify a fully-qualified domain name.</p>
<p>
If no types are explicitly specified, this rule matches
all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
may be specified by name, including "ANY" (ANY matches
all types except NSEC and NSEC3, which can never be
updated). Note that when an attempt is made to delete
all records associated with a name, the rules are
checked for each existing record type.</p>
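<p>The name matching and type matching described above, as an added stand-alone Python illustration (constructed here; not BIND's implementation): the helpers decide whether one grant rule applies to one proposed change, including the default type exclusions and the ANY case. The rule keywords used (self, selfsub, selfwild, name, subdomain, zonesub, wildcard) are assumed to be BIND's; the Kerberos, TCP and external rule types are not modelled.</p>

```python
from typing import Iterable, List, Optional

# From the text above: a rule with no explicit types skips these ...
DEFAULT_EXCLUDED = frozenset({"RRSIG", "NS", "SOA", "NSEC", "NSEC3"})
# ... and these can never be updated, even through "ANY".
NEVER_UPDATABLE = frozenset({"NSEC", "NSEC3"})


def labels(name: str) -> List[str]:
    """Lower-cased labels, root end first: "a.b.example." -> ["example", "b", "a"]."""
    return [label.lower() for label in name.rstrip(".").split(".") if label][::-1]


def same_name(a: str, b: str) -> bool:
    return labels(a) == labels(b)


def is_below(name: str, parent: str) -> bool:
    """True when name is a proper subdomain of parent."""
    n, p = labels(name), labels(parent)
    return len(n) > len(p) and n[: len(p)] == p


def wildcard_matches(pattern: str, name: str) -> bool:
    """DNS wildcard expansion: "*.dhcp.example." matches any name below
    dhcp.example. (one or more labels replace the "*"), not dhcp.example. itself."""
    p = labels(pattern)
    if not p or p[-1] != "*":
        return same_name(pattern, name)
    return is_below(name, ".".join(reversed(p[:-1])) + ".")


def identity_matches(identity: str, signer: str) -> bool:
    """The identity field names the signer; "*" accepts any signer."""
    return identity == "*" or same_name(identity, signer)


def name_rule_matches(rule: str, identity: str, name_field: str, zone: str,
                      signer: str, target: str) -> bool:
    """rule is the update-policy name type (assumed BIND keywords, see lead-in)."""
    if not identity_matches(identity, signer):
        return False
    if rule == "self":
        return same_name(target, signer)
    if rule == "selfsub":
        return same_name(target, signer) or is_below(target, signer)
    if rule == "selfwild":
        return is_below(target, signer)
    if rule == "name":
        return same_name(target, name_field)
    if rule == "subdomain":
        return same_name(target, name_field) or is_below(target, name_field)
    if rule == "zonesub":                  # name field omitted; the enclosing zone is the base
        return same_name(target, zone) or is_below(target, zone)
    if rule == "wildcard":
        return wildcard_matches(name_field, target)
    raise ValueError(f"rule type not handled in this example: {rule}")


def type_allowed(rtype: str, rule_types: Optional[Iterable[str]]) -> bool:
    """Apply the type list of a rule, or the documented default when it has none."""
    t = rtype.upper()
    if t in NEVER_UPDATABLE:
        return False
    listed = {x.upper() for x in (rule_types or ())}
    if not listed:
        return t not in DEFAULT_EXCLUDED
    return "ANY" in listed or t in listed


def update_permitted(rule: str, identity: str, name_field: str,
                     rule_types: Optional[Iterable[str]], zone: str,
                     signer: str, target: str, rtype: str) -> bool:
    """One grant rule applied to one proposed change (signer, target name, type)."""
    return (name_rule_matches(rule, identity, name_field, zone, signer, target)
            and type_allowed(rtype, rule_types))
```

<p>Note how a deletion of every record at a name is handled in the text above: the rule is evaluated once per existing type, so <code class="function">type_allowed()</code> would be consulted for each of them, and a default-typed rule still refuses to remove the NS or SOA records.</p>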
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598066"></a>Multiple views</h4></div></div></div>
<p>
When multiple views are in use, a zone may be
referenced by more than one of them. Often, the views
will contain different zones with the same name, allowing
different clients to receive different answers for the same
queries. At times, however, it is desirable for multiple
views to contain identical zones. The
<span><strong class="command">in-view</strong></span> zone option provides an efficient
way to do this: it allows a view to reference a zone that
was defined in a previously configured view. Example:
</p>
<pre class="programlisting">
view internal {
    match-clients { 10/8; };

    zone "ZONE-NAME" {          // placeholder: the same zone name is used in both views
        type master;
        // the zone's remaining options (its file, etc.) are omitted here
    };
};

view external {
    match-clients { any; };

    zone "ZONE-NAME" {
        in-view internal;
    };
};
</pre>
<p>
An <span><strong class="command">in-view</strong></span> option cannot refer to a view
that is configured later in the configuration file.
</p>
<p>
A <span><strong class="command">zone</strong></span> statement which uses the
<span><strong class="command">in-view</strong></span> option may not use any other
options with the exception of <span><strong class="command">forward</strong></span>
and <span><strong class="command">forwarders</strong></span>. (These options control
the behavior of the containing view, rather than changing
the zone object itself.)
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2598107"></a>Zone File</h2></div></div></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
<p>
This section, largely borrowed from RFC 1034, describes the
concept of a Resource Record (RR) and explains when each is used.
Since the publication of RFC 1034, several new RRs have been
identified and implemented in the DNS. These are also included.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2598125"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
information associated with a particular name is composed of
separate RRs. The order of RRs in a set is not significant and
need not be preserved by name servers, resolvers, or other
parts of the DNS. However, sorting of multiple RRs is
permitted for optimization purposes, for example, to specify
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
</p>
<p>The components of a Resource Record are:</p>
<div class="variablelist"><dl>
<dt><span class="term">owner name</span></dt>
<dd><p>The domain name where the RR is found.</p></dd>
<dt><span class="term">type</span></dt>
<dd><p>An encoded 16-bit value that specifies
the type of the resource record.</p></dd>
<dt><span class="term">TTL</span></dt>
<dd><p>The time-to-live of the RR. This field
is a 32-bit integer in units of seconds, and is
primarily used by resolvers when they cache RRs.
The TTL describes how long an RR can
be cached before it should be discarded.</p></dd>
<dt><span class="term">class</span></dt>
<dd><p>An encoded 16-bit value that identifies
a protocol family or instance of a protocol.</p></dd>
<dt><span class="term">RDATA</span></dt>
<dd><p>The resource data. The format of the
data is type (and sometimes class) specific.</p></dd>
</dl></div>
<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p>
<div class="variablelist"><dl>
<dt><span class="term">A</span></dt>
<dd><p>A host address. In the IN class, this is a
32-bit IP address. Described in RFC 1035.</p></dd>
<dt><span class="term">AAAA</span></dt>
<dd><p>IPv6 address. Described in RFC 1886.</p></dd>
<dt><span class="term">A6</span></dt>
<dd><p>IPv6 address. This can be a partial
address (a suffix) and an indirection to the name
where the rest of the address (the prefix) can be found.
Experimental. Described in RFC 2874.</p></dd>
<dt><span class="term">AFSDB</span></dt>
<dd><p>Location of AFS database servers.
Experimental. Described in RFC 1183.</p></dd>
<dt><span class="term">APL</span></dt>
<dd><p>Address prefix list. Experimental.
Described in RFC 3123.</p></dd>
<dt><span class="term">CERT</span></dt>
<dd><p>Holds a digital certificate.
Described in RFC 2538.</p></dd>
<dt><span class="term">CNAME</span></dt>
<dd><p>Identifies the canonical name of an alias.
Described in RFC 1035.</p></dd>
<dt><span class="term">DHCID</span></dt>
<dd><p>Is used for identifying which DHCP client is
associated with this name. Described in RFC 4701.</p></dd>
<dt><span class="term">DNAME</span></dt>
<dd><p>Replaces the domain name specified with
another name to be looked up, effectively aliasing a
subtree of the domain name space rather than a single
name, as in the case of the CNAME RR.
Described in RFC 2672.</p></dd>
<dt><span class="term">DNSKEY</span></dt>
<dd><p>Stores a public key associated with a signed
DNS zone. Described in RFC 4034.</p></dd>
<dt><span class="term">DS</span></dt>
<dd><p>Stores the hash of a public key associated with a
signed DNS zone. Described in RFC 4034.</p></dd>
<dt><span class="term">GPOS</span></dt>
<dd><p>Specifies the global position. Superseded by LOC.</p></dd>
<dt><span class="term">HINFO</span></dt>
<dd><p>Identifies the CPU and OS used by a host.
Described in RFC 1035.</p></dd>
<dt><span class="term">IPSECKEY</span></dt>
<dd><p>Provides a method for storing IPsec keying material in
DNS. Described in RFC 4025.</p></dd>
<dt><span class="term">ISDN</span></dt>
<dd><p>Representation of ISDN addresses.
Experimental. Described in RFC 1183.</p></dd>
<dt><span class="term">KEY</span></dt>
<dd><p>Stores a public key associated with a
DNS name. Used in original DNSSEC; replaced
by DNSKEY in DNSSECbis, but still used with
SIG(0). Described in RFCs 2535 and 2931.</p></dd>
<dt><span class="term">KX</span></dt>
<dd><p>Identifies a key exchanger for this
DNS name. Described in RFC 2230.</p></dd>
<dt><span class="term">LOC</span></dt>
<dd><p>For storing GPS info. Described in RFC 1876.
Experimental.</p></dd>
<dt><span class="term">MX</span></dt>
<dd><p>Identifies a mail exchange for the domain with
a 16-bit preference value (lower is better)
followed by the host name of the mail exchange.
Described in RFC 974, RFC 1035.</p></dd>
<dt><span class="term">NAPTR</span></dt>
<dd><p>Name authority pointer. Described in RFC 2915.</p></dd>
<dt><span class="term">NSAP</span></dt>
<dd><p>A network service access point.
Described in RFC 1706.</p></dd>
<dt><span class="term">NS</span></dt>
<dd><p>The authoritative name server for the
domain. Described in RFC 1035.</p></dd>
<dt><span class="term">NSEC</span></dt>
<dd><p>Used in DNSSECbis to securely indicate that
RRs with an owner name in a certain name interval do
not exist in a zone and indicate what RR types are
present for an existing name.
Described in RFC 4034.</p></dd>
<dt><span class="term">NSEC3</span></dt>
<dd><p>Used in DNSSECbis to securely indicate that
RRs with an owner name in a certain name
interval do not exist in a zone and indicate
what RR types are present for an existing
name. NSEC3 differs from NSEC in that it
prevents zone enumeration but is more
computationally expensive on both the server
and the client than NSEC. Described in RFC</p></dd>
<dt><span class="term">NSEC3PARAM</span></dt>
<dd><p>Used in DNSSECbis to tell the authoritative
server which NSEC3 chains are available to use.
Described in RFC 5155.</p></dd>
<dt><span class="term">NXT</span></dt>
<dd><p>Used in DNSSEC to securely indicate that
RRs with an owner name in a certain name interval do
not exist in a zone and indicate what RR types are
present for an existing name.</p></dd>
</dl></div>
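<p>The five RR components and the MX RDATA layout described above, as an added Python example that is not from the BIND manual: it encodes and decodes one resource record in RFC 1035 wire format (uncompressed owner name, 16-bit type, 16-bit class, 32-bit TTL, 16-bit RDLENGTH, then RDATA), handling A, AAAA, MX and name-valued RDATA specially and passing other types through as raw bytes. Name compression pointers are deliberately rejected rather than followed, and the type-code table covers only the types the example interprets.</p>

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

# RFC 1035 type codes for the types this example interprets; others stay raw.
TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
CODE_TYPES = {code: name for name, code in TYPE_CODES.items()}
CLASS_IN = 1
FIXED = struct.Struct("!HHIH")   # TYPE (16 bits), CLASS (16 bits), TTL (32 bits), RDLENGTH (16 bits)


@dataclass
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: object   # str for A/AAAA/NS/CNAME/PTR, (preference, host) for MX, raw bytes otherwise


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\0"


def decode_name(buf: bytes, pos: int) -> Tuple[str, int]:
    """Inverse of encode_name; compression pointers (top two bits set) are rejected."""
    out = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        n = buf[pos]
        pos += 1
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        if n == 0:
            return ".".join(out) + ".", pos
        out.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def encode_rr(rr: RR) -> bytes:
    t = rr.rtype.upper()
    if not 0 <= rr.ttl <= 0xFFFFFFFF:
        raise ValueError("TTL must fit in 32 bits")
    if t == "A":
        rdata = ipaddress.IPv4Address(rr.rdata).packed
    elif t == "AAAA":
        rdata = ipaddress.IPv6Address(rr.rdata).packed
    elif t == "MX":                       # 16-bit preference, then the exchange's name
        pref, host = rr.rdata
        rdata = struct.pack("!H", pref) + encode_name(host)
    elif t in ("NS", "CNAME", "PTR"):
        rdata = encode_name(rr.rdata)
    else:
        rdata = bytes(rr.rdata)
    return encode_name(rr.name) + FIXED.pack(TYPE_CODES[t], CLASS_IN, rr.ttl, len(rdata)) + rdata


def decode_rr(buf: bytes, pos: int = 0) -> Tuple[RR, int]:
    """Parse one RR starting at pos; returns the record and the offset after it."""
    name, pos = decode_name(buf, pos)
    if len(buf) < pos + FIXED.size:
        raise ValueError("truncated fixed fields")
    tcode, cls, ttl, rdlen = FIXED.unpack_from(buf, pos)
    pos += FIXED.size
    rdata = buf[pos:pos + rdlen]
    if len(rdata) != rdlen:               # check RDLENGTH before trusting RDATA
        raise ValueError("truncated RDATA")
    if cls != CLASS_IN:
        raise ValueError("only class IN handled here")
    t = CODE_TYPES.get(tcode, f"TYPE{tcode}")
    if t == "A":
        value = str(ipaddress.IPv4Address(rdata))
    elif t == "AAAA":
        value = str(ipaddress.IPv6Address(rdata))
    elif t == "MX":
        (pref,) = struct.unpack_from("!H", rdata, 0)
        value = (pref, decode_name(rdata, 2)[0])
    elif t in ("NS", "CNAME", "PTR"):
        value = decode_name(rdata, 0)[0]
    else:
        value = rdata
    return RR(name, t, ttl, value), pos + rdlen


def mx_delivery_order(rrs: List[RR]) -> List[str]:
    """Exchange hosts in the order a sender tries them: lowest preference first."""
    return [host for _, host in sorted(rr.rdata for rr in rrs if rr.rtype == "MX")]
```

<p>Every length field in the record (label length, RDLENGTH, the packed address sizes) is checked against the bytes actually present before it is used, which is the part of RR parsing that matters most when the input comes from the network.</p>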
built-in server information zones, e.g.,
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<div class="titlepage"><div><div><h4 class="title"><a name="id2601102"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<div class="titlepage"><div><div><h4 class="title"><a name="id2601118"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<div class="titlepage"><div><div><h4 class="title"><a name="id2601179"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<div class="titlepage"><div><div><h4 class="title"><a name="id2601249"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<div class="titlepage"><div><div><h3 class="title"><a name="id2601285"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
<pre class="programlisting">HOST-1.EXAMPLE.   MX 0 .
HOST-2.EXAMPLE.   A  1.2.3.2
HOST-2.EXAMPLE.   MX 0 .
HOST-3.EXAMPLE.   A  1.2.3.3
HOST-3.EXAMPLE.   MX 0 .
HOST-127.EXAMPLE. A  1.2.3.127
HOST-127.EXAMPLE. MX 0 .</pre>
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<div class="titlepage"><div><div><h4 class="title"><a name="id2605899"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>