Bv9ARM.ch06.html revision b287974d182a164b84eaeaead39fcbe225e2a7f9
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff - Permission to use, copy, modify, and/or distribute this software for any
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff - purpose with or without fee is hereby granted, provided that the above
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff - copyright notice and this permission notice appear in all copies.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer - PERFORMANCE OF THIS SOFTWARE.
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer<!-- $Id: Bv9ARM.ch06.html,v 1.280 2011/04/07 01:14:30 tbox Exp $ -->
f9354808d122036e66e9f007a4bb12d4aa936aaeAndreas Gustafsson<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
f9354808d122036e66e9f007a4bb12d4aa936aaeAndreas Gustafsson<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
f9354808d122036e66e9f007a4bb12d4aa936aaeAndreas Gustafsson<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
f9354808d122036e66e9f007a4bb12d4aa936aaeAndreas Gustafsson<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b1d234eb75e2804e09d89178a76df39c321db51bBrian Wellington<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b1d234eb75e2804e09d89178a76df39c321db51bBrian Wellington<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<tr><th colspan="3" align="center">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>&nbsp;</td>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
353dcaf1cc77d122d9b4b750bbbfc4c96b4b292bAndreas Gustafsson<div class="titlepage"><div><div><h2 class="title">
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574250">Comment Syntax</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
a55d0a9080c8ef4117d2fc27f63220a56afb2434Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574904"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
7e4d75a5daeaaf8a7f559f9bd7fbf540184e235cMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575162"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575453"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575470"><span><strong class="command">include</strong></span> Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575494"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575517"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575676"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575870"><span><strong class="command">logging</strong></span> Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577869"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577943"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578007"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578051"><span><strong class="command">masters</strong></span> Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578066"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589225"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589365"><span><strong class="command">trusted-keys</strong></span> Statement Definition
b3e3e95537943deeb232e0b0475a726b54b868bcBrian Wellington<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589412"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589837"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591545"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2594773">Zone File</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596935">Discussion of MX Records</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597619">Inverse Mapping in IPv4</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597746">Other Zone File Directives</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597950"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff of configuration, such as views. <acronym class="acronym">BIND</acronym>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff 9, although more complex configurations should be reviewed to check
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff if they can be more efficiently implemented using the new features
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff found in <acronym class="acronym">BIND</acronym> 9.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <acronym class="acronym">BIND</acronym> 4 configuration files can be
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff converted to the new format
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff using the shell script
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h2 class="title" style="clear: both">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff file documentation:
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The name of an <code class="varname">address_match_list</code> as
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff defined by the <span><strong class="command">acl</strong></span> statement.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <code class="varname">address_match_list</code>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff A list of one or more
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff or <code class="varname">acl_name</code> elements, see
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence A named list of one or more <code class="varname">ip_addr</code>
d85aaf6ef786e5fb92f3af7a5584675fbcb519daDavid Lawrence with optional <code class="varname">key_id</code> and/or
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff A <code class="varname">masters_list</code> may include other
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff A quoted string which will be used as
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff a DNS name, for example "<code class="literal">my.test.domain</code>".
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff A list of one or more <code class="varname">domain_name</code>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff One to four integers valued 0 through
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff An IPv4 address with exactly four elements
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff in <code class="varname">dotted_decimal</code> notation.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff IPv6 scoped addresses that have ambiguity on their
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff scope zones must be disambiguated by an appropriate
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff zone ID with the percent character (`%') as
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff delimiter. It is strongly recommended to use
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff string zone names rather than numeric identifiers,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff in order to be robust against system configuration
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff changes. However, since there is no standard
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff mapping for such names and identifier values,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff currently only interface names as link identifiers
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff are supported, assuming one-to-one mapping between
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff interfaces and links. For example, a link-local
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff address <span><strong class="command">fe80::1</strong></span> on the link
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff attached to the interface <span><strong class="command">ne0</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Note that on most systems link-local addresses
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff always have the ambiguity, and need to be
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff disambiguated.
7e4d75a5daeaaf8a7f559f9bd7fbf540184e235cMark Andrews An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff An IP port <code class="varname">number</code>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <code class="varname">number</code> is limited to 0
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff through 65535, with values
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff below 1024 typically restricted to use by processes running
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff In some cases, an asterisk (`*') character can be used as a
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff placeholder to
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff select a random high-numbered port.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence An IP network specified as an <code class="varname">ip_addr</code>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff followed by a slash (`/') and then the number of bits in the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Trailing zeros in an <code class="varname">ip_addr</code>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff For example, <span><strong class="command">127/8</strong></span> is the
b3e3e95537943deeb232e0b0475a726b54b868bcBrian Wellington network <span><strong class="command">127.0.0.0</strong></span> with
7e4d75a5daeaaf8a7f559f9bd7fbf540184e235cMark Andrews netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence When specifying a prefix involving an IPv6 scoped address,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the scope may be omitted. In that case the prefix will
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer match packets from any scope.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence A <code class="varname">domain_name</code> representing
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the name of a shared key, to be used for transaction
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence A list of one or more
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence separated by semicolons and ending with a semicolon.
dcc6bde0a3c6580514675c59f8ffa499cee8f7c5Brian Wellington A non-negative 32-bit integer
dcc6bde0a3c6580514675c59f8ffa499cee8f7c5Brian Wellington (i.e., a number between 0 and 4294967295, inclusive).
dcc6bde0a3c6580514675c59f8ffa499cee8f7c5Brian Wellington Its acceptable value might further
dcc6bde0a3c6580514675c59f8ffa499cee8f7c5Brian Wellington be limited by the context in which it is used.
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence A quoted string which will be used as
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence A list of an <code class="varname">ip_port</code> or a port
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence A port range is specified in the form of
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>range</code></strong> followed by
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson two <code class="varname">ip_port</code>s,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <code class="varname">port_high</code>, which represents
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence port numbers from <code class="varname">port_low</code> through
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <code class="varname">port_high</code>, inclusive.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <code class="varname">port_low</code> must not be larger than
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>range 1024 65535</code></strong> represents
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence ports from 1024 through 65535.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence In either case an asterisk (`*') character is not
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence allowed as a valid <code class="varname">ip_port</code>.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence A number, the word <strong class="userinput"><code>unlimited</code></strong>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence or the word <strong class="userinput"><code>default</code></strong>.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the limit that was in force when the server was started.
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence A <code class="varname">number</code> can optionally be
998befa9f3a2f67577e3fc948fd9cc9f30b2ab6bMichael Sawyer followed by a scaling factor:
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence for kilobytes,
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence for megabytes, and
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence which scale by 1024, 1024*1024, and 1024*1024*1024
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence respectively.
998befa9f3a2f67577e3fc948fd9cc9f30b2ab6bMichael Sawyer The value must be representable as a 64-bit unsigned integer
998befa9f3a2f67577e3fc948fd9cc9f30b2ab6bMichael Sawyer (0 to 18446744073709551615, inclusive).
998befa9f3a2f67577e3fc948fd9cc9f30b2ab6bMichael Sawyer Using <code class="varname">unlimited</code> is the best way
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence to safely set a really large number.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence and <strong class="userinput"><code>0</code></strong>.
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer One of <strong class="userinput"><code>yes</code></strong>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>passive</code></strong>.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence are restricted to slave and stub zones.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<div class="titlepage"><div><div><h3 class="title">
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence<div class="titlepage"><div><div><h4 class="title">
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer<a name="id2574085"></a>Syntax</h4></div></div></div>
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer [<span class="optional"> address_match_list_element; ... </span>]
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence key key_id | acl_name | { address_match_list } )
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<div class="titlepage"><div><div><h4 class="title">
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<a name="id2574113"></a>Definition and Usage</h4></div></div></div>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence Address match lists are primarily used to determine access
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence control for various server operations. They are also used in
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence statements. The elements which constitute an address match
d3498432822fb487e58f8f72bb5f880dd8307d7dMichael Sawyer list can be any of the following:
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence a key ID, as defined by the <span><strong class="command">key</strong></span>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<li>the name of an address match list defined with
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the <span><strong class="command">acl</strong></span> statement
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<li>a nested address match list enclosed in braces</li>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Elements can be negated with a leading exclamation mark (`!'),
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff and the match list names "any", "none", "localhost", and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff "localnets" are predefined. More information on those names
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff can be found in the description of the acl statement.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The addition of the key clause made the name of this syntactic
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff element something of a misnomer, since security keys can be used
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff to validate access without regard to a host or network address.
58007c5fde59b756174280d26916eb27f593e6ccBob Halley Nonetheless, the term "address match list" is still used
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff throughout the documentation.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff When a given IP address or prefix is compared to an address
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff match list, the comparison takes place in approximately O(1)
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff time. However, key comparisons require that the list of keys
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff be traversed until a matching key is found, and therefore may
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff be somewhat slower.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The interpretation of a match depends on whether the list is being
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence When used as an access control list, a non-negated match
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence allows access and a negated match denies access. If
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence there is no match, access is denied. The clauses
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-notify</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-recursion</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-recursion-on</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-query</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-query-on</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-query-cache</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-query-cache-on</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-transfer</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-update</strong></span>,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">allow-update-forwarding</strong></span>, and
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">blackhole</strong></span> all use address match
0c1002e0b0dec735621c4c7e00f5ea177e6544f8Andreas Gustafsson lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence server to refuse queries on any of the machine's
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence addresses which do not match the list.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence Order of insertion is significant. If more than one element
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence in an ACL is found to match a given IP address or prefix,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence preference will be given to the one that came
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span class="emphasis"><em>first</em></span> in the ACL definition.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence Because of this first-match behavior, an element that
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence defines a subset of another element in the list should
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence come before the broader element, regardless of whether
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence either is negated. For example, in
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence the 1.2.3.13 element is completely useless because the
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence that problem by having 1.2.3.13 blocked by the negation, but
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence all other 1.2.3.* hosts fall through.
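The first-match rule above can be checked mechanically. The following Python sketch is an added example, not code from BIND or from this manual: it evaluates an address match list made only of IP addresses, prefixes, `any` and `none`, and reports elements that can never decide a lookup because an earlier, broader element always matches first. The function names are hypothetical, and key names and nested ACLs are not handled.

```python
import ipaddress


def parse_element(text):
    """Parse one element such as '1.2.3/24', '! 1.2.3.13', 'any' or 'none'.

    Returns (negated, networks), where networks is the list of IP networks
    the element matches (two for 'any', empty for 'none').
    """
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if text == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0"),
                         ipaddress.ip_network("::/0")]
    if text == "none":
        return negated, []
    addr, _, length = text.partition("/")
    if ":" not in addr:
        # Trailing zero octets may be omitted in an IPv4 prefix (1.2.3/24).
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    if not length:
        length = ipaddress.ip_address(addr).max_prefixlen
    # strict parsing: a prefix with host bits set raises ValueError
    return negated, [ipaddress.ip_network(f"{addr}/{length}")]


def parse_list(text):
    """Split 'elem; elem; ...' into parsed elements, keeping their order."""
    return [parse_element(e) for e in text.split(";") if e.strip()]


def evaluate(acl, address):
    """Apply first-match semantics to one address.

    Returns (allowed, index): index is the position of the deciding
    element, or None when nothing matched and access is denied.
    """
    ip = ipaddress.ip_address(address)
    for index, (negated, nets) in enumerate(acl):
        if any(ip in net for net in nets):
            return (not negated), index
    return False, None


def shadowed(acl):
    """Find elements that are fully covered by a single earlier element.

    Returns (later_index, earlier_index) pairs. This is a sufficient check
    only: coverage by a union of several earlier elements is not detected.
    """
    pairs = []
    for j, (_, nets_j) in enumerate(acl):
        if not nets_j:          # 'none' matches nothing, so nothing to shadow
            continue
        for i in range(j):
            nets_i = acl[i][1]
            if all(any(a.version == b.version and a.subnet_of(b)
                       for b in nets_i) for a in nets_j):
                pairs.append((j, i))
                break
    return pairs


if __name__ == "__main__":
    for text in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24"):
        acl = parse_list(text)
        print(text, "->", evaluate(acl, "1.2.3.13"), "shadowed:", shadowed(acl))
```
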
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<a name="id2574250"></a>Comment Syntax</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence comments to appear
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson file. To appeal to programmers of all kinds, they can be written
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<div class="titlepage"><div><div><h4 class="title">
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence<a name="id2574265"></a>Syntax</h4></div></div></div>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson# and perl</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<div class="titlepage"><div><div><h4 class="title">
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<a name="id2574295"></a>Definition and Usage</h4></div></div></div>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson Comments may appear anywhere that whitespace may appear in
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson a <acronym class="acronym">BIND</acronym> configuration file.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson C-style comments start with the two characters /* (slash,
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson star) and end with */ (star, slash). Because they are completely
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson delimited with these characters, they can be used to comment only
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson a portion of a line or to span multiple lines.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson C-style comments cannot be nested. For example, the following
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson is not valid because the entire comment ends with the first */:
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<pre class="programlisting">/* This is the start of a comment.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson This is still part of the comment.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson/* This is an incorrect attempt at nesting a comment. */
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson This is no longer in any comment. */</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson C++-style comments start with the two characters // (slash,
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson slash) and continue to the end of the physical line. They cannot
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson be continued across multiple physical lines; to have one logical
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson comment span multiple lines, each line must use the // pair.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<pre class="programlisting">// This is the start of a comment. The next line
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson// is a new comment, even though it is logically
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson// part of the previous comment.</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson Shell-style (or perl-style, if you prefer) comments start
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson with the character <code class="literal">#</code> (number sign)
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson and continue to the end of the
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson physical line, as in C++ comments.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<pre class="programlisting"># This is the start of a comment. The next line
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson# is a new comment, even though it is logically
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson# part of the previous comment.</pre>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson You cannot use the semicolon (`;') character
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson to start a comment such as you would in a zone file. The
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson semicolon indicates the end of a configuration
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson A <acronym class="acronym">BIND</acronym> 9 configuration consists of
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson statements and comments.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson Statements end with a semicolon. Statements and comments are the
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson only elements that can appear without enclosing braces. Many
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson statements contain a block of sub-statements, which are also
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson terminated with a semicolon.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson The following statements are supported:
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson<div class="informaltable"><table border="1">
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">acl</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson defines a named IP address
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson matching list, for access control and other uses.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">controls</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson declares control channels to be used
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson by the <span><strong class="command">rndc</strong></span> utility.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">include</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson includes a file.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">key</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson specifies key information for use in
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson authentication and authorization using TSIG.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">logging</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson specifies what the server logs, and where
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson the log messages are sent.
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson <p><span><strong class="command">lwres</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson configures <span><strong class="command">named</strong></span> to
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <p><span><strong class="command">masters</strong></span></p>
1689e359340a4e1ae7ac925eacd41d8b1e6c4420Andreas Gustafsson defines a named masters list for
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff inclusion in stub and slave zone masters clauses.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">options</strong></span></p>
58007c5fde59b756174280d26916eb27f593e6ccBob Halley controls global server configuration
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff options and sets defaults for other statements.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">server</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff sets certain configuration options on
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff a per-server basis.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">statistics-channels</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff declares communication channels to get access to
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">named</strong></span> statistics.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">trusted-keys</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff defines trusted DNSSEC keys.
d3646bfc0ec587c8e8d1161c0336efbec1795b2fBob Halley <p><span><strong class="command">managed-keys</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff lists DNSSEC keys to be kept up to date
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff using RFC 5011 trust anchor maintenance.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">view</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff defines a view.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">zone</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff defines a zone.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">logging</strong></span> and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">options</strong></span> statements may only occur once
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff per configuration.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="id2574904"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
60900508230c379ea068d692e73d7c64e2bb743fBob Halley address_match_list };</pre>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">acl</strong></span> statement assigns a symbolic
6de7f2cbf2d4204d5ecfa7ddbba039385e25a3f2Bob Halley name to an address match list. It gets its name from a primary
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff use of address match lists: Access Control Lists (ACLs).
8eee0fb33794039f5316d82c08115a178a2fad50Brian Wellington Note that an address match list's name must be defined
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff with <span><strong class="command">acl</strong></span> before it can be used
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff elsewhere; no forward references are allowed.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The following ACLs are built-in:
f93d33e24fdf76eb2558168f018b8992bcfc5681Andreas Gustafsson<div class="informaltable"><table border="1">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">any</strong></span></p>
6de7f2cbf2d4204d5ecfa7ddbba039385e25a3f2Bob Halley Matches all hosts.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">none</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Matches no hosts.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">localhost</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Matches the IPv4 and IPv6 addresses of all network
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff interfaces on the system.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <p><span><strong class="command">localnets</strong></span></p>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Matches any host on an IPv4 or IPv6 network
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff for which the system has an interface.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Some systems do not provide a way to determine the prefix
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff lengths of local IPv6 addresses.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff In such a case, <span><strong class="command">localnets</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff only matches the local
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="id2575162"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<pre class="programlisting"><span><strong class="command">controls</strong></span> {
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff [ inet ( ip_addr | * ) [ port ip_port ]
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff allow { <em class="replaceable"><code> address_match_list </code></em> }
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff keys { <em class="replaceable"><code>key_list</code></em> }; ]
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff [ inet ...; ]
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff keys { <em class="replaceable"><code>key_list</code></em> }; ]
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff [ unix ...; ] };</pre>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">controls</strong></span> statement declares control
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff channels to be used by system administrators to control the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff operation of the name server. These control channels are
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff used by the <span><strong class="command">rndc</strong></span> utility to send
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff commands to and retrieve non-DNS results from a name server.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff An <span><strong class="command">inet</strong></span> control channel is a TCP socket
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff listening at the specified <span><strong class="command">ip_port</strong></span> on the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff interpreted as the IPv4 wildcard address; connections will be
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff accepted on any of the system's IPv4 addresses.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff To listen on the IPv6 wildcard address,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff If you will only use <span><strong class="command">rndc</strong></span> on the local host,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff using the loopback address (<code class="literal">127.0.0.1</code>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff or <code class="literal">::1</code>) is recommended for maximum security.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff If no port is specified, port 953 is used. The asterisk
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The ability to issue commands over the control channel is
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff restricted by the <span><strong class="command">allow</strong></span> and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">keys</strong></span> clauses.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Connections to the control channel are permitted based on the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">address_match_list</strong></span>. This is for simple
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff IP address based filtering only; any <span><strong class="command">key_id</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff elements of the <span><strong class="command">address_match_list</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff socket listening at the specified path in the file system.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Note on some platforms (SunOS and Solaris) the permissions
8eee0fb33794039f5316d82c08115a178a2fad50Brian Wellington (<span><strong class="command">perm</strong></span>) are applied to the parent directory
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff as the permissions on the socket itself are ignored.
60900508230c379ea068d692e73d7c64e2bb743fBob Halley The primary authorization mechanism of the command
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff channel is the <span><strong class="command">key_list</strong></span>, which
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff contains a list of <span><strong class="command">key_id</strong></span>s.
8f16e457f722681f67ee6af9c1cd39553f6dcc9aAndreas Gustafsson Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
8eee0fb33794039f5316d82c08115a178a2fad50Brian Wellington is authorized to execute commands over the control channel.
8eee0fb33794039f5316d82c08115a178a2fad50Brian Wellington See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff for information about configuring keys in <span><strong class="command">rndc</strong></span>.
582952026017aee8b5fb8ada625165c579f7807bDavid Lawrence If no <span><strong class="command">controls</strong></span> statement is present,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">named</strong></span> will set up a default
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff control channel listening on the loopback address 127.0.0.1
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff and its IPv6 counterpart ::1.
4e47460645a82502d02df9bf542c301a0dfab653Andreas Gustafsson In this case, and also when the <span><strong class="command">controls</strong></span> statement
81e92fbafaa07bd8ccbbeb4b5926d548b5c4560eDavid Lawrence is present but does not have a <span><strong class="command">keys</strong></span> clause,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <span><strong class="command">named</strong></span> will attempt to load the command channel key
60900508230c379ea068d692e73d7c64e2bb743fBob Halley from the file <code class="filename">rndc.key</code> in
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence was specified as when <acronym class="acronym">BIND</acronym> was built).
60900508230c379ea068d692e73d7c64e2bb743fBob Halley To create a <code class="filename">rndc.key</code> file, run
c528dee35b4ddcab939a5d9bd94718a8879fa5e2Brian Wellington <strong class="userinput"><code>rndc-confgen -a</code></strong>.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <code class="filename">rndc.key</code> feature was created to
58007c5fde59b756174280d26916eb27f593e6ccBob Halley ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff which did not have digital signatures on its command channel
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
60900508230c379ea068d692e73d7c64e2bb743fBob Halley It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence and still have <span><strong class="command">rndc</strong></span> work the same way
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Since the <code class="filename">rndc.key</code> feature
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence is only intended to allow the backward-compatible usage of
60900508230c379ea068d692e73d7c64e2bb743fBob Halley <acronym class="acronym">BIND</acronym> 8 configuration files, this
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff feature does not
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff have a high degree of configurability. You cannot easily change
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff the key name or the size of the secret, so you should make a
f93d33e24fdf76eb2558168f018b8992bcfc5681Andreas Gustafsson <code class="filename">rndc.conf</code> with your own key if you
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff wish to change
f93d33e24fdf76eb2558168f018b8992bcfc5681Andreas Gustafsson those things. The <code class="filename">rndc.key</code> file
6de7f2cbf2d4204d5ecfa7ddbba039385e25a3f2Bob Halley has its permissions set such that only the owner of the file (the user that
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">named</strong></span> is running as) can access it.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff If you desire greater flexibility in allowing other users to access
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">rndc</strong></span> commands, then you need to create
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff a <code class="filename">rndc.conf</code> file and make it group
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff readable by a group
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff that contains the users who should have access.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff To disable the command channel, use an empty
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">controls</strong></span> statement:
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <span><strong class="command">controls { };</strong></span>.
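The comment rules and the `controls` behaviour described above can be combined into a small configuration check. This Python sketch is an added example, not part of BIND or its tools: it strips the three comment styles (C-style comments end at the first `*/`, and `;` never starts a comment), then reports `inet` control channels that listen beyond the loopback address, `allow` lists containing `any`, and channels without a `keys` clause. The function names and the sample configuration are constructed for illustration, and braces inside quoted strings are not handled.

```python
import ipaddress
import re

# A quoted string, a C comment (ends at the FIRST */), a // or a # comment.
_LEX = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(conf):
    """Replace each comment with a space; quoted strings are kept intact."""
    return _LEX.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)


def _block_body(text, start):
    """Return the body of the brace block whose '{' is at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")


def _clauses(body):
    """Split a block body at each ';' that is outside nested braces."""
    depth, current, out = 0, "", []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            if current.strip():
                out.append(current.strip())
            current = ""
        else:
            current += ch
    return out


def audit_controls(conf):
    """Return a list of findings about the control channels in conf."""
    text = strip_comments(conf)
    starts = [m.end() - 1 for m in re.finditer(r"\bcontrols\s*\{", text)]
    if not starts:
        return ["no controls statement: default channel on 127.0.0.1 and ::1, "
                "key loaded from rndc.key"]
    findings = []
    for start in starts:
        clauses = _clauses(_block_body(text, start))
        if not clauses:
            findings.append("empty controls statement: command channel disabled")
        for clause in clauses:
            tok = clause.split()
            label = " ".join(tok[:2])
            if tok[0] == "inet":
                addr = tok[1]
                port = tok[tok.index("port") + 1] if "port" in tok else "953"
                label = f"inet {addr} port {port}"
                if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"{label}: listens beyond the loopback address")
                if re.search(r"\ballow\s*\{[^}]*\bany\b", clause):
                    findings.append(f"{label}: allow list contains 'any'")
            if not re.search(r"\bkeys\s*\{", clause):
                findings.append(f"{label}: no keys clause, key loaded from rndc.key")
    return findings


# Constructed sample configuration; the secret is a placeholder.
SAMPLE = '''
/* controls { inet * allow { any; }; };   commented out, must be ignored */
key "rndc-key" { algorithm hmac-sha256; secret "Y29uc3RydWN0ZWQ="; };  # placeholder
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet * allow { any; };          // wildcard address, no keys clause
};
'''

if __name__ == "__main__":
    for finding in audit_controls(SAMPLE):
        print(finding)
```
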
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
d85aaf6ef786e5fb92f3af7a5584675fbcb519daDavid Lawrence<a name="id2575453"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<a name="id2575470"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">include</strong></span> statement inserts the
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff specified file at the point where the <span><strong class="command">include</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff statement is encountered. The <span><strong class="command">include</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff statement facilitates the administration of configuration
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff files by permitting the reading or writing of some things but not
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence others. For example, the statement could include private keys
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff that are readable only by the name server.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<div class="titlepage"><div><div><h3 class="title">
d85aaf6ef786e5fb92f3af7a5584675fbcb519daDavid Lawrence<a name="id2575494"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
9c4cba349f52bb8176c3858b2b5b340f13603802Brian Wellington algorithm <em class="replaceable"><code>string</code></em>;
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff secret <em class="replaceable"><code>string</code></em>; };</pre>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff<div class="titlepage"><div><div><h3 class="title">
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence<a name="id2575517"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">key</strong></span> statement defines a shared
a721540f2096879e0e1d4448dd4c87b62e7aefd8Michael Graff secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff or the command channel
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Usage”</a>).
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <span><strong class="command">key</strong></span> statement can occur at the
5f2d1b96ac4bc3870423792520030a5ecabda925Andreas Gustafsson top level of the configuration file or inside a <span><strong class="command">view</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff statement. Keys defined in top-level <span><strong class="command">key</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff statements can be used in all views. Keys intended for use in
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff a <span><strong class="command">controls</strong></span> statement
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Usage”</a>)
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff must be defined at the top level.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff The <em class="replaceable"><code>key_id</code></em>, also known as the
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence key name, is a domain name uniquely identifying the key. It can
483a5a91ada151e7edba90b98ce376b06b0013e3Mark Andrews be used in a <span><strong class="command">server</strong></span>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff statement to cause requests sent to that
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff server to be signed with this key, or in address match lists to
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff verify that incoming requests have been signed with a key
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff matching this name, algorithm, and secret.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence The <em class="replaceable"><code>algorithm_id</code></em> is a string
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence that specifies a security/authentication algorithm. Named
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence supports <code class="literal">hmac-md5</code>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff and <code class="literal">hmac-sha512</code> TSIG authentication.
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff Truncated hashes are supported by appending the minimum
a721540f2096879e0e1d4448dd4c87b62e7aefd8Michael Graff number of required bits preceded by a dash, e.g.
615f17d0171dd807c6803b25a255a8ea2051fbd4David Lawrence <code class="literal">hmac-sha1-80</code>. The
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff <em class="replaceable"><code>secret_string</code></em> is the secret
5d82424f5d3c77c092c111b935041fd3dc4b3e98Andreas Gustafsson to be used by the algorithm, and is treated as a base-64
5a0ffa97751ef1ff29d1bf9d7f332eeb9f8edc21Michael Graff encoded string.
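The following is an added example, not part of the BIND documentation or ISC's code: a small Python linter for the three fields of a key statement. It accepts only the algorithm_id values listed above and strictly decodes the base-64 secret_string; the truncation floor (RFC 4635: the larger of 10 octets and half the digest size) and the key-length advice (RFC 2104) are assumptions about what a reviewer wants enforced, and all function names and the sample secret are constructed.

```python
import base64
import binascii
import hashlib
import hmac

# Digest size in bits for each algorithm_id the page lists as supported.
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}

# Constructed sample secret (32 predictable bytes); not a real key.
SAMPLE_SECRET = base64.b64encode(bytes(range(32))).decode("ascii")


def parse_algorithm_id(algorithm_id):
    """Return (base_algorithm, mac_bits); 'hmac-sha1-80' -> ('hmac-sha1', 80)."""
    name = algorithm_id.lower()
    if name in DIGEST_BITS:
        return name, DIGEST_BITS[name]
    base, dash, bits = name.rpartition("-")
    if not dash or base not in DIGEST_BITS or not (bits.isascii() and bits.isdigit()):
        raise ValueError("unsupported algorithm_id %r" % algorithm_id)
    return base, int(bits)


def decode_secret(secret_string):
    """Strictly decode the base-64 secret_string; ValueError if malformed."""
    try:
        return base64.b64decode(secret_string, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret_string is not valid base-64: %s" % exc)


def check_key(key_id, algorithm_id, secret_string):
    """Return a list of findings for one key statement (empty list = clean)."""
    try:
        base, bits = parse_algorithm_id(algorithm_id)
    except ValueError as exc:
        return ["%s: %s" % (key_id, exc)]
    findings = []
    full = DIGEST_BITS[base]
    floor = max(80, full // 2)  # assumption: RFC 4635 lower bound on truncation
    if bits > full:
        findings.append("%s: truncation to %d bits exceeds the %d-bit digest"
                        % (key_id, bits, full))
    elif bits < floor:
        findings.append("%s: truncation to %d bits is below the %d-bit floor"
                        % (key_id, bits, floor))
    try:
        secret = decode_secret(secret_string)
    except ValueError as exc:
        findings.append("%s: %s" % (key_id, exc))
        return findings
    if len(secret) * 8 < full:
        # Assumption: RFC 2104 advises keys at least as long as the digest.
        findings.append("%s: secret is %d bits, shorter than the %d-bit digest"
                        % (key_id, len(secret) * 8, full))
    return findings


def truncated_mac(algorithm_id, secret_string, message):
    """HMAC over message, cut to the leftmost mac_bits, as truncation does.

    The input is arbitrary bytes; a real TSIG MAC covers the DNS message and
    the TSIG variables, which this sketch does not build.
    """
    base, bits = parse_algorithm_id(algorithm_id)
    digest = getattr(hashlib, base[len("hmac-"):])
    mac = hmac.new(decode_secret(secret_string), message, digest).digest()
    return mac[: bits // 8]


if __name__ == "__main__":
    # Constructed key statements: (key_id, algorithm_id, secret_string).
    samples = [
        ("xfer.example.", "hmac-sha256", SAMPLE_SECRET),
        ("xfer.example.", "hmac-sha1-80", SAMPLE_SECRET),
        ("short.example.", "hmac-sha256-64", SAMPLE_SECRET),
        ("broken.example.", "hmac-sha256", "not base64!!"),
    ]
    for sample in samples:
        print(sample[1], check_key(*sample) or "ok")
```
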
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575676"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
};</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575870"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">logging</strong></span> statement configures a
wide variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
associates output methods, format options and severity levels with
a name that can then be used with the <span><strong class="command">category</strong></span> phrase
to select how various classes of messages are logged.
Only one <span><strong class="command">logging</strong></span> statement is used to define
as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
the logging configuration will be:
<pre class="programlisting">logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};</pre>
In <acronym class="acronym">BIND</acronym> 9, the logging configuration
is only established when
the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
established as soon as the <span><strong class="command">logging</strong></span> statement
was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the "<code class="option">-g</code>" option
was specified.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2575991"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the
category name
and/or severity level (the default is not to include any).
The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.
The <span><strong class="command">file</strong></span> destination clause directs
the channel to a disk file. It can include limitations
both on how large the file is allowed to become, and how many
versions of the file will be saved each time the file is opened.
If you use the <span><strong class="command">versions</strong></span> log file
option, then <span><strong class="command">named</strong></span> will retain that many backup
versions of the file by
renaming them when opening. For example, if you choose to keep
three old versions
of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to
not limit the number of versions.
If a <span><strong class="command">size</strong></span> option is associated with
the log file, then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any
existing log file is simply appended.
The <span><strong class="command">size</strong></span> option for files is used
to limit log growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are
rolled as described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log
until some out-of-band mechanism removes or truncates the log to
less than the
maximum size. The default behavior is not to limit the size of
the file.
Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};</pre>
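The following is an added model, not code from named or from this manual, of the file-channel behaviour described above: the rename order used for versions, the rule that a size option makes renaming conditional, and the case where size is set without versions and later messages are lost. The class and function names are hypothetical, sizes are in bytes, and the "log directory" is an in-memory dictionary so nothing touches the file system.

```python
UNLIMITED = float("inf")  # stands in for "versions unlimited"


class FileChannel:
    """In-memory model of a file channel with optional versions and size.

    files maps file name -> size in bytes and stands in for the log directory.
    """

    def __init__(self, files, path, versions=0, size=None):
        self.files = files
        self.path = path
        self.versions = versions  # 0: keep no backup versions (the default)
        self.size = size          # None: do not limit the size (the default)

    def _roll(self):
        """Rename path.(n-1) -> path.n, ..., path.0 -> path.1, path -> path.0."""
        if self.versions == UNLIMITED:
            keep = 1
            while "%s.%d" % (self.path, keep - 1) in self.files:
                keep += 1
        else:
            keep = self.versions
        for n in range(keep - 1, 0, -1):
            older = "%s.%d" % (self.path, n - 1)
            if older in self.files:
                # The oldest retained version is overwritten here.
                self.files["%s.%d" % (self.path, n)] = self.files.pop(older)
        if self.path in self.files:
            self.files[self.path + ".0"] = self.files.pop(self.path)

    def open(self):
        """Model of named opening the log file."""
        if self.versions and self.path in self.files:
            # With a size option, renaming is only done when the file being
            # opened already exceeds that size.
            if self.size is None or self.files[self.path] > self.size:
                self._roll()
        self.files.setdefault(self.path, 0)  # otherwise append to existing

    def write(self, nbytes):
        """Return True if the message was written, False if it was lost."""
        current = self.files.setdefault(self.path, 0)
        over = self.size is not None and current > self.size
        if over and not self.versions:
            return False  # size exceeded and no versions: writing stops
        if over:
            self._roll()              # backup versions kept: roll the files
            self.files[self.path] = 0  # and begin a new one
        self.files[self.path] += nbytes
        return True


def replay(channel, message_sizes):
    """Write each message; return how many were lost."""
    return sum(0 if channel.write(n) else 1 for n in message_sizes)


if __name__ == "__main__":
    # Constructed sizes: ten 30-byte messages against a 100-byte limit.
    for versions in (0, 3):
        files = {}
        channel = FileChannel(files, "example.log", versions=versions, size=100)
        channel.open()
        print("versions", versions, "lost", replay(channel, [30] * 10), files)
```

With a size limit and no versions, everything after the limit is reached is dropped until the file is removed or truncated out of band, so a channel that carries security-relevant categories should set versions as well or be rotated externally.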
The <span><strong class="command">syslog</strong></span> destination clause
directs the channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>; however, not all facilities
are supported on
all operating systems.
How <span><strong class="command">syslog</strong></span> will handle messages
sent to this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.
The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
levels
will be accepted.
If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.
The <span><strong class="command">stderr</strong></span> destination clause
directs the channel to the server's standard error stream. This is intended
for use when the server is running as a foreground process, for
example when debugging a configuration.
The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is
greater than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {</pre>
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
// write to named.run in the working directory
// Note: stderr is used instead of "named.run" if
file "named.run";
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
<a name="id2577350"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
resolution for AAAA records of www.example.com completed
likely com and example.com.
<a name="id2577869"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
<a name="id2577943"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<a name="id2578007"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2578051"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2578066"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em> [<span class="optional"> policy <em class="replaceable"><code>given</code></em> | <em class="replaceable"><code>no-op</code></em> | <em class="replaceable"><code>nxdomain</code></em> | <em class="replaceable"><code>nodata</code></em> | <em class="replaceable"><code>cname domain</code></em> </span>] ; } ; </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note that some TLDs are not delegation only (e.g. "DE", "LV",
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Additionally, a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
<span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255
IPv6 addresses are encoded with prefix.W.W.W.W.W.W.W.W or
prefix.WORDS.zz.WORDS. The words in the standard IPv6 text
of the variable part of the owner name, such as "example.com." for
<pre class="programlisting">zone "bl" {type master; file "example/bl"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME .
nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
8.0.0.0.127.ip CNAME .
32.1.0.0.127.ip CNAME 32.1.0.0.127.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2589225"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2589365"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2589412"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2589837"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2591545"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non recursive queries (i.e., those with the RD
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and Usage”</a>.
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2597768"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2597784"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2597845"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2597914"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2597950"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2602497"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>