Bv9ARM.ch06.html revision e4adb07cc1f8253b3c39aeeeb3ea03dc5b7011cc
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.240 2009/10/27 01:14:46 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.

<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:

The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.

A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.

A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
A <code class="varname">masters_list</code> may include other

A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".

A list of one or more <code class="varname">domain_name</code>

One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.

An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.

An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.

An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.

The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.

An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.

A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction

A list of one or more
separated by semicolons and ending with a semicolon.

A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.

A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.

A list of an <code class="varname">ip_port</code> or a port
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_low</code> must not be larger than
For example,
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.

A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
A <code class="varname">number</code> can optionally be
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best way
to safely set a really large number.

Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.

One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.

<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<a name="id2573689"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<a name="id2573717"></a>Definition and Usage</h4></div></div></div>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement
<li>a nested address match list enclosed in braces</li>

Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.

The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.

When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.

The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.

When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.

Order of insertion is significant. If more than one element
in an ACL is found to match a given IP address or prefix,
preference will be given to the one that came
<span class="emphasis"><em>first</em></span> in the ACL definition.
Because of this first-match behavior, an element that
defines a subset of another element in the list should
come before the broader element, regardless of whether
either is negated. For example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
the 1.2.3.13 element is completely useless because the
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation, but
all other 1.2.3.* hosts fall through.
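
The first-match rule and the shortened ip_prefix notation described above, as an added Python example (it is not part of the BIND documentation or source code). It models only flat lists of ip_prefix elements and the predefined name "any"; key, acl_name, nested lists and scoped IPv6 addresses are left out, and the helper names parse_prefix, parse_acl, evaluate and shadowed are hypothetical.

```python
"""First-match evaluation of a flat BIND-style address match list (illustrative)."""
import ipaddress
from collections import namedtuple

# One list element: negated flag, the networks it covers, and its display text.
Element = namedtuple("Element", "negated nets text")

# The predefined name "any" matches every IPv4 and IPv6 address.
ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


def parse_prefix(text):
    """Parse an ip_prefix; trailing zero octets of an IPv4 address may be omitted."""
    addr, _, length = text.partition("/")
    if ":" not in addr:  # IPv4 dotted_decimal: one to four octets
        octets = addr.split(".")
        if not (1 <= len(octets) <= 4 and all(o.isdigit() for o in octets)):
            raise ValueError(f"not an ip_prefix: {text!r}")
        if len(octets) < 4 and not length:
            # Assumption of this sketch: a shortened address needs a /length.
            raise ValueError(f"shortened address without /length: {text!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + ("/" + length if length else ""))


def parse_acl(text):
    """Split 'elem; elem; ...' into Elements, keeping the order of insertion."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw.lstrip("!").strip()
        nets = ANY if body == "any" else (parse_prefix(body),)
        elements.append(Element(negated, nets, ("!" if negated else "") + body))
    return elements


def covers(element, ip):
    """True if the address falls inside any network of the element."""
    return any(ip.version == n.version and ip in n for n in element.nets)


def evaluate(elements, client):
    """Return (decision, matching element text) for a client address."""
    ip = ipaddress.ip_address(client)
    for el in elements:  # the first matching element decides, negated or not
        if covers(el, ip):
            return ("deny" if el.negated else "allow", el.text)
    return ("deny", None)  # no match: access is denied


def shadowed(elements):
    """List (element, earlier element) pairs where the later one can never match."""
    findings = []
    for idx, later in enumerate(elements):
        for earlier in elements[:idx]:
            if all(any(a.version == b.version and a.subnet_of(b)
                       for b in earlier.nets) for a in later.nets):
                findings.append((later.text, earlier.text))
                break
    return findings


if __name__ == "__main__":
    # The two orderings discussed in the text above.
    for acl_text in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        acl = parse_acl(acl_text)
        print(acl_text)
        for client in ("1.2.3.13", "1.2.3.14", "10.0.0.1"):
            print("  ", client, evaluate(acl, client))
        print("   unreachable:", shadowed(acl))
```

Running shadowed() over each ACL before deployment flags a negation that sits behind a broader allow, which is the ordering mistake the paragraph above describes.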
<a name="id2573923"></a>Comment Syntax</h3></div></div></div>
 The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
 comments to appear
 anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
 file. To appeal to programmers of all kinds, they can be written
<a name="id2574006"></a>Syntax</h4></div></div></div>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
# and perl</pre>
<a name="id2574036"></a>Definition and Usage</h4></div></div></div>
 Comments may appear anywhere that whitespace may appear in
 a <acronym class="acronym">BIND</acronym> configuration file.
 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
 a portion of a line or to span multiple lines.
 C-style comments cannot be nested. For example, the following
 is not valid because the entire comment ends with the first */:
<pre class="programlisting">/* This is the start of a comment.
 This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
 This is no longer in any comment. */
 C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
 comment span multiple lines, each line must use the // pair.
 For example:
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
 Shell-style (or perl-style, if you prefer) comments start
 with the character <code class="literal">#</code> (number sign)
 and continue to the end of the
 physical line, as in C++ comments.
 For example:
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
 You cannot use the semicolon (`;') character
 to start a comment such as you would in a zone file. The
 semicolon indicates the end of a configuration
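<p>The three comment styles described above, as an added example (not BIND's own lexer): a Python scanner that removes them from configuration text before it is audited or diffed. It replaces each comment with whitespace, keeps line numbers stable, ends a C-style comment at the first <code class="literal">*/</code>, and assumes that comment characters inside a double-quoted string belong to the string. The sample inputs are constructed.</p>

```python
def strip_comments(text):
    """Remove /* */, // and # comments from named.conf-style text."""
    out = []
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == '"':
            # Copy a quoted string verbatim (assumption: it is opaque
            # to comment scanning); a backslash escapes the next char.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("/*", i):
            # No nesting: the comment ends at the FIRST "*/".
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            # A comment stands where whitespace may stand; keep the
            # newlines it spanned so line numbers do not shift.
            out.append(" " + "\n" * text.count("\n", i, end))
            i = end + 2
        elif text.startswith("//", i) or ch == "#":
            # Runs to the end of the physical line; the newline stays.
            end = text.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed sample mixing all three styles with a quoted '#'.
SAMPLE = '''options {
    directory "/var/named";   // working directory
    # shell-style comment on its own line
    version "not # a comment"; /* C-style,
       spanning two lines */ recursion no;
};
'''

# The invalid nesting attempt from the text: the last line is left
# behind as stray tokens once the first "*/" closes the comment.
NESTED = """/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
"""

if __name__ == "__main__":
    print(strip_comments(SAMPLE))
    print(repr(strip_comments(NESTED).split()))
```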
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
 A <acronym class="acronym">BIND</acronym> 9 configuration consists of
 statements and comments.
 Statements end with a semicolon. Statements and comments are the
 only elements that can appear without enclosing braces. Many
 statements contain a block of sub-statements, which are also
 terminated with a semicolon.
 The following statements are supported:
 <p><span><strong class="command">acl</strong></span></p>
 defines a named IP address
 matching list, for access control and other uses.
 <p><span><strong class="command">controls</strong></span></p>
 declares control channels to be used
 by the <span><strong class="command">rndc</strong></span> utility.
 <p><span><strong class="command">include</strong></span></p>
 includes a file.
 <p><span><strong class="command">key</strong></span></p>
 specifies key information for use in
 authentication and authorization using TSIG.
 <p><span><strong class="command">logging</strong></span></p>
 specifies what the server logs, and where
 the log messages are sent.
 <p><span><strong class="command">lwres</strong></span></p>
 configures <span><strong class="command">named</strong></span> to
 also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
 <p><span><strong class="command">masters</strong></span></p>
 defines a named masters list for
 inclusion in stub and slave zone masters clauses.
 <p><span><strong class="command">options</strong></span></p>
 controls global server configuration
 options and sets defaults for other statements.
 <p><span><strong class="command">server</strong></span></p>
 sets certain configuration options on
 a per-server basis.
 <p><span><strong class="command">statistics-channels</strong></span></p>
 declares communication channels to get access to
 <span><strong class="command">named</strong></span> statistics.
 <p><span><strong class="command">trusted-keys</strong></span></p>
 defines trusted DNSSEC keys.
 <p><span><strong class="command">managed-keys</strong></span></p>
 lists DNSSEC keys to be kept up to date
 using RFC 5011 trust anchor maintenance.
 <p><span><strong class="command">view</strong></span></p>
 defines a view.
 <p><span><strong class="command">zone</strong></span></p>
 defines a zone.
 The <span><strong class="command">logging</strong></span> and
 <span><strong class="command">options</strong></span> statements may only occur once
 per configuration.
<a name="id2574577"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
 address_match_list
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
 The <span><strong class="command">acl</strong></span> statement assigns a symbolic
 name to an address match list. It gets its name from a primary
 use of address match lists: Access Control Lists (ACLs).
 Note that an address match list's name must be defined
 with <span><strong class="command">acl</strong></span> before it can be used
 elsewhere; no forward references are allowed.
 The following ACLs are built-in:
 <p><span><strong class="command">any</strong></span></p>
 Matches all hosts.
 <p><span><strong class="command">none</strong></span></p>
 Matches no hosts.
 <p><span><strong class="command">localhost</strong></span></p>
 Matches the IPv4 and IPv6 addresses of all network
 interfaces on the system.
 <p><span><strong class="command">localnets</strong></span></p>
 Matches any host on an IPv4 or IPv6 network
 for which the system has an interface.
 Some systems do not provide a way to determine the prefix
 lengths of local IPv6 addresses.
 In such a case, <span><strong class="command">localnets</strong></span>
 only matches the local
 IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
<a name="id2574835"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
 [ inet ( ip_addr | * ) [ port ip_port ]
 allow { <em class="replaceable"><code> address_match_list </code></em> }
 keys { <em class="replaceable"><code>key_list</code></em> }; ]
 [ inet ...; ]
 [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
 keys { <em class="replaceable"><code>key_list</code></em> }; ]
 [ unix ...; ]
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
 The <span><strong class="command">controls</strong></span> statement declares control
 channels to be used by system administrators to control the
 operation of the name server. These control channels are
 used by the <span><strong class="command">rndc</strong></span> utility to send
 commands to and retrieve non-DNS results from a name server.
 An <span><strong class="command">inet</strong></span> control channel is a TCP socket
 listening at the specified <span><strong class="command">ip_port</strong></span> on the
 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
 interpreted as the IPv4 wildcard address; connections will be
 accepted on any of the system's IPv4 addresses.
 To listen on the IPv6 wildcard address,
 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
 If you will only use <span><strong class="command">rndc</strong></span> on the local host,
 using the loopback address (<code class="literal">127.0.0.1</code>
 or <code class="literal">::1</code>) is recommended for maximum security.
 If no port is specified, port 953 is used. The asterisk
 "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
 The ability to issue commands over the control channel is
 restricted by the <span><strong class="command">allow</strong></span> and
 <span><strong class="command">keys</strong></span> clauses.
 Connections to the control channel are permitted based on the
 <span><strong class="command">address_match_list</strong></span>. This is for simple
 IP address based filtering only; any <span><strong class="command">key_id</strong></span>
 elements of the <span><strong class="command">address_match_list</strong></span>
 are ignored.
 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
 socket listening at the specified path in the file system.
 Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
 Note that on some platforms (SunOS and Solaris) the permissions
 (<span><strong class="command">perm</strong></span>) are applied to the parent directory
 as the permissions on the socket itself are ignored.
 The primary authorization mechanism of the command
 channel is the <span><strong class="command">key_list</strong></span>, which
 contains a list of <span><strong class="command">key_id</strong></span>s.
 Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
 is authorized to execute commands over the control channel.
 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
 for information about configuring keys in <span><strong class="command">rndc</strong></span>.
 If no <span><strong class="command">controls</strong></span> statement is present,
 <span><strong class="command">named</strong></span> will set up a default
 control channel listening on the loopback address 127.0.0.1
 and its IPv6 counterpart ::1.
 In this case, and also when the <span><strong class="command">controls</strong></span> statement
 is present but does not have a <span><strong class="command">keys</strong></span> clause,
 <span><strong class="command">named</strong></span> will attempt to load the command channel key
 from the file <code class="filename">rndc.key</code> in
 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
 was specified as when <acronym class="acronym">BIND</acronym> was built).
 To create a <code class="filename">rndc.key</code> file, run
 <strong class="userinput"><code>rndc-confgen -a</code></strong>.
 The <code class="filename">rndc.key</code> feature was created to
 ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
 which did not have digital signatures on its command channel
 messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
 It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
 and still have <span><strong class="command">rndc</strong></span> work the same way
 <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
 command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
 Since the <code class="filename">rndc.key</code> feature
 is only intended to allow the backward-compatible usage of
 <acronym class="acronym">BIND</acronym> 8 configuration files, this
 feature does not
 have a high degree of configurability. You cannot easily change
 the key name or the size of the secret, so you should make a
 <code class="filename">rndc.conf</code> with your own key if you
 wish to change
 those things. The <code class="filename">rndc.key</code> file
 also has its
 permissions set such that only the owner of the file (the user that
 <span><strong class="command">named</strong></span> is running as) can access it.
 If you desire greater flexibility in allowing other users to access
 <span><strong class="command">rndc</strong></span> commands, then you need to create a
 <code class="filename">rndc.conf</code> file and make it group
 readable by a group
 that contains the users who should have access.
 To disable the command channel, use an empty
 <span><strong class="command">controls</strong></span> statement:
 <span><strong class="command">controls { };</strong></span>.
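<p>A configuration check built from the rules in this section, as an added example (not part of BIND or of <span><strong class="command">rndc</strong></span>): it reads the <span><strong class="command">inet</strong></span> channels of a <span><strong class="command">controls</strong></span> statement and reports wildcard or non-loopback listeners, <code class="literal">allow { any; }</code>, and a missing <span><strong class="command">keys</strong></span> clause. The finding codes and function names are hypothetical, both configurations are constructed samples, and the input is assumed to be free of comments and of nested braces inside <span><strong class="command">allow</strong></span>; <span><strong class="command">unix</strong></span> channels are not examined.</p>

```python
import ipaddress
import re

# One inet channel: address, optional port, allow list, optional keys.
INET = re.compile(
    r"inet\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^}]*)\})?\s*;"
)

# Constructed sample: reachable on every IPv4 address, no filtering,
# and no keys clause (so named falls back to rndc.key).
WEAK = """
controls {
    inet * port 953 allow { any; };
};
"""

# Constructed sample: loopback only, explicit key. The secret is a
# placeholder (base64 of "sample-only"), not a usable key.
HARDENED = """
key "rndc-key" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""


def controls_body(conf):
    """Return the text between the braces of the controls statement."""
    start = re.search(r"\bcontrols\s*\{", conf)
    if start is None:
        return None
    depth, i = 1, start.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces in controls statement")
    return conf[start.end():i - 1]


def audit_controls(conf):
    """Return a list of (listener, finding_code) tuples."""
    body = controls_body(conf)
    if body is None:
        # named sets up 127.0.0.1 and ::1 and loads rndc.key.
        return [("controls", "default-channel")]
    if not body.strip():
        return [("controls", "channel-disabled")]
    findings = []
    for m in INET.finditer(body):
        addr = m["addr"]
        where = f"inet {addr} port {m['port'] or '953'}"
        if addr in ("*", "::"):
            findings.append((where, "wildcard-listener"))
        elif not ipaddress.ip_address(addr).is_loopback:
            findings.append((where, "non-loopback-listener"))
        allow = [e.strip() for e in m["allow"].split(";") if e.strip()]
        if "any" in allow:
            findings.append((where, "allow-any"))
        if m["keys"] is None:
            findings.append((where, "no-keys-clause"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_controls(conf))
```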
<a name="id2575194"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
<a name="id2575211"></a><span><strong class="command">include</strong></span> Statement Definition and
 The <span><strong class="command">include</strong></span> statement inserts the
 specified file at the point where the <span><strong class="command">include</strong></span>
 statement is encountered. The <span><strong class="command">include</strong></span>
 statement facilitates the administration of configuration
 by permitting the reading or writing of some things but not
 others. For example, the statement could include private keys
 that are readable only by the name server.
<a name="id2575235"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
 algorithm <em class="replaceable"><code>string</code></em>;
 secret <em class="replaceable"><code>string</code></em>;
<a name="id2575258"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 The <span><strong class="command">key</strong></span> statement defines a shared
 secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
 or the command channel
 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
 Usage”</a>).
 The <span><strong class="command">key</strong></span> statement can occur at the
 top level of the configuration file or inside a <span><strong class="command">view</strong></span>
 statement. Keys defined in top-level <span><strong class="command">key</strong></span>
 statements can be used in all views. Keys intended for use in
 a <span><strong class="command">controls</strong></span> statement
 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
 Usage”</a>)
 must be defined at the top level.
 The <em class="replaceable"><code>key_id</code></em>, also known as the
 key name, is a domain name uniquely identifying the key. It can
 be used in a <span><strong class="command">server</strong></span>
 statement to cause requests sent to that
 server to be signed with this key, or in address match lists to
 verify that incoming requests have been signed with a key
 matching this name, algorithm, and secret.
 The <em class="replaceable"><code>algorithm_id</code></em> is a string
 that specifies a security/authentication algorithm. Named supports
 <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
 <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
 and <code class="literal">hmac-sha512</code> TSIG authentication.
 Truncated hashes are supported by appending the minimum
 number of required bits preceded by a dash, e.g.
 <em class="replaceable"><code>secret_string</code></em> is the secret
 to be used by the algorithm, and is treated as a base-64
 encoded string.
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync<a name="id2575349"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync<pre class="programlisting"><span><strong class="command">logging</strong></span> {
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync | <span><strong class="command">stderr</strong></span>
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync | <span><strong class="command">null</strong></span> );
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
7ce0e5475f7c2c9e35ab188330bb58e3490972d6vboxsync<a name="id2575475"></a><span><strong class="command">logging</strong></span> Statement Definition and
The <span><strong class="command">logging</strong></span> statement configures a
variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
associates output methods, format options and severity levels with
a name that can then be used with the <span><strong class="command">category</strong></span> phrase
to select how various classes of messages are logged.
Only one <span><strong class="command">logging</strong></span> statement is used to define
as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
the logging configuration will be:
<pre class="programlisting">logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
};
</pre>
In <acronym class="acronym">BIND</acronym> 9, the logging configuration
is only established when the entire configuration file has been parsed.
In <acronym class="acronym">BIND</acronym> 8, it was
established as soon as the <span><strong class="command">logging</strong></span> statement
was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the "<code class="option">-g</code>" option
was specified.
<a name="id2575527"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the category name
and/or severity level (the default is not to include any).
The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.
The <span><strong class="command">file</strong></span> destination clause directs
the channel to a disk file. It can include limitations
both on how large the file is allowed to become, and how many versions
of the file will be saved each time the file is opened.
If you use the <span><strong class="command">versions</strong></span> log file option, then
<span><strong class="command">named</strong></span> will retain that many backup
versions of the file by renaming them when opening. For example, if you choose to keep
three old versions of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to not limit
the number of versions.
If a <span><strong class="command">size</strong></span> option is associated with the log file,
then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any existing
log file is simply appended.
The <span><strong class="command">size</strong></span> option for files is used
to limit log growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are rolled as
described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log until some out-of-band mechanism removes or truncates the log to
less than the maximum size. The default behavior is not to limit the size of

Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
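The size and versions rules above create a quiet failure mode: a file channel with <span><strong class="command">size</strong></span> but no <span><strong class="command">versions</strong></span> stops recording once the limit is passed. The following check is an added example, not part of the BIND documentation or code; the function name, the finding labels, the watch list and the sample configuration (other than the page's own an_example_channel) are assumptions made for illustration.

```python
import re

# Constructed sample named.conf fragment. The first channel is the page's own
# example; the other channel and file names are made up for this example.
SAMPLE_CONF = r'''
logging {
    channel an_example_channel {
        file "example.log" versions 3 size 20m;   // rolled at 20m, 3 backups
        print-time yes;
        print-category yes;
    };
    channel capped_no_backups {
        file "security.log" size 5m;   # no versions: writes stop above 5m
        severity info;
    };
    channel my_security_channel {
        file "my_security_file";       /* no size: file grows without limit */
        severity info;
    };
    category security { capped_no_backups; };
    category update-security { null; };
    category xfer-out { null; };
};
'''

# Categories whose loss hurts security monitoring. This watch list is an
# assumption of the example, picked from the categories the page describes.
WATCHED = {"security", "update-security"}

_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_CHANNEL = re.compile(r'(?<![\w-])channel\s+([\w-]+)\s*\{(.*?)\}\s*;', re.S)
_CATEGORY = re.compile(r'(?<![\w-])category\s+([\w-]+)\s*\{(.*?)\}\s*;', re.S)
_FILE = re.compile(
    r'(?<![\w-])file\s+"([^"]+)"((?:\s+(?:versions|size)\s+\w+)*)\s*;')


def lint_logging(conf):
    """Return (kind, name, detail) findings for a named.conf logging statement."""
    text = _COMMENT.sub("", conf)
    findings, stalls = [], set()

    for name, body in _CHANNEL.findall(text):
        m = _FILE.search(body)
        if m is None:
            continue                      # syslog, stderr or null destination
        path = m.group(1)
        opts = dict(re.findall(r'(versions|size)\s+(\w+)', m.group(2)))
        if "size" in opts and "versions" not in opts:
            # named stops writing once the file exceeds size, until something
            # outside named removes or truncates the file.
            stalls.add(name)
            findings.append(("stops-at-size", name, path))
        elif "size" not in opts:
            # Default behaviour: no size limit on the log file.
            findings.append(("unbounded", name, path))

    for cat, body in _CATEGORY.findall(text):
        targets = [t.strip() for t in body.split(";") if t.strip()]
        if cat not in WATCHED or not targets:
            continue
        if all(t == "null" for t in targets):
            findings.append(("discarded", cat, "null"))
        elif all(t == "null" or t in stalls for t in targets):
            # Every destination of this category can stop recording.
            findings.append(("can-go-silent", cat, ", ".join(targets)))
    return findings


if __name__ == "__main__":
    for finding in lint_logging(SAMPLE_CONF):
        print(*finding, sep="\t")
```

The regular expressions cover only the channel and category syntax shown on this page; a configuration that uses include files or unusual quoting needs a real parser.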
The <span><strong class="command">syslog</strong></span> destination clause
directs the channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>; however, not all facilities
are supported on all operating systems.
How <span><strong class="command">syslog</strong></span> will handle messages sent to
this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.
The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
will be accepted.
If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.
The <span><strong class="command">stderr</strong></span> destination clause
directs the channel to the server's standard error stream. This is intended for
use when the server is running as a foreground process, for example
when debugging a configuration.
The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is greater
than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>.
All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
will get debugging output of level 3 or less any time the
server is in debugging mode, regardless of the global debugging
level. Channels with <span><strong class="command">dynamic</strong></span>
severity use the
server's global debug level to determine what messages to print.
If <span><strong class="command">print-time</strong></span> has been turned on,
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually pointless since <span><strong class="command">syslog</strong></span> also logs
the date and time. If <span><strong class="command">print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
be used in any combination, and will always be printed in the following
order: time, category, severity. Here is an example where all
three <span><strong class="command">print-</strong></span> options are on:
<code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
There are four predefined channels that are used for
<span><strong class="command">named</strong></span>'s default logging as follows.
How they are
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-f' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};
</pre>
The <span><strong class="command">default_debug</strong></span> channel has the special
property that it only produces output when the server's debug level is
nonzero. It normally writes to a file called <code class="filename">named.run</code>
in the server's working directory.
For security reasons, when the "<code class="option">-u</code>"
command line option is used, the <code class="filename">named.run</code> file
is created only after <span><strong class="command">named</strong></span> has
changed to the
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the "<code class="option">-g</code>"
option and redirect standard error to a file.
Once a channel is defined, it cannot be redefined. Thus you
cannot alter the built-in channels directly, but you can modify
the default logging by pointing categories at channels you have
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
There are many categories, so you can send the logs you want
to see wherever you want, without seeing logs you don't want. If
you don't specify a list of channels for a category, then log messages
in that category will be sent to the <span><strong class="command">default</strong></span> category
instead. If you don't specify a default category, the following
"default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
As an example, let's say you want to log security events to
a file, but you also want to keep the default logging behavior. You'd
specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
Following are the available categories and brief descriptions
of the types of log information they contain. More
categories may be added in future <acronym class="acronym">BIND</acronym> releases.
<p><span><strong class="command">default</strong></span></p>
The default category defines the logging
options for those categories where no specific
configuration has been
<p><span><strong class="command">general</strong></span></p>
The catch-all. Many things still aren't
classified into categories, and they all end up here.
<p><span><strong class="command">database</strong></span></p>
Messages relating to the databases used
internally by the name server to store zone and cache
<p><span><strong class="command">security</strong></span></p>
Approval and denial of requests.
<p><span><strong class="command">config</strong></span></p>
Configuration file parsing and processing.
<p><span><strong class="command">resolver</strong></span></p>
DNS resolution, such as the recursive
lookups performed on behalf of clients by a caching name
<p><span><strong class="command">xfer-in</strong></span></p>
Zone transfers the server is receiving.
<p><span><strong class="command">xfer-out</strong></span></p>
Zone transfers the server is sending.
<p><span><strong class="command">notify</strong></span></p>
The NOTIFY protocol.
<p><span><strong class="command">client</strong></span></p>
Processing of client requests.
<p><span><strong class="command">unmatched</strong></span></p>
Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr; by
default it is sent to
the <span><strong class="command">null</strong></span> channel.
<p><span><strong class="command">network</strong></span></p>
Network operations.
<p><span><strong class="command">update</strong></span></p>
Dynamic updates.
<p><span><strong class="command">update-security</strong></span></p>
Approval and denial of update requests.
<p><span><strong class="command">queries</strong></span></p>
Specify where queries should be logged to.
At startup, specifying the category <span><strong class="command">queries</strong></span> will also
enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
The query log entry reports the client's IP
address and port number, and the query name,
class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
EDNS was in use (E), if DO (DNSSEC Ok) was
set (D), or if CD (Checking Disabled) was set
(C). After this the destination address the
query was sent to is reported.
<code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
<code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
<p><span><strong class="command">query-errors</strong></span></p>
Information about queries that resulted in some
<p><span><strong class="command">dispatch</strong></span></p>
Dispatching of incoming packets to the
server modules where they are to be processed.
<p><span><strong class="command">dnssec</strong></span></p>
DNSSEC and TSIG protocol processing.
<p><span><strong class="command">lame-servers</strong></span></p>
Lame servers. These are misconfigurations
in remote servers, discovered by BIND 9 when trying to
query those servers during resolution.
<p><span><strong class="command">delegation-only</strong></span></p>
Delegation only. Logs queries that have been
forced to NXDOMAIN as the result of a
delegation-only zone or a
<span><strong class="command">delegation-only</strong></span> in a hint
or stub zone declaration.
<p><span><strong class="command">edns-disabled</strong></span></p>
Log queries that have been forced to use plain
DNS due to timeouts. This is often due to
the remote servers not being RFC 1034 compliant
(not always returning FORMERR or similar to
EDNS queries and other extensions to the DNS
when they are not understood). In other words, this is
targeted at servers that fail to respond to
DNS queries that they don't understand.
Note: the log message can also be due to
packet loss. Before reporting servers for
non-RFC 1034 compliance they should be re-tested
to determine the nature of the non-compliance.
This testing should prevent or reduce the
number of false-positive reports.
Note: eventually <span><strong class="command">named</strong></span> will have to stop
treating such timeouts as due to RFC 1034 non-compliance
and start treating them as plain
packet loss. Falsely classifying packet
loss as due to RFC 1034 non-compliance impacts
on DNSSEC validation, which requires EDNS for
the DNSSEC records to be returned.
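The query log format described under the queries category can be decoded mechanically, which is what a log pipeline or detection rule needs before it can count recursion-desired or DNSSEC-aware queries per client. The parser below is an added example, not code from BIND; the function and field names are assumptions, and so is the parenthesised form of the trailing destination address, since the page's two sample lines omit that field. Lines 3 and 4 of the sample input are constructed.

```python
import ipaddress
import re
from collections import Counter

# Flag letters exactly as listed on this page; the field names are assumptions.
FLAG_NAMES = {"S": "signed", "E": "edns", "D": "dnssec_ok",
              "C": "checking_disabled"}

# search() is used so that a leading print-time / print-category /
# print-severity prefix is skipped. The destination address is optional.
_QUERY = re.compile(
    r'client (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+): query: '
    r'(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) '
    r'(?P<rd>[+-])(?P<flags>[SEDC]*)'
    r'(?:\s+\(?(?P<dest>[0-9A-Fa-f:.]+)\)?)?\s*$')

SAMPLE_LINES = [
    # The two sample entries shown on this page.
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "client ::1#62537: query: www.example.net IN AAAA -SE",
    # Constructed: all three print- options on, destination address present.
    "28-Feb-2000 15:05:32.863 queries: info: client 192.0.2.7#40000: "
    "query: Example.ORG IN A +EDC (192.0.2.53)",
    # Constructed: malformed entry that must be reported, not dropped.
    "client 192.0.2.7#40000: query: bad line",
]


def parse_query_line(line):
    """Return a dict for one query log entry, or None if it does not parse."""
    m = _QUERY.search(line)
    if m is None:
        return None
    try:
        client = ipaddress.ip_address(m["addr"])
    except ValueError:
        return None                       # looked like an address, was not
    port = int(m["port"])
    if port > 65535:
        return None
    rec = {
        "client": str(client),
        "port": port,
        "qname": m["qname"].lower(),      # DNS names compare case-insensitively
        "qclass": m["qclass"],
        "qtype": m["qtype"],
        "recursion_desired": m["rd"] == "+",
        "destination": m["dest"],         # None when the field is absent
    }
    for letter, name in FLAG_NAMES.items():
        rec[name] = letter in m["flags"]
    return rec


def summarise(lines):
    """Count queries per (client, recursion_desired); collect rejected lines."""
    per_client, rejected = Counter(), []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            rejected.append(line)         # keep for review: format drift or noise
        else:
            per_client[(rec["client"], rec["recursion_desired"])] += 1
    return per_client, rejected


if __name__ == "__main__":
    counts, bad = summarise(SAMPLE_LINES)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("rejected:", bad)
```

An entry carrying a flag letter other than the four listed here is returned in the rejected list, so a change in the log format shows up as rejected lines rather than as silently misread fields.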
<a name="id2577022"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: to identify
why and how specific queries result in responses which
indicate an error.
Messages of this category are therefore only logged
with <span><strong class="command">debug</strong></span> levels.
At the debug levels of 1 or higher, each response with the
rcode of SERVFAIL is logged as follows:
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
This means an error resulting in SERVFAIL was
detected at line 3880 of source file query.c.
Log messages of this level will particularly
help identify the cause of SERVFAIL for an
authoritative server.
At the debug levels of 2 or higher, detailed context
information of recursive resolutions that resulted in
SERVFAIL is logged.
The log message will look as follows:
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
The first part before the colon shows that a recursive
resolution for AAAA records of www.example.com completed
in 30.000183 seconds, and the final result that led to the
SERVFAIL was determined at line 2970 of source file
The following part shows the detected final result and the
latest result of DNSSEC validation.
The latter is always success when no validation attempt
In this example, this query resulted in SERVFAIL probably
because all name servers are down or unreachable, leading
to a timeout in 30 seconds.
DNSSEC validation was probably not attempted.
The last part, enclosed in square brackets, shows statistics
information collected for this particular resolution
The <code class="varname">domain</code> field shows the deepest zone
that the resolver reached;
it is the zone where the error was finally detected.
The meaning of the other fields is summarized in the
following table.
<table border="1">
<tr><td><code class="varname">referral</code></td>
<td>The number of referrals the resolver received
throughout the resolution process.
In the above example this is 2, which are most
likely com and example.com.</td></tr>
<tr><td><code class="varname">restart</code></td>
<td>The number of cycles that the resolver tried
remote servers at the <code class="varname">domain</code>
In each cycle the resolver sends one query
(possibly resending it, depending on the response)
to each known name server of</td></tr>
<tr><td><code class="varname">qrysent</code></td>
<td>The number of queries the resolver sent at the</td></tr>
<tr><td><code class="varname">timeout</code></td>
<td>The number of timeouts since the resolver
received the last response.</td></tr>
<tr><td><code class="varname">lame</code></td>
<td>The number of lame servers the resolver detected
A server is detected to be lame either by an
invalid response or as a result of lookup in
BIND9's address database (ADB), where lame
servers are cached.</td></tr>
<tr><td><code class="varname">neterr</code></td>
<td>The number of erroneous results that the
resolver encountered in sending queries
One common case is the remote server is
unreachable and the resolver receives an ICMP
unreachable error message.</td></tr>
<tr><td><code class="varname">badresp</code></td>
<td>The number of unexpected responses (other than
<code class="varname">lame</code>) to queries sent by the
resolver at the <code class="varname">domain</code> zone.</td></tr>
<tr><td><code class="varname">adberr</code></td>
<td>Failures in finding remote server addresses
of the <code class="varname">domain</code> zone in the ADB.
One common case of this is that the remote
server's name does not have any address records.</td></tr>
<tr><td><code class="varname">findfail</code></td>
<td>Failures of resolving remote server addresses.
This is a total number of failures throughout
the resolution process.</td></tr>
<tr><td><code class="varname">valfail</code></td>
<td>Failures of DNSSEC validation.
Validation failures are counted throughout
the resolution process (not limited to
the <code class="varname">domain</code> zone), but should
only happen in <code class="varname">domain</code>.</td></tr>
</table>
At debug level 3 or higher, the same messages
as those at debug level 1 are logged for errors
other than SERVFAIL.
Note that negative responses such as NXDOMAIN are not
regarded as errors here.
At debug level 4 or higher, the same messages
as those at debug level 2 are logged for errors
other than SERVFAIL.
Unlike the above case of level 3, messages are logged for
negative responses.
This is because any unexpected results can be difficult to
debug in the recursion case.
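The two message formats described above can be parsed mechanically when triaging SERVFAIL reports. The following Python is an added example, not part of BIND or of this manual; the function names, the triage labels and their ordering, and the second fetch sample are assumptions constructed for illustration.

```python
import re

# Debug level 1 message: client, rcode, query tuple and source location.
QUERY_FAILED = re.compile(
    r"client (?P<addr>\S+)#(?P<port>\d+): query failed \((?P<rcode>\w+)\) "
    r"for (?P<qname>\S+)/(?P<qclass>\w+)/(?P<qtype>\w+) "
    r"at (?P<file>[\w.]+):(?P<line>\d+)"
)

# Debug level 2 message: source location, query, elapsed time,
# "final result/validation result", then bracketed per-fetch counters.
FETCH_COMPLETED = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) "
    r"for (?P<qname>\S+)/(?P<qtype>\w+)\s+in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<valresult>[^\[]+?)\s*\[(?P<stats>[^\]]*)\]"
)

# The two messages shown in this section, joined onto single lines.
SAMPLE_QUERY = ("client 127.0.0.1#61502: query failed (SERVFAIL) "
                "for www.example.com/IN/AAAA at query.c:3880")
SAMPLE_FETCH = ("fetch completed at resolver.c:2970 for www.example.com/A "
                "in 30.000183: timed out/success [domain:example.com,"
                "referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,"
                "badresp:1,adberr:0,findfail:0,valfail:0]")
# Constructed sample (not from the manual): a fetch that failed validation.
SAMPLE_VALFAIL = ("fetch completed at resolver.c:2970 for signed.example.net/A "
                  "in 0.512000: failure/validation failed [domain:example.net,"
                  "referral:2,restart:1,qrysent:3,timeout:0,lame:0,neterr:0,"
                  "badresp:0,adberr:0,findfail:0,valfail:1]")


def parse_stats(text):
    """Turn 'domain:example.com,referral:2,...' into a dict; counters become ints."""
    stats = {}
    for item in text.split(","):
        key, sep, value = item.strip().partition(":")
        if not sep:
            continue  # skip empty or malformed items
        stats[key] = int(value) if value.isdigit() else value
    return stats


def parse_line(line):
    """Return a dict for a query-errors message, or None for any other line."""
    m = FETCH_COMPLETED.search(line)
    if m:
        return {
            "kind": "fetch",
            "source": (m["file"], int(m["line"])),
            "qname": m["qname"],
            "qtype": m["qtype"],
            "seconds": float(m["secs"]),
            "result": m["result"].strip(),
            "validation": m["valresult"].strip(),
            "stats": parse_stats(m["stats"]),
        }
    m = QUERY_FAILED.search(line)
    if m:
        return {
            "kind": "query",
            "client": (m["addr"], int(m["port"])),
            "rcode": m["rcode"],
            "qname": m["qname"],
            "qclass": m["qclass"],
            "qtype": m["qtype"],
            "source": (m["file"], int(m["line"])),
        }
    return None


def triage(rec):
    """Pick one likely cause for a level 2 record (ordering is an assumption)."""
    if rec is None or rec["kind"] != "fetch":
        return "unclassified"
    s = rec["stats"]
    if s.get("valfail", 0) > 0 or rec["validation"] != "success":
        return "dnssec-validation"
    if rec["result"] == "timed out" or s.get("timeout", 0) > 0:
        return "timeout"
    if s.get("neterr", 0) > 0:
        return "network-error"
    if s.get("lame", 0) > 0:
        return "lame-server"
    if s.get("adberr", 0) > 0 or s.get("findfail", 0) > 0:
        return "server-address-lookup"
    if s.get("badresp", 0) > 0:
        return "bad-response"
    return "unclassified"


if __name__ == "__main__":
    for sample in (SAMPLE_QUERY, SAMPLE_FETCH, SAMPLE_VALFAIL):
        rec = parse_line(sample)
        print(rec["kind"], rec["qname"], triage(rec))
```

Separating `dnssec-validation` from `timeout` matters because, as noted earlier in this section, timeouts may be plain packet loss, while a non-zero `valfail` points at the signed zone itself.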
<a name="id2577474"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
[<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
};
</pre>
<a name="id2577547"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">lwres</strong></span> statement configures the
server to also act as a lightweight resolver server. (See
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<span><strong class="command">lwres</strong></span> statements configuring
lightweight resolver servers with different properties.
The <span><strong class="command">listen-on</strong></span> statement specifies the
addresses (and ports) that this instance of a lightweight resolver
should accept requests on. If no port is specified, port 921 is
If this statement is omitted, requests will be accepted on
The <span><strong class="command">view</strong></span> statement binds this
instance of a
lightweight resolver daemon to a view in the DNS namespace, so that
responses will be constructed in the same manner as a normal DNS query
matching this view. If this statement is omitted, the default view is
used, and if there is no default view, an error is triggered.
The <span><strong class="command">search</strong></span> statement is equivalent to the
<span><strong class="command">search</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It provides a
list of domains
which are appended to relative names in queries.
The <span><strong class="command">ndots</strong></span> statement is equivalent to the
<span><strong class="command">ndots</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It indicates the
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
<a name="id2577611"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2577723"></a><span><strong class="command">masters</strong></span> Statement Definition and
<p><span><strong class="command">masters</strong></span>
lists allow for a common set of masters to be easily used by
multiple stub and slave zones.
<a name="id2577738"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
This is the grammar of the <span><strong class="command">options</strong></span>
statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">options</strong></span> {
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
[<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
... }; </span>]
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnskey-ksk-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> disable-aaaa-on-v4-transport ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note some TLDs are not delegation only (e.g. "DE", "LV",
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
<span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
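The accept/reject decision in the "example.net" scenario above can be modelled directly. This is an added example, not code from BIND or from this manual: the `AnswerFilter` class, the 192.0.2.0/24 prefix and the sample records are constructed for illustration, and the same-zone exemption for aliases and DNAME substitution are not modelled.

```python
import ipaddress


def in_domain(name, domain):
    """True if `name` equals `domain` or is a subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(n) >= len(d) and n[-len(d):] == d


class AnswerFilter:
    """Hypothetical model of deny-answer-addresses / deny-answer-aliases.

    Each filter takes a deny list and an optional except-from namelist,
    mirroring the grammar in the options statement. An owner name that
    falls under an except-from entry bypasses that filter.
    """

    def __init__(self, deny_addresses=(), addresses_except_from=(),
                 deny_aliases=(), aliases_except_from=()):
        self.deny_nets = [ipaddress.ip_network(p) for p in deny_addresses]
        self.addr_except = list(addresses_except_from)
        self.deny_aliases = list(deny_aliases)
        self.alias_except = list(aliases_except_from)

    def check(self, answers):
        """Check (owner, rrtype, rdata) tuples from an answer section.

        Returns (accepted, reason). The first offending record rejects
        the whole response.
        """
        for owner, rrtype, rdata in answers:
            rrtype = rrtype.upper()
            if rrtype in ("A", "AAAA"):
                if any(in_domain(owner, d) for d in self.addr_except):
                    continue  # owner name is covered by except-from
                addr = ipaddress.ip_address(rdata)
                for net in self.deny_nets:
                    if addr.version == net.version and addr in net:
                        return False, f"{owner} {rrtype} {rdata} is inside {net}"
            elif rrtype == "CNAME":
                if any(in_domain(owner, d) for d in self.alias_except):
                    continue
                for denied in self.deny_aliases:
                    if in_domain(rdata, denied):
                        return False, f"{owner} CNAME {rdata} points into {denied}"
        return True, "accepted"


# Constructed policy for a site that owns example.net and (by assumption)
# numbers its internal hosts from 192.0.2.0/24. Equivalent named.conf lines:
#   deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
#   deny-answer-aliases { "example.net"; };
POLICY = AnswerFilter(
    deny_addresses=["192.0.2.0/24"],
    addresses_except_from=["example.net"],
    deny_aliases=["example.net"],
)

# Constructed answer sections, one per case.
SAMPLE_RESPONSES = {
    "external name, internal address": [
        ("attacker.example.com", "A", "192.0.2.1")],
    "internal name, internal address": [
        ("www.example.net", "A", "192.0.2.2")],
    "external name aliased to internal name": [
        ("attacker.example.com", "CNAME", "www.example.net"),
        ("www.example.net", "A", "192.0.2.2")],
    "external name, public address": [
        ("www.example.com", "A", "203.0.113.5")],
}


def evaluate_samples():
    """Return {case label: accepted?} for the constructed responses."""
    return {label: POLICY.check(rrs)[0] for label, rrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for label, rrs in SAMPLE_RESPONSES.items():
        accepted, reason = POLICY.check(rrs)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```
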
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2587897"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
<a name="id2588052"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2588171"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2588218"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2588269"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2588573"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnskey-ksk-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2590147"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnskey-ksk-only</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2595944"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2595960"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2596089"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2596158"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2596195"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2600673"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&#160;</td>