 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.231 2009/09/03 01:14:41 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&#160;6.&#160;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&#160;5.&#160;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&#160;7.&#160;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter&#160;6.&#160;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573876">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574598"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574788"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575216"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575233"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575256"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575280"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575370"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575496"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577495"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577569"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577633"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577676"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577691"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587559"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587645"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587765"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587812"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587931"><span><strong class="command">managed-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588149"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589693"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2592396">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594627">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595174">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595301">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595574"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
 to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
 of configuration, such as views. <acronym class="acronym">BIND</acronym>
 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
 found in <acronym class="acronym">BIND</acronym> 9.
 <acronym class="acronym">BIND</acronym> 4 configuration files can be
 converted to the new format
 using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
 Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
 file documentation:
 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.
 <code class="varname">address_match_list</code>
 A list of one or more
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements, see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and/or
 A <code class="varname">masters_list</code> may include other
 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".
 A list of one or more <code class="varname">domain_name</code>
 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.
 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their
 scope zones must be disambiguated by an appropriate
 zone ID with the percent character (`%') as
 delimiter. It is strongly recommended to use
 string zone names rather than numeric identifiers,
 in order to be robust against system configuration
 changes. However, since there is no standard
 mapping for such names and identifier values,
 currently only interface names as link identifiers
 are supported, assuming one-to-one mapping between
 interfaces and links. For example, a link-local
 address <span><strong class="command">fe80::1</strong></span> on the link
 attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses
 always have the ambiguity, and need to be
 disambiguated.
 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
 An IP port <code class="varname">number</code>.
 The <code class="varname">number</code> is limited to 0
 through 65535, with values
 below 1024 typically restricted to use by processes running
 In some cases, an asterisk (`*') character can be used as a
 placeholder to
 select a random high-numbered port.
 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 Trailing zeros in an <code class="varname">ip_addr</code>
 may be omitted.
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
 When specifying a prefix involving an IPv6 scoped address
 the scope may be omitted. In that case the prefix will
 match packets from any scope.
 A <code class="varname">domain_name</code> representing
 the name of a shared key, to be used for transaction
 A list of one or more
 separated by semicolons and ending with a semicolon.
 A non-negative 32-bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
 A list of an <code class="varname">ip_port</code> or a port
 A port range is specified in the form of
 <strong class="userinput"><code>range</code></strong> followed by
 <code class="varname">port_high</code>, which represents
 port numbers from <code class="varname">port_low</code> through
 <code class="varname">port_high</code>, inclusive.
 <code class="varname">port_low</code> must not be larger than
 For example,
 <strong class="userinput"><code>range 1024 65535</code></strong> represents
 ports from 1024 through 65535.
 In either case an asterisk (`*') character is not
 allowed as a valid <code class="varname">ip_port</code>.
 A number, the word <strong class="userinput"><code>unlimited</code></strong>,
 or the word <strong class="userinput"><code>default</code></strong>.
 An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
 use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
 the limit that was in force when the server was started.
 A <code class="varname">number</code> can optionally be
 followed by a scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
 which scale by 1024, 1024*1024, and 1024*1024*1024
 respectively.
 The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
 Using <code class="varname">unlimited</code> is the best
 to safely set a really large number.
 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.
 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573710"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
 [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
 key key_id | acl_name | { address_match_list } )
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573738"></a>Definition and Usage</h4></div></div></div>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements which constitute an address match
 list can be any of the following:
 a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement
<li>a nested address match list enclosed in braces</li>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets" are predefined. More information on those names
 can be found in the description of the acl statement.
 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless, the term "address match list" is still used
 throughout the documentation.
 When a given IP address or prefix is compared to an address
 match list, the comparison takes place in approximately O(1)
 time. However, key comparisons require that the list of keys
 be traversed until a matching key is found, and therefore may
 be somewhat slower.
 The interpretation of a match depends on whether the list is being
 used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
 <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews When used as an access control list, a non-negated match
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews allows access and a negated match denies access. If
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews there is no match, access is denied. The clauses
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-notify</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-recursion</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-recursion-on</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-query</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-query-on</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-query-cache</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-query-cache-on</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-transfer</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-update</strong></span>,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">allow-update-forwarding</strong></span>, and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">blackhole</strong></span> all use address match
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server to refuse queries on any of the machine's
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews addresses which do not match the list.
<p>
Order of insertion is significant. If more than one element
in an ACL is found to match a given IP address or prefix,
preference will be given to the one that came
<span class="emphasis"><em>first</em></span> in the ACL definition.
Because of this first-match behavior, an element that
defines a subset of another element in the list should
come before the broader element, regardless of whether
either is negated. For example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
the 1.2.3.13 element is completely useless because the
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation, but
all other 1.2.3.* hosts fall through.
</p>
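<p>
The first-match rule can be checked mechanically. The following Python code is an added example, not part of BIND or of the original manual: it evaluates a flat address match list with first-match semantics and reports elements that an earlier, broader element makes unreachable. The function names are this example's own, and only IP addresses and prefixes are handled (no key, named ACL or nested list elements).
</p>

```python
import ipaddress


def parse_network(text):
    """Parse an address or prefix, accepting short forms such as 1.2.3/24."""
    addr, _, plen = text.partition("/")
    if plen and ":" not in addr:
        # Pad an abbreviated IPv4 prefix (1.2.3/24 -> 1.2.3.0/24).
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    spec = f"{addr}/{plen}" if plen else addr
    return ipaddress.ip_network(spec, strict=False)


def parse_match_list(text):
    """Return [(negated, network), ...] in definition order."""
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        elements.append((negated, parse_network(item)))
    return elements


def evaluate(elements, address):
    """First match decides: True if allowed, False if denied or unmatched."""
    ip = ipaddress.ip_address(address)
    for negated, net in elements:
        if ip.version == net.version and ip in net:
            return not negated
    return False  # nothing matched; as an access control list this is a deny


def shadowed_elements(elements):
    """Return (index, earlier_index) pairs for elements that can never match first."""
    findings = []
    for i, (_, net) in enumerate(elements):
        for j in range(i):
            earlier = elements[j][1]
            if net.version == earlier.version and net.subnet_of(earlier):
                findings.append((i, j))
                break
    return findings


if __name__ == "__main__":
    # The two orderings discussed in the text.
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        elements = parse_match_list(acl)
        print(acl)
        print("  1.2.3.13 allowed:", evaluate(elements, "1.2.3.13"))
        print("  1.2.3.14 allowed:", evaluate(elements, "1.2.3.14"))
        for i, j in shadowed_elements(elements):
            print(f"  element {i} is shadowed by element {j}")
```

<p>
The check compares each element only with single earlier elements, so an element covered by the union of several earlier prefixes is not reported.
</p>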
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573876"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573891"></a>Syntax</h4></div></div></div>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
# and perl</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573921"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
</p>
<p>
C-style comments start with the two characters /* (slash,
star) and end with */ (star, slash). Because they are completely
delimited with these characters, they can be used to comment only
a portion of a line or to span multiple lines.
</p>
<p>
C-style comments cannot be nested. For example, the following
is not valid because the entire comment ends with the first */:
</p>
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
<p>
C++-style comments start with the two characters // (slash,
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
For example:
</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>
Shell-style (or perl-style, if you prefer) comments start
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
For example:
</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<p>
You cannot use the semicolon (`;') character
to start a comment such as you would in a zone file. The
semicolon indicates the end of a configuration
</p>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
<p>
A <acronym class="acronym">BIND</acronym> 9 configuration consists of
statements and comments.
Statements end with a semicolon. Statements and comments are the
only elements that can appear without enclosing braces. Many
statements contain a block of sub-statements, which are also
terminated with a semicolon.
</p>
<p>
The following statements are supported:
</p>
<div class="informaltable"><table border="1">
<tbody>
<tr>
<td><p><span><strong class="command">acl</strong></span></p></td>
<td><p>defines a named IP address
matching list, for access control and other uses.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">controls</strong></span></p></td>
<td><p>declares control channels to be used
by the <span><strong class="command">rndc</strong></span> utility.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">include</strong></span></p></td>
<td><p>includes a file.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">key</strong></span></p></td>
<td><p>specifies key information for use in
authentication and authorization using TSIG.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">logging</strong></span></p></td>
<td><p>specifies what the server logs, and where
the log messages are sent.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">lwres</strong></span></p></td>
<td><p>configures <span><strong class="command">named</strong></span> to
also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
</tr>
<tr>
<td><p><span><strong class="command">masters</strong></span></p></td>
<td><p>defines a named masters list for
inclusion in stub and slave zone masters clauses.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">options</strong></span></p></td>
<td><p>controls global server configuration
options and sets defaults for other statements.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">server</strong></span></p></td>
<td><p>sets certain configuration options on
a per-server basis.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">statistics-channels</strong></span></p></td>
<td><p>declares communication channels to get access to
<span><strong class="command">named</strong></span> statistics.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
<td><p>defines trusted DNSSEC keys.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">managed-keys</strong></span></p></td>
<td><p>lists DNSSEC keys to be kept up to date
using RFC 5011 trust anchor maintenance.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">view</strong></span></p></td>
<td><p>defines a view.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">zone</strong></span></p></td>
<td><p>defines a zone.</p></td>
</tr>
</tbody>
</table></div>
<p>
The <span><strong class="command">logging</strong></span> and
<span><strong class="command">options</strong></span> statements may only occur once
per configuration.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574598"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
    address_match_list
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">acl</strong></span> statement assigns a symbolic
name to an address match list. It gets its name from a primary
use of address match lists: Access Control Lists (ACLs).
</p>
<p>
Note that an address match list's name must be defined
with <span><strong class="command">acl</strong></span> before it can be used
elsewhere; no forward references are allowed.
</p>
<p>
The following ACLs are built-in:
</p>
<div class="informaltable"><table border="1">
<tbody>
<tr>
<td><p><span><strong class="command">any</strong></span></p></td>
<td><p>Matches all hosts.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">none</strong></span></p></td>
<td><p>Matches no hosts.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">localhost</strong></span></p></td>
<td><p>Matches the IPv4 and IPv6 addresses of all network
interfaces on the system.</p></td>
</tr>
<tr>
<td><p><span><strong class="command">localnets</strong></span></p></td>
<td><p>Matches any host on an IPv4 or IPv6 network
for which the system has an interface.
Some systems do not provide a way to determine the prefix
lengths of local IPv6 addresses.
In such a case, <span><strong class="command">localnets</strong></span>
only matches the local
IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.</p></td>
</tr>
</tbody>
</table></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574788"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
   [ inet ( ip_addr | * ) [ port ip_port ]
                allow { <em class="replaceable"><code> address_match_list </code></em> }
                keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ inet ...; ]
   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
     keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ unix ...; ]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">controls</strong></span> statement declares control
channels to be used by system administrators to control the
operation of the name server. These control channels are
used by the <span><strong class="command">rndc</strong></span> utility to send
commands to and retrieve non-DNS results from a name server.
</p>
<p>
An <span><strong class="command">inet</strong></span> control channel is a TCP socket
listening at the specified <span><strong class="command">ip_port</strong></span> on the
specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
If you will only use <span><strong class="command">rndc</strong></span> on the local host,
using the loopback address (<code class="literal">127.0.0.1</code>
or <code class="literal">::1</code>) is recommended for maximum security.
</p>
<p>
If no port is specified, port 953 is used. The asterisk
"<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
</p>
<p>
The ability to issue commands over the control channel is
restricted by the <span><strong class="command">allow</strong></span> and
<span><strong class="command">keys</strong></span> clauses.
Connections to the control channel are permitted based on the
<span><strong class="command">address_match_list</strong></span>. This is for simple
IP address based filtering only; any <span><strong class="command">key_id</strong></span>
elements of the <span><strong class="command">address_match_list</strong></span>
are ignored.
</p>
<p>
A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
socket listening at the specified path in the file system.
Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
<span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
Note that on some platforms (SunOS and Solaris) the permissions
(<span><strong class="command">perm</strong></span>) are applied to the parent directory,
as the permissions on the socket itself are ignored.
</p>
<p>
The primary authorization mechanism of the command
channel is the <span><strong class="command">key_list</strong></span>, which
contains a list of <span><strong class="command">key_id</strong></span>s.
Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
is authorized to execute commands over the control channel.
See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
for information about configuring keys in <span><strong class="command">rndc</strong></span>.
</p>
<p>
If no <span><strong class="command">controls</strong></span> statement is present,
<span><strong class="command">named</strong></span> will set up a default
control channel listening on the loopback address 127.0.0.1
and its IPv6 counterpart ::1.
In this case, and also when the <span><strong class="command">controls</strong></span> statement
is present but does not have a <span><strong class="command">keys</strong></span> clause,
<span><strong class="command">named</strong></span> will attempt to load the command channel key
from the file <code class="filename">rndc.key</code> in
<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was built).
To create a <code class="filename">rndc.key</code> file, run
<strong class="userinput"><code>rndc-confgen -a</code></strong>.
</p>
<p>
The <code class="filename">rndc.key</code> feature was created to
ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
which did not have digital signatures on its command channel
messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
and still have <span><strong class="command">rndc</strong></span> work the same way
<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
</p>
<p>
Since the <code class="filename">rndc.key</code> feature
is only intended to allow the backward-compatible usage of
<acronym class="acronym">BIND</acronym> 8 configuration files, this
feature does not
have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a
<code class="filename">rndc.conf</code> with your own key if you
wish to change
those things. The <code class="filename">rndc.key</code> file
also has its
permissions set such that only the owner of the file (the user that
<span><strong class="command">named</strong></span> is running as) can access it.
If you desire greater flexibility in allowing other users to access
<span><strong class="command">rndc</strong></span> commands, then you need to create a
<code class="filename">rndc.conf</code> file and make it group
readable by a group
that contains the users who should have access.
</p>
<p>
To disable the command channel, use an empty
<span><strong class="command">controls</strong></span> statement:
<span><strong class="command">controls { };</strong></span>.
</p>
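<p>
The rules above for listen addresses, the allow and keys clauses, and the default channel, together with the comment syntax described earlier, can be turned into a configuration check. The following Python code is an added example, not part of BIND: the finding codes and function names are this example's own, the sample configuration is constructed, and only inet channels with flat allow lists are examined.
</p>

```python
import re

# Quoted strings are matched first so that "#" or "//" inside them survive.
_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_INET = re.compile(
    r"\binet\s+(?P<addr>\S+)(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^{}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^{}]*)\})?\s*;"
)


def strip_comments(conf):
    """Drop /* */, // and # comments. C-style comments end at the first */."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)


def controls_body(conf):
    """Return the text inside controls { ... }, or None if the statement is absent."""
    start = re.search(r"\bcontrols\s*\{", conf)
    if start is None:
        return None
    depth = 1
    for pos in range(start.end(), len(conf)):
        if conf[pos] == "{":
            depth += 1
        elif conf[pos] == "}":
            depth -= 1
            if depth == 0:
                return conf[start.end():pos]
    raise ValueError("unterminated controls statement")


def audit_controls(conf):
    """Return sorted finding codes for the command channel in a named.conf text."""
    body = controls_body(strip_comments(conf))
    if body is None:
        # named sets up the default loopback channel and reads rndc.key.
        return ["default-channel"]
    if not body.strip():
        return ["disabled"]  # controls { }; turns the command channel off
    findings = set()
    for m in _INET.finditer(body):
        if m["addr"] in ("*", "::"):
            findings.add("wildcard-listen")  # accepts on every local address
        if m["keys"] is None:
            findings.add("no-keys-clause")  # key is loaded from rndc.key instead
        for element in m["allow"].split(";"):
            words = element.replace("!", " ").split()
            if not words:
                continue
            if words[0] == "key":
                findings.add("key-in-allow-ignored")  # allow filters by IP only
            elif words == ["any"] and "!" not in element:
                findings.add("allow-any")  # no address restriction at all
    return sorted(findings)


# Constructed named.conf fragment for the demonstration.
SAMPLE = """
/* command channel; this comment ends at the first star-slash */
controls {
    inet * port 953                  // wildcard IPv4 listener
        allow { any; key "ops"; };   # no keys clause on this channel
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
"""

if __name__ == "__main__":
    for code in audit_controls(SAMPLE):
        print(code)
```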
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575216"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575233"></a><span><strong class="command">include</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">include</strong></span> statement inserts the
specified file at the point where the <span><strong class="command">include</strong></span>
statement is encountered. The <span><strong class="command">include</strong></span>
statement facilitates the administration of configuration files
by permitting the reading or writing of some things but not
others. For example, the statement could include private keys
that are readable only by the name server.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575256"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
    algorithm <em class="replaceable"><code>string</code></em>;
    secret <em class="replaceable"><code>string</code></em>;
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575280"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
or the command channel
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
Usage”</a>).
</p>
<p>
The <span><strong class="command">key</strong></span> statement can occur at the
top level
of the configuration file or inside a <span><strong class="command">view</strong></span>
statement. Keys defined in top-level <span><strong class="command">key</strong></span>
statements can be used in all views. Keys intended for use in
a <span><strong class="command">controls</strong></span> statement
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
Usage”</a>)
must be defined at the top level.
</p>
<p>
The <em class="replaceable"><code>key_id</code></em>, also known as the
key name, is a domain name uniquely identifying the key. It can
be used in a <span><strong class="command">server</strong></span>
statement to cause requests sent to that
server to be signed with this key, or in address match lists to
verify that incoming requests have been signed with a key
matching this name, algorithm, and secret.
</p>
<p>
The <em class="replaceable"><code>algorithm_id</code></em> is a string
that specifies a security/authentication algorithm. Named
supports <code class="literal">hmac-md5</code>,
<code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
and <code class="literal">hmac-sha512</code> TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceded by a dash, e.g.
<em class="replaceable"><code>secret_string</code></em> is the secret
to be used by the algorithm, and is treated as a base-64
encoded string.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575370"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575496"></a><span><strong class="command">logging</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">logging</strong></span> statement configures a
wide variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
associates output methods, format options and severity levels with
a name that can then be used with the <span><strong class="command">category</strong></span> phrase
to select how various classes of messages are logged.

Only one <span><strong class="command">logging</strong></span> statement is used to define
as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
the logging configuration will be:
<pre class="programlisting">logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};
</pre>
In <acronym class="acronym">BIND</acronym> 9, the logging configuration
is only established when
the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
established as soon as the <span><strong class="command">logging</strong></span>
statement was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the "<code class="option">-g</code>" option
was specified.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2575548"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.

Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the
category name and/or severity level (the default is not to include any).

The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.

The <span><strong class="command">file</strong></span> destination clause directs
the channel to a disk file. It can include limitations
both on how large the file is allowed to become, and how many
versions of the file will be saved each time the file is opened.

If you use the <span><strong class="command">versions</strong></span> log file
option, then <span><strong class="command">named</strong></span> will retain that many backup
versions of the file by renaming them when opening. For example, if you choose to keep
three old versions of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to
not limit the number of versions.
If a <span><strong class="command">size</strong></span> option is associated with
the log file,
then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any
log file is simply appended.

The <span><strong class="command">size</strong></span> option for files is used
to limit log
growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are
renamed as described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log
until some out-of-band mechanism removes or truncates the log to
less than the
maximum size. The default behavior is not to limit the size of
the file.

Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
The <span><strong class="command">syslog</strong></span> destination clause
directs the channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>; however, not all facilities
are supported on all operating systems.
How <span><strong class="command">syslog</strong></span> will handle messages
sent to this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.

The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
levels will be accepted.

If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.

The <span><strong class="command">stderr</strong></span> destination clause
directs the channel to the server's standard error stream. This is intended
for use when the server is running as a foreground process, for
example when debugging a configuration.

The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is
greater than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    severity debug 3;
};
</pre>
will get debugging output of level 3 or less any time the
server is in debugging mode, regardless of the global debugging
level. Channels with <span><strong class="command">dynamic</strong></span>
severity use the
server's global debug level to determine what messages to print.

If <span><strong class="command">print-time</strong></span> has been turned on,
then the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
be used in any combination, and will always be printed in the
following order: time, category, severity. Here is an example where all
three <span><strong class="command">print-</strong></span> options
are on:

<code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>

There are four predefined channels that are used for
<span><strong class="command">named</strong></span>'s default logging as follows.
How they are
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-f' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};
</pre>
The <span><strong class="command">default_debug</strong></span> channel has the
special property that it only produces output when the server's debug
level is nonzero. It normally writes to a file called <code class="filename">named.run</code>
in the server's working directory.

For security reasons, when the "<code class="option">-u</code>"
command line option is used, the <code class="filename">named.run</code> file
is created only after <span><strong class="command">named</strong></span> has
changed to the
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the "<code class="option">-g</code>"
option and redirect standard error to a file.

Once a channel is defined, it cannot be redefined. Thus you
cannot alter the built-in channels directly, but you can modify
the default logging by pointing categories at channels you have
defined.
<div class="titlepage"><div><div><h4 class="title">
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
There are many categories, so you can send the logs you want
to see wherever you want, without seeing logs you don't want. If
you don't specify a list of channels for a category, then log
messages in that category will be sent to the <span><strong class="command">default</strong></span> category
instead. If you don't specify a default category, the following
"default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
As an example, let's say you want to log security events to
a file, but you also want to keep the default logging behavior. You'd
specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
Following are the available categories and brief descriptions
of the types of log information they contain. More
categories may be added in future <acronym class="acronym">BIND</acronym> releases.

<p><span><strong class="command">default</strong></span></p>
The default category defines the logging
options for those categories where no specific
configuration has been defined.

<p><span><strong class="command">general</strong></span></p>
The catch-all. Many things still aren't
classified into categories, and they all end up here.

<p><span><strong class="command">database</strong></span></p>
Messages relating to the databases used
internally by the name server to store zone and cache
data.

<p><span><strong class="command">security</strong></span></p>
Approval and denial of requests.

<p><span><strong class="command">config</strong></span></p>
Configuration file parsing and processing.

<p><span><strong class="command">resolver</strong></span></p>
DNS resolution, such as the recursive
lookups performed on behalf of clients by a caching name
server.

<p><span><strong class="command">xfer-in</strong></span></p>
Zone transfers the server is receiving.

<p><span><strong class="command">xfer-out</strong></span></p>
Zone transfers the server is sending.

<p><span><strong class="command">notify</strong></span></p>
The NOTIFY protocol.

<p><span><strong class="command">client</strong></span></p>
Processing of client requests.

<p><span><strong class="command">unmatched</strong></span></p>
Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr; by
default it is sent to
the <span><strong class="command">null</strong></span> channel.

<p><span><strong class="command">network</strong></span></p>
Network operations.

<p><span><strong class="command">update</strong></span></p>
Dynamic updates.

<p><span><strong class="command">update-security</strong></span></p>
Approval and denial of update requests.

<p><span><strong class="command">queries</strong></span></p>
Specify where queries should be logged to.

At startup, specifying the category <span><strong class="command">queries</strong></span> will also
enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
specified.

The query log entry reports the client's IP
address and port number, and the query name,
class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
EDNS was in use (E), if DO (DNSSEC Ok) was
set (D), or if CD (Checking Disabled) was set
(C). After this the destination address the
query was sent to is reported.

<code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
<code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">query-errors</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Information about queries that resulted in some
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">dispatch</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Dispatching of incoming packets to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server modules where they are to be processed.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">dnssec</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSSEC and TSIG protocol processing.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">lame-servers</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Lame servers. These are misconfigurations
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in remote servers, discovered by BIND 9 when trying to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews query those servers during resolution.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">delegation-only</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Delegation only. Logs queries that have been
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews forced to NXDOMAIN as the result of a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews delegation-only zone or a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">delegation-only</strong></span> in a hint
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews or stub zone declaration.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <p><span><strong class="command">edns-disabled</strong></span></p>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Log queries that have been forced to use plain
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNS due to timeouts. This is often due to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the remote servers not being RFC 1034 compliant
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (not always returning FORMERR or similar to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews EDNS queries and other extensions to the DNS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews when they are not understood). In other words, this is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews targeted at servers that fail to respond to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNS queries that they don't understand.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Note: the log message can also be due to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews packet loss. Before reporting servers for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews non-RFC 1034 compliance they should be re-tested
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to determine the nature of the non-compliance.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This testing should prevent or reduce the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews number of false-positive reports.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Note: eventually <span><strong class="command">named</strong></span> will have to stop
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews treating such timeouts as due to RFC 1034
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews non-compliance and start treating them as plain
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews packet loss. Falsely classifying packet
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews loss as due to RFC 1034 non-compliance affects
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSSEC validation, which requires EDNS for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the DNSSEC records to be returned.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h4 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2576976"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">query-errors</strong></span> category is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews specifically intended for debugging purposes: to identify
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews why and how specific queries result in responses which
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews indicate an error.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Messages of this category are therefore only logged
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews with <span><strong class="command">debug</strong></span> levels.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews At the debug levels of 1 or higher, each response with the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews rcode of SERVFAIL is logged as follows:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This means an error resulting in SERVFAIL was
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews detected at line 3880 of source file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Log messages of this level will particularly
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews help identify the cause of SERVFAIL for an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews authoritative server.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews At the debug levels of 2 or higher, detailed context
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews information of recursive resolutions that resulted in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SERVFAIL is logged.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The log message will look as follows:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsfetch completed at resolver.c:2970 for www.example.com/A
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsin 30.000183: timed out/success [domain:example.com,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsreferral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrewsbadresp:1,adberr:0,findfail:0,valfail:0]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The first part before the colon shows that a recursive
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resolution for AAAA records of www.example.com completed
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews in 30.000183 seconds and the final result that led to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews SERVFAIL was determined at line 2970 of source file
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The following part shows the detected final result and the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews latest result of DNSSEC validation.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The latter is always success when no validation attempt
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In this example, this query resulted in SERVFAIL probably
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews because all name servers are down or unreachable, leading
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to a timeout in 30 seconds.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews DNSSEC validation was probably not attempted.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The last part enclosed in square brackets shows statistics
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews information collected for this particular resolution
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <code class="varname">domain</code> field shows the deepest zone
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews that the resolver reached;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews it is the zone where the error was finally detected.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The meaning of the other fields is summarized in the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews following table.
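c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<table>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">referral</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of referrals the resolver received
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews throughout the resolution process.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In the above example this is 2, which are most
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews likely com and example.com.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">restart</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of cycles that the resolver tried
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews remote servers at the <code class="varname">domain</code>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews In each cycle the resolver sends one query
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews (possibly resending it, depending on the response)
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews to each known name server of</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">qrysent</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of queries the resolver sent at the</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">timeout</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of timeouts since the resolver
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews received the last response.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">lame</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of lame servers the resolver detected
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews at the <code class="varname">domain</code> zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews A server is detected to be lame either by an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews invalid response or as a result of lookup in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews BIND9's address database (ADB), where lame
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews servers are cached.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">neterr</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of erroneous results that the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resolver encountered in sending queries
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews at the <code class="varname">domain</code> zone.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews One common case is the remote server is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews unreachable and the resolver receives an ICMP
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews unreachable error message.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">badresp</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>The number of unexpected responses (other than
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="varname">lame</code>) to queries sent by the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews resolver at the <code class="varname">domain</code> zone.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">adberr</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>Failures in finding remote server addresses
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews of the <code class="varname">domain</code> zone in the ADB.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews One common case of this is that the remote
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server's name does not have any address records.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">findfail</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>Failures of resolving remote server addresses.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is a total number of failures throughout
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the resolution process.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td><code class="varname">valfail</code></td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<td>Failures of DNSSEC validation.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Validation failures are counted throughout
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the resolution process (not limited to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the <code class="varname">domain</code> zone), but should
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews only happen in <code class="varname">domain</code>.</td>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</tr>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews</table>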
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews At the debug levels of 3 or higher, the same messages
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews as those at the debug 1 level are logged for errors
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews other than SERVFAIL.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Note that negative responses such as NXDOMAIN are not
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews regarded as errors here.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews At the debug levels of 4 or higher, the same messages
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews as those at the debug 2 level are logged for errors
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews other than SERVFAIL.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews Unlike the above case of level 3, messages are logged for
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews negative responses.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is because any unexpected results can be difficult to
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews debug in the recursion case.
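The three message shapes described above (the <code class="varname">queries</code> entry, the debug 1 "query failed" line and the debug 2 "fetch completed" line with its bracketed counters) can be parsed mechanically when triaging resolver failures. The Python below is an added example, not part of BIND or of this manual; the function names, the hint wording and the handling of a trailing destination token are assumptions.

```python
"""Parse the query and query-errors log lines described in this section."""
import re

# Flag letters as listed in the query log description above.
FLAG_NAMES = {"S": "signed", "E": "edns", "D": "dnssec_ok", "C": "checking_disabled"}

# search() is used everywhere so a timestamp or category prefix is tolerated.
# Assumption: the destination address, which the samples above do not show,
# is accepted as one optional trailing token and returned unmodified.
QUERY_RE = re.compile(
    r"client (?P<ip>\S+)#(?P<port>\d+): query: (?P<name>\S+) (?P<cls>\S+) "
    r"(?P<type>\S+) (?P<rd>[+-])(?P<flags>[A-Z]*)(?:\s+(?P<dest>\S+))?\s*$"
)
# Greedy \S+ for the name keeps any '/' inside the name itself (for example
# classless in-addr.arpa delegations) out of the class and type fields.
FAILED_RE = re.compile(
    r"client (?P<ip>\S+)#(?P<port>\d+): query failed \((?P<rcode>\w+)\) for "
    r"(?P<name>\S+)/(?P<cls>[^/\s]+)/(?P<type>[^/\s]+) at (?P<file>[\w.]+):(?P<line>\d+)"
)
FETCH_RE = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) for "
    r"(?P<name>\S+)/(?P<type>[^/\s]+) in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<validation>[^\[]+?) \[(?P<stats>[^\]]*)\]"
)

# Counter -> short meaning, following the statistics table above.
HINTS = [
    ("valfail", "DNSSEC validation failures"),
    ("timeout", "timeouts since the last response"),
    ("lame", "lame servers detected at the domain zone"),
    ("neterr", "errors sending queries (for example ICMP unreachable)"),
    ("badresp", "unexpected responses other than lame"),
    ("adberr", "server addresses not found in the ADB"),
    ("findfail", "failures resolving remote server addresses"),
]


def parse_line(line):
    """Return a dict describing one log line, or None if it is not recognised."""
    m = FETCH_RE.search(line)
    if m:
        stats = {}
        for item in m["stats"].split(","):
            key, _, value = item.strip().partition(":")
            if key:
                numeric = key != "domain" and value.isdigit()
                stats[key] = int(value) if numeric else value
        return {"kind": "fetch", "source": f'{m["file"]}:{m["line"]}',
                "name": m["name"], "type": m["type"],
                "seconds": float(m["secs"]), "result": m["result"].strip(),
                "validation": m["validation"].strip(), "stats": stats}
    m = FAILED_RE.search(line)
    if m:
        return {"kind": "failed", "client": m["ip"], "port": int(m["port"]),
                "rcode": m["rcode"], "name": m["name"], "class": m["cls"],
                "type": m["type"], "source": f'{m["file"]}:{m["line"]}'}
    m = QUERY_RE.search(line)
    if m:
        flags = {name: letter in m["flags"] for letter, name in FLAG_NAMES.items()}
        flags["recursion_desired"] = m["rd"] == "+"
        return {"kind": "query", "client": m["ip"], "port": int(m["port"]),
                "name": m["name"], "class": m["cls"], "type": m["type"],
                "flags": flags, "raw_flags": m["rd"] + m["flags"], "dest": m["dest"]}
    return None


def fetch_hints(record):
    """List the non-zero failure counters of a 'fetch' record with their meaning."""
    stats = record["stats"]
    return [f"{key}={stats[key]}: {text}" for key, text in HINTS if stats.get(key, 0)]


# Sample lines taken from this section; the fetch message, which is wrapped
# across several lines on the page, is joined into one line here.
SAMPLE_LINES = [
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "client ::1#62537: query: www.example.net IN AAAA -SE",
    "client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880",
    "fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: "
    "timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,"
    "timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_line(sample)
        print(parsed)
        if parsed and parsed["kind"] == "fetch":
            for hint in fetch_hints(parsed):
                print("  ", hint)
```

The hint list reports only the counters that are non-zero, in a fixed order, so the same failure pattern always produces the same output.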
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2577495"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is the grammar of the <span><strong class="command">lwres</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in the <code class="filename">named.conf</code> file:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews};</pre>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2577569"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">lwres</strong></span> statement configures the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews server to also act as a lightweight resolver server. (See
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">lwres</strong></span> statements configuring
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lightweight resolver servers with different properties.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">listen-on</strong></span> statement specifies the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews addresses (and ports) that this instance of a lightweight resolver
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews should accept requests on. If no port is specified, port 921 is
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews If this statement is omitted, requests will be accepted on
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">view</strong></span> statement binds this
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews instance of a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lightweight resolver daemon to a view in the DNS namespace, so that
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews response will be constructed in the same manner as a normal DNS
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews matching this view. If this statement is omitted, the default view
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews used, and if there is no default view, an error is triggered.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">search</strong></span> statement is equivalent to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">search</strong></span> statement in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">/etc/resolv.conf</code>. It provides a
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews list of domains
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews which are appended to relative names in queries.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The <span><strong class="command">ndots</strong></span> statement is equivalent to the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <span><strong class="command">ndots</strong></span> statement in
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <code class="filename">/etc/resolv.conf</code>. It indicates the
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews number of dots in a relative domain name that should result in an
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews exact match lookup before search path elements are appended.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2577633"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2577676"></a><span><strong class="command">masters</strong></span> Statement Definition and
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<p><span><strong class="command">masters</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews lists allow for a common set of masters to be easily used by
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews multiple stub and slave zones.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<div class="titlepage"><div><div><h3 class="title">
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<a name="id2577691"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews This is the grammar of the <span><strong class="command">options</strong></span>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews statement in the <code class="filename">named.conf</code> file:
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<pre class="programlisting"><span><strong class="command">options</strong></span> {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ... }; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
 [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
 [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
 [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
 [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
 [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
 [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
 [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
 [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
 [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
 [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
 [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
 [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
 [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
 [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
 [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
 [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
 [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
 [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
 [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
 [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
 [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
 [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
 [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
 [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
 [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
 [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
<div class="titlepage"><div><div><h3 class="title">
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
The <span><strong class="command">options</strong></span> statement sets up global options
to be used by <acronym class="acronym">BIND</acronym>. This statement
may appear only
once in a configuration file. If there is no <span><strong class="command">options</strong></span>
statement, an options block with each option set to its default will
<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
Allows multiple views to share a single cache.
Each view has its own cache database by default, but
if multiple views have the same operational policy
for name resolution and caching, those views can
share a single cache to save memory and possibly
improve resolution efficiency by using this option.
The <span><strong class="command">attach-cache</strong></span> option
may also be specified in <span><strong class="command">view</strong></span>
statements, in which case it overrides the
global <span><strong class="command">attach-cache</strong></span> option.
The <em class="replaceable"><code>cache_name</code></em> specifies
the cache to be shared.
When the <span><strong class="command">named</strong></span> server configures
views which are supposed to share a cache, it
creates a cache with the specified name for the
first view of these sharing views.
The rest of the views will simply refer to the
already created cache.
One common configuration to share a cache would be to
allow all views to share a single cache.
This can be done by specifying
the <span><strong class="command">attach-cache</strong></span> as a global
option with an arbitrary name.
Another possible operation is to allow a subset of
all views to share a cache while the others
retain their own caches.
For example, if there are three views A, B, and C,
and only A and B should share a cache, specify the
<span><strong class="command">attach-cache</strong></span> option as an option of view A (or
B), referring to the other view name:
<pre class="programlisting">
view "A" {    // this view has its own cache
};
view "B" {    // this view refers to A's cache
  attach-cache "A";
};
view "C" {    // this view has its own cache
};
</pre>
Views that share a cache must have the same policy
on configurable parameters that may affect caching.
The current implementation requires the following
configurable options be consistent among these views:
<span><strong class="command">check-names</strong></span>,
<span><strong class="command">cleaning-interval</strong></span>,
<span><strong class="command">dnssec-accept-expired</strong></span>,
<span><strong class="command">dnssec-validation</strong></span>,
<span><strong class="command">max-cache-ttl</strong></span>,
<span><strong class="command">max-ncache-ttl</strong></span>,
<span><strong class="command">max-cache-size</strong></span>, and
<span><strong class="command">zero-no-soa-ttl</strong></span>.
Note that there may be other parameters that may
cause confusion if they are inconsistent for
different views that share a single cache.
For example, if these views define different sets of
forwarders that can return different answers for the
same question, sharing the answer does not make
sense or could even be harmful.
It is the administrator's responsibility to ensure that
configuration differences in different views do
not cause disruption with a shared cache.
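<p>The consistency requirement above can be checked mechanically before a configuration is deployed. The following Python script is an added example, not part of BIND or of this manual: it reads a <code>named.conf</code>-style text with a simplified parser, groups views by the cache they end up using, and reports any of the eight listed options whose values differ inside a group. The function names, the sample configuration and the <code>&lt;default&gt;</code> marker for unset options are assumptions made for the example.</p>

```python
import re
from collections import defaultdict

# Options the text above requires to be consistent among views sharing a cache.
CACHE_POLICY_OPTIONS = (
    "check-names", "cleaning-interval", "dnssec-accept-expired",
    "dnssec-validation", "max-cache-ttl", "max-ncache-ttl",
    "max-cache-size", "zero-no-soa-ttl",
)

TOKEN_RE = re.compile(r'''
    /\*.*?\*/ | //[^\n]* | \#[^\n]*    # comments, dropped by tokenize()
  | "(?:[^"\\]|\\.)*"                  # quoted string
  | [{};]                              # punctuation
  | [^\s{};"]+                         # bare word
''', re.VERBOSE | re.DOTALL)


def tokenize(text):
    """Split configuration text into words and punctuation, skipping comments."""
    tokens = (m.group(0) for m in TOKEN_RE.finditer(text))
    return [t for t in tokens if not t.startswith(("/*", "//", "#"))]


def parse(tokens, pos=0, nested=False):
    """Return (statements, next_pos). A statement is a list holding words and,
    for every { ... } block, a nested list of statements."""
    stmts, cur = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            block, pos = parse(tokens, pos, nested=True)
            cur.append(block)
        elif tok == "}":
            if not nested:
                raise ValueError("unbalanced '}'")
            if cur:
                stmts.append(cur)
            return stmts, pos
        elif tok == ";":
            if cur:
                stmts.append(cur)
                cur = []
        else:
            cur.append(tok.strip('"'))
    if nested:
        raise ValueError("unbalanced '{'")
    return stmts, pos


def policy(stmts):
    """Collect attach-cache and the cache policy options set directly in a block."""
    found = defaultdict(list)
    for s in stmts:
        if isinstance(s[0], str) and s[0] in CACHE_POLICY_OPTIONS + ("attach-cache",):
            found[s[0]].append(" ".join(w for w in s[1:] if isinstance(w, str)))
    return {name: tuple(sorted(vals)) for name, vals in found.items()}


def audit_shared_caches(conf_text):
    """Return (cache_name, option, {view: value}) for every listed option that
    differs among views sharing one cache. Unset options compare as '<default>',
    so an explicit value equal to the built-in default is still reported."""
    stmts, _ = parse(tokenize(conf_text))
    global_opts, views = {}, []
    for s in stmts:
        if s[0] == "options" and isinstance(s[-1], list):
            global_opts = policy(s[-1])
        elif s[0] == "view" and isinstance(s[-1], list):
            views.append((s[1], policy(s[-1])))
    groups = defaultdict(list)
    for name, opts in views:
        effective = {**global_opts, **opts}      # view settings override global ones
        cache = effective.get("attach-cache", (name,))[0]  # own cache: view name
        groups[cache].append((name, effective))
    findings = []
    for cache, members in groups.items():
        if len(members) < 2:
            continue
        for opt in CACHE_POLICY_OPTIONS:
            values = {n: eff.get(opt, ("<default>",)) for n, eff in members}
            if len(set(values.values())) > 1:
                findings.append((cache, opt, {n: " / ".join(v) for n, v in values.items()}))
    return findings


# Constructed sample: B attaches to A's cache but disagrees with A on two options.
SAMPLE_CONF = """
options { directory "/var/named"; max-cache-ttl 86400; };
view "A" { match-clients { 10.0.0.0/8; }; dnssec-validation yes; };
view "B" {
    // this view refers to A's cache
    attach-cache "A";
    dnssec-validation no;
    max-cache-size 64m;
};
view "C" { /* own cache, so a different TTL cap is fine */ max-cache-ttl 3600; };
"""

if __name__ == "__main__":
    for cache, opt, per_view in audit_shared_caches(SAMPLE_CONF):
        print(f'cache "{cache}": {opt} differs: {per_view}')
```

<p>The check covers only the options named above; settings such as differing forwarders still need manual review.</p>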
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
The working directory of the server.
Any non-absolute pathnames in the configuration file will be taken
as relative to this directory. The default location for most
output files (e.g. <code class="filename">named.run</code>)
is this directory.
If a directory is not specified, the working directory
defaults to `<code class="filename">.</code>', the directory from
which the server
was started. The directory specified should be an absolute
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
When performing dynamic update of secure zones, the
directory where the public and private DNSSEC key files
should be found, if different than the current working
directory. The directory specified must be an absolute
path. (Note that this option has no effect on the paths
for files containing non-DNSSEC keys such as
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete.</em></span> It
was used in <acronym class="acronym">BIND</acronym> 8 to specify
the pathname to the <span><strong class="command">named-xfer</strong></span>
program. In <acronym class="acronym">BIND</acronym> 9, no separate
<span><strong class="command">named-xfer</strong></span> program is needed;
its functionality is built into the name server.
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
and the credential is a Kerberos principal which
the server can acquire through the default system
key file, normally <code class="filename">/etc/krb5.keytab</code>.
Normally this principal is of the form
"<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
must also be set.
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
The domain appended to the names of all shared keys
generated with <span><strong class="command">TKEY</strong></span>. When a
client requests a <span><strong class="command">TKEY</strong></span> exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
be <code class="varname">client specified part</code> +
<code class="varname">tkey-domain</code>. Otherwise, the
name of the shared key will be <code class="varname">random hex
digits</code> + <code class="varname">tkey-domain</code>.
In most cases, the <span><strong class="command">domainname</strong></span>
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.<code class="varname">domainname</code>". If you are
using GSS-TSIG, this variable must be defined.
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman mode
of <span><strong class="command">TKEY</strong></span>. The server must be
able to load the
public and private keys from files in the working directory. In
most cases, the keyname should be the server's host name.
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
This is for testing only. Do not use.
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
The pathname of the file the server dumps
the database to when instructed to do so with
<span><strong class="command">rndc dumpdb</strong></span>.
If not specified, the default is <code class="filename">named_dump.db</code>.
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews The pathname of the file the server writes memory
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews usage statistics to on exit. If not specified,
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews the default is <code class="filename">named.memstats</code>.
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
The pathname of the file the server writes its process ID
in. If not specified, the default is
<code class="filename">/var/run/named/named.pid</code>.
The PID file is used by programs that want to send signals to
the name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file — no file will be written and any
existing one will be removed. Note that <span><strong class="command">none</strong></span>
is a keyword, not a filename, and therefore is not enclosed
in double quotes.
<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <span><strong class="command">rndc recursing</strong></span>.
If not specified, the default is <code class="filename">named.recursing</code>.
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
The pathname of the file the server appends statistics
to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
If not specified, the default is <code class="filename">named.stats</code> in the
server's current directory. The format of the file is described
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
The pathname of a file to override the built-in trusted
keys provided by named. See the discussion of
<span><strong class="command">dnssec-lookaside</strong></span> for details.
If not specified, the default is
<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
The pathname of the file into which to write a TSIG
session key generated by <span><strong class="command">named</strong></span> for use by
<span><strong class="command">nsupdate -l</strong></span>. If not specified, the
default is <code class="filename">/var/run/named/session.key</code>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
particular the discussion of the
<span><strong class="command">update-policy</strong></span> statement's
<strong class="userinput"><code>local</code></strong> option for more
information about this feature.)
<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
The key name to use for the TSIG session key.
If not specified, the default is "local-ddns".
<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
The algorithm to use for the TSIG session key.
Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384, hmac-sha512 and hmac-md5. If not
specified, the default is hmac-sha256.
<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
The pathname of the file into which to write a session TSIG
key for use by <span><strong class="command">nsupdate -l</strong></span>. (See the
discussion of the <span><strong class="command">update-policy</strong></span>
statement's <strong class="userinput"><code>local</code></strong> option for more
details on this feature.)
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
receiving and sending DNS protocol traffic.
The default is 53. This option is mainly intended for server
a server using a port other than 53 will not be able to
communicate with
the global DNS.
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This option specifies the device (or file) from which
to read entropy. If this is a file, operations requiring entropy will
fail when the
file has been exhausted. If not specified, the default value
(or equivalent) when present, and none otherwise. The
<span><strong class="command">random-device</strong></span> option takes
effect during
the initial configuration load at server startup time and
is ignored on subsequent reloads.
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
If specified, the listed type (A or AAAA) will be emitted
before other glue
in the additional section of a query response.
The default is not to prefer any type (NONE).
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Turn on enforcement of delegation-only in TLDs
(top level domains) and root zones with an optional
exclude list.
DS queries are expected to be made to and be answered by
delegation-only zones. Such queries and responses are
treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses, provided
a CNAME is not discovered at the query name.
If a delegation-only zone server also serves a child
zone, it is not always possible to determine whether
an answer comes from the delegation-only zone or the
child zone. SOA, NS and DNSKEY records are apex-only
records, and a matching response that contains
these records or DS is treated as coming from a
child zone. RRSIG records are also examined to see
if they are signed by a child zone or not. The
authority section is also examined to see if there
is evidence that the answer is from the child zone.
Answers that are determined to be from a child zone
are not converted to NXDOMAIN responses. Despite
all these checks, there is still a possibility of
false negatives when a child zone is being served.
Similarly, false positives can arise from empty nodes
(no records at the name) in the delegation-only zone
when the query type is not ANY.
Note that some TLDs are not delegation only (e.g. "DE", "LV",
"US" and "MUSEUM"). This list is not exhaustive.
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
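Several of the cautions this chapter attaches to individual options (cache-file is for testing only, none is a keyword for pid-file, a port other than 53 isolates the server, dnssec-accept-expired yes allows replay) can be checked mechanically before a configuration is deployed. The audit below is an added example, not part of the BIND documentation or ISC code; the function names, the sample configuration, and the choices to flag hmac-md5 and a random-device path outside /dev/ are assumptions of this example.

```python
import re

# One-pass lexer for named.conf. Quoted strings are tried before comments so
# that "//" inside a quoted path is not mistaken for a comment.
_LEX = re.compile(r'''
      "(?P<q>(?:[^"\\]|\\.)*)"           # quoted string
    | /\*.*?\*/ | //[^\n]* | \#[^\n]*    # comments, discarded
    | (?P<p>[{};])                       # punctuation
    | (?P<w>[^\s{};"]+)                  # bare word
''', re.S | re.X)


def tokenize(text):
    """Return (token, was_quoted) pairs; comments and whitespace are dropped."""
    return [(m.group(m.lastgroup), m.lastgroup == "q")
            for m in _LEX.finditer(text) if m.lastgroup]


def options_statements(text):
    """Return the statements of the top-level options { ... } block."""
    stmts, cur = [], []
    depth, in_opts, prev = 0, False, None
    for tok in tokenize(text):
        if tok == ("{", False):
            depth += 1
            if depth == 1 and prev == ("options", False):
                in_opts, prev = True, tok
                continue
        elif tok == ("}", False):
            depth -= 1
            if depth == 0:
                in_opts = False
        if in_opts:
            if tok == (";", False) and depth == 1:
                if cur:
                    stmts.append(cur)
                cur = []
            else:
                cur.append(tok)   # nested braces stay inside the statement
        prev = tok
    return stmts


def audit_options(text):
    """Return (option, reason) findings for the options block of a named.conf."""
    findings = []
    for stmt in options_statements(text):
        name = stmt[0][0]
        arg, quoted = stmt[1] if len(stmt) > 1 else ("", False)
        if name == "cache-file":
            findings.append((name, "documented as testing only; do not use"))
        elif name == "pid-file" and quoted and arg == "none":
            findings.append((name, 'quoted "none" is a filename, not the '
                                   "keyword that disables the PID file"))
        elif name == "port" and arg != "53":
            findings.append((name, "a server on port " + arg +
                                   " cannot communicate with the global DNS"))
        elif name == "session-keyalg" and arg.lower() == "hmac-md5":
            # Policy choice of this example; the page lists hmac-md5 as valid.
            findings.append((name, "prefer the default hmac-sha256"))
        elif (name == "dnssec-accept-expired"
              and arg.lower() in ("yes", "true", "1")):
            findings.append((name, "leaves named vulnerable to replay attacks"))
        elif name == "random-device" and not arg.startswith("/dev/"):
            # Heuristic of this example: a path outside /dev/ is a plain file.
            findings.append((name, "operations requiring entropy fail once "
                                   "a regular file is exhausted"))
    return findings


# Constructed sample configuration, not taken from the BIND documentation.
SAMPLE = r'''
options {
    directory "/var/named";      # not audited
    cache-file "cache.db";
    pid-file "none";             /* quoted, so read as a path */
    port 5353;
    session-keyalg hmac-md5;
    dnssec-accept-expired yes;
    random-device "/var/named/entropy.bin";
    listen-on port 5353 { 127.0.0.1; };
    // dnssec-accept-expired yes;   commented out, must not be counted
};
zone "options" { type master; file "port.db"; };
'''

if __name__ == "__main__":
    for option, reason in audit_options(SAMPLE):
        print(f"{option}: {reason}")
```
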
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Setting this option to "yes" leaves <span><strong class="command">named</strong></span> vulnerable to replay attacks.
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
<span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2587559"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
<a name="id2587645"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2587765"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2587812"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2587931"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2588149"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2589693"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2595323"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2595339"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2595468"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2595538"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2595574"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2600052"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>