Bv9ARM.ch06.html revision 3c9cf7efb97991f9871bc5633e7ed1cae0932a37
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.303 2012/01/16 01:14:57 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
A <code class="varname">masters_list</code> may include other
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
A list of one or more <code class="varname">domain_name</code>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction
A list of one or more
separated by semicolons and ending with a semicolon.
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
A list of an <code class="varname">ip_port</code> or a port
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_low</code> must not be larger than
For example,
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
A <code class="varname">number</code> can optionally be
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best way
to safely set a really large number.
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<a name="id2574302"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<a name="id2574330"></a>Definition and Usage</h4></div></div></div>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement</li>
<li>a nested address match list enclosed in braces</li>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.
When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.
The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
Order of insertion is significant. If more than one element
in an ACL is found to match a given IP address or prefix,
preference will be given to the one that came
<span class="emphasis"><em>first</em></span> in the ACL definition.
Because of this first-match behavior, an element that
defines a subset of another element in the list should
come before the broader element, regardless of whether
either is negated. For example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
the 1.2.3.13 element is completely useless because the
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation, but
all other 1.2.3.* hosts fall through.
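The first-match rule above, together with the ip_prefix shorthand from the element list, as an added example that is not part of the BIND documentation or source: a small Python checker that evaluates a list the way the text describes and flags elements that an earlier, broader element makes unreachable. It handles IPv4 address and prefix elements only (key, acl_name and nested lists are out of scope), and all function names are this example's own.

```python
"""First-match evaluation of an address match list (IPv4 elements only)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Element(NamedTuple):
    negated: bool                    # element was written with a leading '!'
    network: ipaddress.IPv4Network   # address (as /32) or prefix
    text: str                        # element as written, for reporting


def parse_prefix(text: str) -> ipaddress.IPv4Network:
    """Parse an address or ip_prefix; trailing zero octets may be omitted."""
    addr, slash, length = text.strip().partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"bad dotted_decimal: {text!r}")
    if not slash:
        # A bare address is an ip4_addr: exactly four elements.
        if len(octets) != 4:
            raise ValueError(f"address needs four octets: {text!r}")
        length = "32"
    elif not length.isdigit():
        raise ValueError(f"bad prefix length: {text!r}")
    # "127/8" becomes 127.0.0.0/8, "1.2.3/24" becomes 1.2.3.0/24.
    octets = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    # strict=True rejects a prefix with host bits set, e.g. 1.2.3.13/24.
    return ipaddress.IPv4Network(".".join(octets) + "/" + length, strict=True)


def parse_acl(text: str) -> List[Element]:
    """Split 'elem; elem; ...' into elements, keeping their order."""
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        body = item[1:].strip() if negated else item
        elements.append(Element(negated, parse_prefix(body), item))
    return elements


def evaluate(acl: List[Element], address: str) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding element).

    The first matching element decides: non-negated allows, negated denies.
    If nothing matches, access is denied and the index is None.
    """
    ip = ipaddress.ip_address(address)
    for index, element in enumerate(acl):
        if ip in element.network:
            return ("deny" if element.negated else "allow", index)
    return ("deny", None)


def shadowed(acl: List[Element]) -> List[Tuple[int, int]]:
    """List (later, earlier) index pairs where 'later' can never match.

    An element is unreachable when a single earlier element covers the same
    or a broader range, whether or not either of them is negated. Ranges
    covered only by the union of several earlier elements are not detected.
    """
    findings = []
    for j, later in enumerate(acl):
        for i in range(j):
            if later.network.subnet_of(acl[i].network):
                findings.append((j, i))
                break
    return findings


if __name__ == "__main__":
    # The two orderings discussed in the text above.
    for source in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        acl = parse_acl(source)
        print(source)
        print("  1.2.3.13 ->", evaluate(acl, "1.2.3.13"))
        print("  1.2.3.14 ->", evaluate(acl, "1.2.3.14"))
        for later, earlier in shadowed(acl):
            print(f"  unreachable: {acl[later].text!r} "
                  f"(covered by {acl[earlier].text!r})")
```

Running `shadowed` over every ACL in a configuration before deployment catches a negation that was meant to block a host but sits behind the broader element that admits it.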
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2574468"></a>Comment Syntax</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync comments to appear
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync file. To appeal to programmers of all kinds, they can be written
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2574551"></a>Syntax</h4></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync# and perl</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2574581"></a>Definition and Usage</h4></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Comments may appear anywhere that whitespace may appear in
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync a <acronym class="acronym">BIND</acronym> configuration file.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync C-style comments start with the two characters /* (slash,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync star) and end with */ (star, slash). Because they are completely
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync delimited with these characters, they can be used to comment only
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync a portion of a line or to span multiple lines.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync C-style comments cannot be nested. For example, the following
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync is not valid because the entire comment ends with the first */:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting">/* This is the start of a comment.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This is still part of the comment.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync/* This is an incorrect attempt at nesting a comment. */
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync This is no longer in any comment. */</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync C++-style comments start with the two characters // (slash,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync slash) and continue to the end of the physical line. They cannot
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync be continued across multiple physical lines; to have one logical
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync comment span multiple lines, each line must use the // pair.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync For example:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting">// This is the start of a comment. The next line
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync// is a new comment, even though it is logically
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync// part of the previous comment.</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Shell-style (or perl-style, if you prefer) comments start
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync with the character <code class="literal">#</code> (number sign)
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync and continue to the end of the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync physical line, as in C++ comments.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync For example:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"># This is the start of a comment. The next line
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync# is a new comment, even though it is logically
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync# part of the previous comment.</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync You cannot use the semicolon (`;') character
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync to start a comment such as you would in a zone file. The
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync semicolon indicates the end of a configuration
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<div class="titlepage"><div><div><h2 class="title" style="clear: both">
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync A <acronym class="acronym">BIND</acronym> 9 configuration consists of
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statements and comments.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Statements end with a semicolon. Statements and comments are the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync only elements that can appear without enclosing braces. Many
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statements contain a block of sub-statements, which are also
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync terminated with a semicolon.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The following statements are supported:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">acl</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync defines a named IP address
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync matching list, for access control and other uses.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">controls</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync declares control channels to be used
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync by the <span><strong class="command">rndc</strong></span> utility.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">include</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync includes a file.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">key</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync specifies key information for use in
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync authentication and authorization using TSIG.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">logging</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync specifies what the server logs, and where
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync the log messages are sent.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">lwres</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync configures <span><strong class="command">named</strong></span> to
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">masters</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync defines a named masters list for
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync inclusion in stub and slave zones'
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">masters</strong></span> or
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">also-notify</strong></span> lists.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">options</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync controls global server configuration
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync options and sets defaults for other statements.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">server</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync sets certain configuration options on
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync a per-server basis.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">statistics-channels</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync declares communication channels to get access to
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">named</strong></span> statistics.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">trusted-keys</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync defines trusted DNSSEC keys.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">managed-keys</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync lists DNSSEC keys to be kept up to date
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync using RFC 5011 trust anchor maintenance.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">view</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync defines a view.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">zone</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync defines a zone.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">logging</strong></span> and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">options</strong></span> statements may only occur once per
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync configuration.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575196"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync address_match_list
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync};</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">acl</strong></span> statement assigns a symbolic
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync name to an address match list. It gets its name from a primary
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync use of address match lists: Access Control Lists (ACLs).
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Note that an address match list's name must be defined
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync with <span><strong class="command">acl</strong></span> before it can be used
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync elsewhere; no forward references are allowed.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The following ACLs are built-in:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">any</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Matches all hosts.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">none</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Matches no hosts.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">localhost</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Matches the IPv4 and IPv6 addresses of all network
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync interfaces on the system.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <p><span><strong class="command">localnets</strong></span></p>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Matches any host on an IPv4 or IPv6 network
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync for which the system has an interface.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Some systems do not provide a way to determine the prefix lengths of
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync local IPv6 addresses.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync In such a case, <span><strong class="command">localnets</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync only matches the local
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575386"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"><span><strong class="command">controls</strong></span> {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ inet ( ip_addr | * ) [ port ip_port ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync allow { <em class="replaceable"><code> address_match_list </code></em> }
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync keys { <em class="replaceable"><code>key_list</code></em> }; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ inet ...; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync keys { <em class="replaceable"><code>key_list</code></em> }; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ unix ...; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync};</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">controls</strong></span> statement declares control
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync channels to be used by system administrators to control the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync operation of the name server. These control channels are
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync used by the <span><strong class="command">rndc</strong></span> utility to send
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync commands to and retrieve non-DNS results from a name server.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync An <span><strong class="command">inet</strong></span> control channel is a TCP socket
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync listening at the specified <span><strong class="command">ip_port</strong></span> on the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync interpreted as the IPv4 wildcard address; connections will be
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync accepted on any of the system's IPv4 addresses.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync To listen on the IPv6 wildcard address,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync If you will only use <span><strong class="command">rndc</strong></span> on the local host,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync using the loopback address (<code class="literal">127.0.0.1</code>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync or <code class="literal">::1</code>) is recommended for maximum security.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync If no port is specified, port 953 is used. The asterisk
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The ability to issue commands over the control channel is
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync restricted by the <span><strong class="command">allow</strong></span> and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">keys</strong></span> clauses.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Connections to the control channel are permitted based on the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">address_match_list</strong></span>. This is for simple
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync IP address based filtering only; any <span><strong class="command">key_id</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync elements of the <span><strong class="command">address_match_list</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync are ignored.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync socket listening at the specified path in the file system.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Note that on some platforms (SunOS and Solaris) the permissions
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync as the permissions on the socket itself are ignored.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The primary authorization mechanism of the command
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync channel is the <span><strong class="command">key_list</strong></span>, which
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync contains a list of <span><strong class="command">key_id</strong></span>s.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync is authorized to execute commands over the control channel.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync for information about configuring keys in <span><strong class="command">rndc</strong></span>.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync If no <span><strong class="command">controls</strong></span> statement is present,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">named</strong></span> will set up a default
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync control channel listening on the loopback address 127.0.0.1
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync and its IPv6 counterpart ::1.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync In this case, and also when the <span><strong class="command">controls</strong></span> statement
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync is present but does not have a <span><strong class="command">keys</strong></span> clause,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">named</strong></span> will attempt to load the command channel key
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync from the file <code class="filename">rndc.key</code> in
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync was specified as when <acronym class="acronym">BIND</acronym> was built).
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync To create a <code class="filename">rndc.key</code> file, run
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <strong class="userinput"><code>rndc-confgen -a</code></strong>.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <code class="filename">rndc.key</code> feature was created to
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync which did not have digital signatures on its command channel
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync and still have <span><strong class="command">rndc</strong></span> work the same way
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Since the <code class="filename">rndc.key</code> feature
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync is only intended to allow the backward-compatible usage of
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <acronym class="acronym">BIND</acronym> 8 configuration files, this
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync feature does not
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync have a high degree of configurability. You cannot easily change
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync the key name or the size of the secret, so you should make a
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="filename">rndc.conf</code> with your own key if you
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync wish to change
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync those things. The <code class="filename">rndc.key</code> file
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync also has its
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync permissions set such that only the owner of the file (the user that
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">named</strong></span> is running as) can access it. If you
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync desire greater flexibility in allowing other users to access
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">rndc</strong></span> commands, then you need to create a
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="filename">rndc.conf</code> file and make it group
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync readable by a group
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync that contains the users who should have access.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync To disable the command channel, use an empty
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">controls</strong></span> statement:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <span><strong class="command">controls { };</strong></span>.
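The exposure points described in this section (wildcard listeners, an allow list that only filters by IP address, key elements that are ignored there, and the rndc.key fallback) can be checked before a configuration is deployed. The following Python audit is an added example, not part of BIND or of the original manual; the sample statements are constructed, the finding names are hypothetical, and the input is assumed to be a single comment-free controls statement.

```python
# Added example: audits a controls statement against the points made above.
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
WILDCARD = {"*", "::"}            # IPv4 and IPv6 wildcard forms named in the text
LOOPBACK = {"127.0.0.1", "::1"}   # addresses the text recommends for local-only rndc

MEANING = {  # hypothetical finding names, each tied to a statement in the text
    "wildcard-listener": "accepts connections on every address of the system",
    "non-loopback-listener": "reachable from the network; loopback is recommended",
    "allow-any": "the IP filter admits every host",
    "key-in-allow-ignored": "key elements in allow are ignored; use the keys clause",
    "no-keys-clause-uses-rndc.key": "named will try to load the key from rndc.key",
    "channel-disabled": "empty controls statement: command channel is off",
}


def split_clauses(tokens):
    """Split the tokens of a brace body into clauses ending in ';' at depth 0."""
    clauses, current, depth = [], [], 0
    for tok in tokens:
        if tok == "}" and depth == 0:
            break  # closing brace of the body itself
        depth += (tok == "{") - (tok == "}")
        if tok == ";" and depth == 0:
            clauses.append(current)
            current = []
        else:
            current.append(tok)
    return clauses


def block(clause, keyword):
    """Elements of '<keyword> { a; b; }' inside one channel clause, or None if absent."""
    if keyword not in clause:
        return None
    start = clause.index(keyword) + 2  # skip the keyword and its opening brace
    return [" ".join(element) for element in split_clauses(clause[start:])]


def audit(text):
    """Return a list of (listen address, finding) pairs for the inet channels."""
    tokens = TOKEN.findall(text)
    if tokens[:2] != ["controls", "{"]:
        raise ValueError("expected a controls statement")
    channels = split_clauses(tokens[2:])
    if not channels:
        return [("-", "channel-disabled")]
    findings = []
    for clause in channels:
        if clause[0] != "inet":
            continue  # unix channels are governed by perm, owner and group instead
        addr = clause[1]
        allow = block(clause, "allow") or []
        if addr in WILDCARD:
            findings.append((addr, "wildcard-listener"))
        elif addr not in LOOPBACK:
            findings.append((addr, "non-loopback-listener"))
        if "any" in allow:
            findings.append((addr, "allow-any"))
        if any(element.startswith("key ") for element in allow):
            findings.append((addr, "key-in-allow-ignored"))
        if block(clause, "keys") is None:
            findings.append((addr, "no-keys-clause-uses-rndc.key"))
    return findings


# Constructed samples: a weak statement and a loopback-only, keyed one.
WEAK = 'controls { inet * port 953 allow { any; key "rndc-key"; }; };'
HARDENED = 'controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };'

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED), ("disabled", "controls { };")):
        print(name)
        for addr, finding in audit(text):
            print("  ", addr, finding, "-", MEANING[finding])
```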
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575746"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575763"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">include</strong></span> statement inserts the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync specified file at the point where the <span><strong class="command">include</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statement is encountered. The <span><strong class="command">include</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statement facilitates the administration of configuration files
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync by permitting the reading or writing of some things but not
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync others. For example, the statement could include private keys
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync that are readable only by the name server.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575786"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync algorithm <em class="replaceable"><code>string</code></em>;
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync secret <em class="replaceable"><code>string</code></em>;
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync};</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575810"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">key</strong></span> statement defines a shared
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync or the command channel
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Usage”</a>).
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">key</strong></span> statement can occur at the top level
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync of the configuration file or inside a <span><strong class="command">view</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statement. Keys defined in top-level <span><strong class="command">key</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statements can be used in all views. Keys intended for use in
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync a <span><strong class="command">controls</strong></span> statement
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Usage”</a>)
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync must be defined at the top level.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <em class="replaceable"><code>key_id</code></em>, also known as the
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync key name, is a domain name uniquely identifying the key. It can
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync be used in a <span><strong class="command">server</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync statement to cause requests sent to that
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync server to be signed with this key, or in address match lists to
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync verify that incoming requests have been signed with a key
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync matching this name, algorithm, and secret.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <em class="replaceable"><code>algorithm_id</code></em> is a string
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync that specifies a security/authentication algorithm. Named supports
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync and <code class="literal">hmac-sha512</code> TSIG authentication.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Truncated hashes are supported by appending the minimum
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync number of required bits preceded by a dash, e.g.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <em class="replaceable"><code>secret_string</code></em> is the secret
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync to be used by the algorithm, and is treated as a base-64
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync encoded string.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2575969"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<pre class="programlisting"><span><strong class="command">logging</strong></span> {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync | <span><strong class="command">stderr</strong></span>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync | <span><strong class="command">null</strong></span> );
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync }; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync }; ]
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync ...
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync}</pre>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync<a name="id2576163"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync The <span><strong class="command">logging</strong></span> statement configures a
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync associates output methods, format options and severity levels with
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync a name that can then be used with the <span><strong class="command">category</strong></span> phrase
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync to select how various classes of messages are logged.
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync Only one <span><strong class="command">logging</strong></span> statement is used to define
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync the logging configuration will be:
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync category default { default_syslog; default_debug; };
4fd606d1f5abe38e1f42c38de1d2e895166bd0f4vboxsync category unmatched { null; };
In <acronym class="acronym">BIND</acronym> 9, the logging configuration
is only established when
the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
established as soon as the <span><strong class="command">logging</strong></span> statement
was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the "<code class="option">-g</code>" option
was specified.
<a name="id2576215"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.
Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the
category name and/or severity level (the default is not to include any).
The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.
The <span><strong class="command">file</strong></span> destination clause directs
the channel to a disk file. It can include limitations
both on how large the file is allowed to become, and how many versions
of the file will be saved each time the file is opened.
If you use the <span><strong class="command">versions</strong></span> log file
option, then
<span><strong class="command">named</strong></span> will retain that many backup
versions of the file by
renaming them when opening. For example, if you choose to keep
three old versions
of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to not limit
the number of versions.
If a <span><strong class="command">size</strong></span> option is associated with
the log file,
then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any
log file is simply appended.
The <span><strong class="command">size</strong></span> option for files is used
to limit log
growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are rolled as
described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log
until some out-of-band mechanism removes or truncates the log to
less than the
maximum size. The default behavior is not to limit the size of
Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
The <span><strong class="command">syslog</strong></span> destination clause
directs the
channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>; however, not all facilities
are supported on
all operating systems.
How <span><strong class="command">syslog</strong></span> will handle messages sent to
this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.
The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
levels
will be accepted.
If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.
The <span><strong class="command">stderr</strong></span> destination clause
directs the
channel to the server's standard error stream. This is intended for
use when the server is running as a foreground process, for example
when debugging a configuration.
The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is greater
than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
will get debugging output of level 3 or less any time the
server is in debugging mode, regardless of the global debugging
level. Channels with <span><strong class="command">dynamic</strong></span>
severity use the
server's global debug level to determine what messages to print.
If <span><strong class="command">print-time</strong></span> has been turned on,
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
be used in any combination, and will always be printed in the
following
order: time, category, severity. Here is an example where all
three <span><strong class="command">print-</strong></span> options are on:
<code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
There are four predefined channels that are used for
<span><strong class="command">named</strong></span>'s default logging as follows.
How they are
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-f' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};
</pre>
The <span><strong class="command">default_debug</strong></span> channel has the
special
property that it only produces output when the server's debug level is
nonzero. It normally writes to a file called <code class="filename">named.run</code>
in the server's working directory.
For security reasons, when the "<code class="option">-u</code>"
command line option is used, the <code class="filename">named.run</code> file
is created only after <span><strong class="command">named</strong></span> has
changed to the
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the "<code class="option">-g</code>"
option and redirect standard error to a file.
Once a channel is defined, it cannot be redefined. Thus you
cannot alter the built-in channels directly, but you can modify
the default logging by pointing categories at channels you have
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
There are many categories, so you can send the logs you want
to see wherever you want, without seeing logs you don't want. If
you don't specify a list of channels for a category, then log messages
in that category will be sent to the <span><strong class="command">default</strong></span> category
instead. If you don't specify a default category, the following
"default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
As an example, let's say you want to log security events to
a file, but you also want to keep the default logging behavior. You'd
specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
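The channel and category rules above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the BIND documentation or of BIND itself: a small Python lint over a logging statement that reports a file channel with size but no versions (named stops writing once the size is exceeded), a file channel without print-time yes (no time stamp by default), a redefined channel, a category pointing at an undefined channel, and a security category routed only to null. The function names, finding codes and SAMPLE_CONFIG are hypothetical and constructed for illustration.

```python
import re
import shlex

# Built-in channel names listed in the text; they cannot be redefined.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}
# Categories the text describes as approval and denial of (update) requests.
SECURITY_CATEGORIES = {"security", "update-security"}
DESTINATIONS = {"file", "syslog", "stderr", "null"}


def strip_comments(text):
    """Remove /* */, // and # comments (quoted strings are not special-cased)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?://|#)[^\n]*", "", text)


def parse_logging(text):
    """Return ([(channel, clauses)], [(category, channel_names)])."""
    text = strip_comments(text)
    channels = []
    # The lookbehind keeps "print-category" from being read as a category phrase.
    for name, body in re.findall(r"(?<![\w-])channel\s+([\w-]+)\s*\{([^}]*)\}", text):
        clauses = [shlex.split(c) for c in body.split(";") if c.strip()]
        channels.append((name, clauses))
    categories = []
    for name, body in re.findall(r"(?<![\w-])category\s+([\w-]+)\s*\{([^}]*)\}", text):
        categories.append((name, [c.strip() for c in body.split(";") if c.strip()]))
    return channels, categories


def lint_logging(text):
    """Return a list of (name, finding_code) tuples for one logging statement."""
    channels, categories = parse_logging(text)
    findings = []
    defined = set(BUILTIN_CHANNELS)
    for name, clauses in channels:
        if name in defined:
            findings.append((name, "redefined"))
        defined.add(name)
        dest = next((c for c in clauses if c[0] in DESTINATIONS), None)
        if dest is None:
            # Every channel definition must include a destination clause.
            findings.append((name, "no-destination"))
        elif dest[0] == "file":
            options = dest[2:]  # tokens after: file "path"
            if "size" in options and "versions" not in options:
                findings.append((name, "size-without-versions"))
            if ["print-time", "yes"] not in clauses:
                findings.append((name, "no-timestamp"))
    for name, chans in categories:
        for chan in chans:
            if chan not in defined:
                findings.append((name, "undefined-channel"))
        if name in SECURITY_CATEGORIES and chans and all(c == "null" for c in chans):
            findings.append((name, "security-discarded"))
    return findings


# Constructed sample input, written for this example.
SAMPLE_CONFIG = """
logging {
    channel audit {
        file "security.log" size 20m;      // size, but no versions
        severity info;
    };
    channel rotated {
        file "example.log" versions 3 size 20m;
        print-time yes;
        print-category yes;
    };
    channel null { null; };                // attempts to redefine a built-in
    category security { null; };
    category update-security { audit; default_syslog; };
    category queries { rotated; query_log; };   // query_log is never defined
};
"""

if __name__ == "__main__":
    for subject, code in lint_logging(SAMPLE_CONFIG):
        print(f"{subject}: {code}")
```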
Following are the available categories and brief descriptions
of the types of log information they contain. More
categories may be added in future <acronym class="acronym">BIND</acronym> releases.
<p><span><strong class="command">default</strong></span></p>
The default category defines the logging
options for those categories where no specific
configuration has been
<p><span><strong class="command">general</strong></span></p>
The catch-all. Many things still aren't
classified into categories, and they all end up here.
<p><span><strong class="command">database</strong></span></p>
Messages relating to the databases used
internally by the name server to store zone and cache
<p><span><strong class="command">security</strong></span></p>
Approval and denial of requests.
<p><span><strong class="command">config</strong></span></p>
Configuration file parsing and processing.
<p><span><strong class="command">resolver</strong></span></p>
DNS resolution, such as the recursive
lookups performed on behalf of clients by a caching name
<p><span><strong class="command">xfer-in</strong></span></p>
Zone transfers the server is receiving.
<p><span><strong class="command">xfer-out</strong></span></p>
Zone transfers the server is sending.
<p><span><strong class="command">notify</strong></span></p>
The NOTIFY protocol.
<p><span><strong class="command">client</strong></span></p>
Processing of client requests.
<p><span><strong class="command">unmatched</strong></span></p>
Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr; by
default it is sent to
the <span><strong class="command">null</strong></span> channel.
<p><span><strong class="command">network</strong></span></p>
Network operations.
<p><span><strong class="command">update</strong></span></p>
Dynamic updates.
<p><span><strong class="command">update-security</strong></span></p>
Approval and denial of update requests.
<p><span><strong class="command">queries</strong></span></p>
Specify where queries should be logged to.
At startup, specifying the category <span><strong class="command">queries</strong></span> will also
enable query logging unless <span><strong class="command">querylog</strong></span> option has been
The query log entry reports the client's IP
address and port number, and the query name,
class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
EDNS was in use (E), if TCP was used (T), if
DO (DNSSEC Ok) was set (D), or if CD (Checking
Disabled) was set (C). After this the
destination address the query was sent to is
<code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
<code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
(The first part of this log message, showing the
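The query log format described above can be decoded into structured records for review or alerting. The following is an added example, not part of the BIND documentation: a Python parser for the sample lines shown, which decodes the Recursion Desired marker and the S, E, T, D and C letters, tolerates a leading print-time/print-category/print-severity prefix, and skips lines that are not query entries. The function names and field names are hypothetical; the third sample line is constructed, and anything after the flags is kept verbatim because the samples on this page do not show that field.

```python
import re
from collections import Counter

# Letters that may follow the Recursion Desired marker, as listed in the text.
FLAG_NAMES = {
    "S": "signed",
    "E": "edns",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
}

# client <addr>#<port> (<name>): query: <qname> <class> <type> <+|-><letters>
# search() is used so that a time/category/severity prefix is tolerated.
QUERY_RE = re.compile(
    r"\bclient (?P<addr>[^\s#]+)#(?P<port>\d+)"
    r"(?: \((?P<orig>[^)]*)\))?: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>[SETDC]*)"
    r"(?P<trailer>.*)$"
)


def parse_query_line(line):
    """Return a dict for one query-log line, or None if it is not one."""
    line = line.rstrip("\r\n")
    m = QUERY_RE.search(line)
    if m is None:
        return None
    record = {
        "prefix": line[: m.start()].strip(),   # print-* output, if any
        "client": m.group("addr"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion_desired": m.group("rd") == "+",
        "trailer": m.group("trailer").strip(),  # kept verbatim, not interpreted
    }
    for letter, name in FLAG_NAMES.items():
        record[name] = letter in m.group("flags")
    return record


def summarize(lines):
    """Count queries per client, TCP queries, and lines that did not parse."""
    per_client = Counter()
    tcp = skipped = 0
    for line in lines:
        record = parse_query_line(line)
        if record is None:
            skipped += 1
            continue
        per_client[record["client"]] += 1
        tcp += record["tcp"]
    return {"per_client": dict(per_client), "tcp": tcp, "skipped": skipped}


SAMPLE_LINES = [
    # The two query samples shown on this page.
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    # Constructed line: all three print- options on, in the order time,
    # category, severity, with a query sent over TCP.
    "28-Feb-2000 15:05:32.863 queries: info: client 127.0.0.1#62538 "
    "(www.example.com): query: www.example.com IN A +T",
    # The query-errors sample from this page; it is not a query entry.
    "client 127.0.0.1#61502: query failed (SERVFAIL) for "
    "www.example.com/IN/AAAA at query.c:3880",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_query_line(sample))
    print(summarize(SAMPLE_LINES))
```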
<a name="id2577670"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
resolution for AAAA records of www.example.com completed
likely com and example.com.
<a name="id2578121"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
<a name="id2578263"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<a name="id2578327"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<a name="id2578371"></a><span><strong class="command">masters</strong></span> Statement Definition and
<a name="id2578392"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
[<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-new-zones <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em> [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>] ; } ; </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note some TLDs are not delegation only (e.g. "DE", "LV",
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Additionally a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
<span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
IPv4 address as in IN-ADDR.ARPA.
representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
as *.example.com is used normally after the asterisk (*)
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
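<p>An added example, not part of the BIND distribution or of this manual: a Python review helper that decodes the <code>rpz-ip</code> and <code>rpz-nsip</code> owner names shown above back into address blocks, re-encodes a block as an owner name, and reports the action of each CNAME record. The function names are hypothetical; the sample records are the ones from the zone above, and the PASSTHRU test follows the form of its <code>32.1.0.0.127.rpz-ip</code> record.</p>

```python
"""Decode and encode rpz-ip / rpz-nsip owner names from a response policy zone."""
import ipaddress

IP_TRIGGERS = ("rpz-ip", "rpz-nsip")

# Records taken from the example zone on this page (owner names relative to the zone).
SAMPLE_ZONE = """\
8.0.0.0.127.rpz-ip        CNAME .
32.1.0.0.127.rpz-ip       CNAME 32.1.0.0.127.   ; PASSTHRU for 127.0.0.1
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip     CNAME .
"""


def decode_trigger(owner):
    """Return (trigger_kind, network) for an owner such as '8.0.0.0.127.rpz-ip'."""
    labels = owner.rstrip(".").lower().split(".")
    kind = labels[-1]
    if kind not in IP_TRIGGERS or len(labels) < 3:
        raise ValueError(f"not an IP trigger: {owner!r}")
    prefix = int(labels[0])
    # Address labels are stored reversed, as in IN-ADDR.ARPA; undo that.
    words = list(reversed(labels[1:-1]))
    if "zz" not in words and len(words) == 4:
        # strict=True rejects entries whose host bits are set (e.g. 127.0.0.1/8).
        return kind, ipaddress.IPv4Network((".".join(words), prefix), strict=True)
    if words.count("zz") > 1:
        raise ValueError(f"more than one 'zz' in {owner!r}")
    if "zz" in words:
        gap = words.index("zz")
        fill = 8 - (len(words) - 1)       # 'zz' plays the role of '::'
        if fill < 1:
            raise ValueError(f"'zz' stands for no words in {owner!r}")
        words = words[:gap] + ["0"] * fill + words[gap + 1:]
    if len(words) != 8:
        raise ValueError(f"wrong number of address labels in {owner!r}")
    value = 0
    for word in words:
        part = int(word, 16)
        if not 0 <= part <= 0xFFFF:
            raise ValueError(f"bad IPv6 word {word!r} in {owner!r}")
        value = (value << 16) | part
    return kind, ipaddress.IPv6Network((value, prefix), strict=True)


def encode_trigger(network, kind="rpz-ip"):
    """Return the owner name (relative to the policy zone) for an address block."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        words = str(net.network_address).split(".")
    else:
        value = int(net.network_address)
        nums = [(value >> shift) & 0xFFFF for shift in range(112, -1, -16)]
        words = [format(n, "x") for n in nums]
        # The longest run of two or more zero words collapses to a single 'zz'.
        best_start, best_len, i = 0, 0, 0
        while i < 8:
            j = i
            while j < 8 and nums[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = max(j, i + 1)
        if best_len >= 2:
            words[best_start:best_start + best_len] = ["zz"]
    return ".".join([str(net.prefixlen)] + words[::-1] + [kind])


def policy_action(owner, target):
    """Classify a CNAME target using the conventions of the page's example zone."""
    if target == ".":
        return "NXDOMAIN"
    if target == "*.":
        return "NODATA"
    # The page's PASSTHRU record points at the owner with the trigger label removed.
    if target.lower() == owner.rsplit(".", 1)[0].lower() + ".":
        return "PASSTHRU"
    return "LOCAL-DATA"


def audit(zone_text):
    """List (trigger_kind, address_block, action) for every IP-trigger CNAME record."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop zone-file comments
        if len(fields) != 3 or fields[1].upper() != "CNAME":
            continue
        owner, _, target = fields
        if owner.rsplit(".", 1)[-1].lower() not in IP_TRIGGERS:
            continue                                # QNAME or rpz-nsdname trigger
        kind, net = decode_trigger(owner)
        findings.append((kind, str(net), policy_action(owner, target)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE):
        print(*finding)
```

<p>Running <code>audit</code> over a policy zone before loading it shows which address blocks it rewrites; an entry with host bits set or a malformed label raises <code>ValueError</code> rather than being silently misread.</p>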
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2590137"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2590277"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2590324"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2590749"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2592429"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non-recursive queries (i.e., those with the RD
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2598990"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2599006"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2599067"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2599137"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2599173"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2603719"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&#160;</td>