Bv9ARM.ch06.html revision 3e240d6559605696cadf630668683708b18de871
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&#160;6.&#160;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&#160;5.&#160;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&#160;7.&#160;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter&#160;6.&#160;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573300">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574165"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574423"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">include</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574891"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574915"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575009"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575144"><span><strong class="command">logging</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577350"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577447"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577611"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577660"><span><strong class="command">masters</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577682"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592668"><span><strong class="command">statistics-channels</strong></span> Statement Definition and</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593085"><span><strong class="command">trusted-keys</strong></span> Statement Definition</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593139"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593574"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595590"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2599216">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601446">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601993">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602120">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602461"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl>
<p>
 <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
 to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
 areas of configuration, such as views. <acronym class="acronym">BIND</acronym>
 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
 found in <acronym class="acronym">BIND</acronym> 9.
</p>
<p>
 <acronym class="acronym">BIND</acronym> 4 configuration files can be
 converted to the new format
 using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
 Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
 file documentation:
</p>
<div class="informaltable"><table border="1">
<tr>
<td><p><code class="varname">acl_name</code></p></td>
<td><p>
 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.
</p></td>
</tr>
<tr>
<td><p><code class="varname">address_match_list</code></p></td>
<td><p>
 A list of one or more
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements, see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">masters_list</code></p></td>
<td><p>
 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and/or
 A <code class="varname">masters_list</code> may include other
 <code class="varname">masters_lists</code>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">domain_name</code></p></td>
<td><p>
 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".
</p></td>
</tr>
<tr>
<td><p><code class="varname">namelist</code></p></td>
<td><p>
 A list of one or more <code class="varname">domain_name</code>
</p></td>
</tr>
<tr>
<td><p><code class="varname">dotted_decimal</code></p></td>
<td><p>
 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip4_addr</code></p></td>
<td><p>
 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip6_addr</code></p></td>
<td><p>
 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their
 scope zones must be disambiguated by an appropriate
 zone ID with the percent character (`%') as
 delimiter. It is strongly recommended to use
 string zone names rather than numeric identifiers,
 in order to be robust against system configuration
 changes. However, since there is no standard
 mapping for such names and identifier values,
 currently only interface names as link identifiers
 are supported, assuming one-to-one mapping between
 interfaces and links. For example, a link-local
 address <span><strong class="command">fe80::1</strong></span> on the link
 attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses
 always have the ambiguity, and need to be
 disambiguated.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip_addr</code></p></td>
<td><p>
 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip_dscp</code></p></td>
<td><p>
 A <code class="varname">number</code> between 0 and 63, used
 to select a differentiated services code point (DSCP)
 value for use with outgoing traffic on operating systems
 that support DSCP.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip_port</code></p></td>
<td><p>
 An IP port <code class="varname">number</code>.
 The <code class="varname">number</code> is limited to 0
 through 65535, with values
 below 1024 typically restricted to use by processes running
 In some cases, an asterisk (`*') character can be used as a
 placeholder to
 select a random high-numbered port.
</p></td>
</tr>
<tr>
<td><p><code class="varname">ip_prefix</code></p></td>
<td><p>
 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 Trailing zeros in an <code class="varname">ip_addr</code>
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
<p>
 When specifying a prefix involving an IPv6 scoped address
 the scope may be omitted. In that case the prefix will
 match packets from any scope.
</p></td>
</tr>
<tr>
<td><p><code class="varname">key_id</code></p></td>
<td><p>
 A <code class="varname">domain_name</code> representing
 the name of a shared key, to be used for transaction
</p></td>
</tr>
<tr>
<td><p><code class="varname">key_list</code></p></td>
<td><p>
 A list of one or more
 separated by semicolons and ending with a semicolon.
</p></td>
</tr>
<tr>
<td><p><code class="varname">number</code></p></td>
<td><p>
 A non-negative 32-bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
</p></td>
</tr>
<tr>
<td><p><code class="varname">path_name</code></p></td>
<td><p>
 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">port_list</code></p></td>
<td><p>
 A list of an <code class="varname">ip_port</code> or a port
 A port range is specified in the form of
 <strong class="userinput"><code>range</code></strong> followed by
 <code class="varname">port_high</code>, which represents
 port numbers from <code class="varname">port_low</code> through
 <code class="varname">port_high</code>, inclusive.
 <code class="varname">port_low</code> must not be larger than
 <strong class="userinput"><code>range 1024 65535</code></strong> represents
 ports from 1024 through 65535.
 In either case an asterisk (`*') character is not
 allowed as a valid <code class="varname">ip_port</code>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">size_spec</code></p></td>
<td><p>
 A 64-bit unsigned integer, or the keywords
 <strong class="userinput"><code>unlimited</code></strong> or
 <strong class="userinput"><code>default</code></strong>.
</p>
<p>
 Integers may take values
 0 &lt;= value &lt;= 18446744073709551615, though
 certain parameters
 (such as <span><strong class="command">max-journal-size</strong></span>) may
 use a more limited range within these extremes.
 In most cases, setting a value to 0 does not
 literally mean zero; it means "undefined" or
 "as big as possible", depending on the context.
 See the explanations of particular parameters
 that use <code class="varname">size_spec</code>
 for details on how they interpret its use.
</p>
<p>
 Numeric values can optionally be followed by a
 scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
 for gigabytes, which scale by 1024, 1024*1024, and
 1024*1024*1024 respectively.
</p>
<p>
 <code class="varname">unlimited</code> generally means
 "as big as possible", and is usually the best
 way to safely set a very large number.
</p>
<p>
 uses the limit that was in force when the server was started.
</p></td>
</tr>
<tr>
<td><p><code class="varname">yes_or_no</code></p></td>
<td><p>
 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.
</p></td>
</tr>
<tr>
<td><p><code class="varname">dialup_option</code></p></td>
<td><p>
 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
</p></td>
</tr>
</table></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573131"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573159"></a>Definition and Usage</h4></div></div></div>
<p>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements which constitute an address match
 list can be any of the following:
</p>
<ul>
<li>a key ID, as defined by the <span><strong class="command">key</strong></span></li>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement</li>
<li>a nested address match list enclosed in braces</li>
</ul>
<p>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets" are predefined. More information on those names
 can be found in the description of the acl statement.
</p>
<p>
 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless, the term "address match list" is still used
 throughout the documentation.
</p>
<p>
 When a given IP address or prefix is compared to an address
 match list, the comparison takes place in approximately O(1)
 time. However, key comparisons require that the list of keys
 be traversed until a matching key is found, and therefore may
 be somewhat slower.
</p>
<p>
 The interpretation of a match depends on whether the list is being
 used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
 <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
 When used as an access control list, a non-negated match
 allows access and a negated match denies access. If
 there is no match, access is denied. The clauses
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>,
 <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-query-cache</strong></span>,
 <span><strong class="command">allow-query-cache-on</strong></span>,
 <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">allow-update</strong></span>,
 <span><strong class="command">allow-update-forwarding</strong></span>,
 <span><strong class="command">blackhole</strong></span>, and
 <span><strong class="command">keep-response-order</strong></span> all use address match
 lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
 server to refuse queries on any of the machine's
 addresses which do not match the list.
</p>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater Order of insertion is significant. If more than one element
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater in an ACL is found to match a given IP address or prefix,
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater preference will be given to the one that came
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <span class="emphasis"><em>first</em></span> in the ACL definition.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater Because of this first-match behavior, an element that
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater defines a subset of another element in the list should
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater come before the broader element, regardless of whether
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater either is negated. For example, in
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater the 1.2.3.13 element is completely useless because the
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater that problem by having 1.2.3.13 blocked by the negation, but
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater all other 1.2.3.* hosts fall through.
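The first-match rule described above can be checked mechanically. The following Python is an added example, not code from BIND or from this manual; the function names are hypothetical, and it handles only IP address and prefix elements (no keys, named ACLs or nested lists). It evaluates a list the way the text describes and reports elements that can never be reached because an earlier, broader element covers them.

```python
import ipaddress


def parse_element(text):
    """Parse one element such as '1.2.3/24' or '! 1.2.3.13'.

    Returns (negated, network). Only IP addresses and prefixes are handled;
    key, named-ACL and nested-list elements are outside this example's scope.
    """
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    addr, slash, bits = text.partition("/")
    if ":" not in addr:
        # The page writes the prefix as 1.2.3/24; pad the omitted octets.
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return negated, ipaddress.ip_network(addr + slash + bits)


def parse_list(text):
    """Split a semicolon-separated address match list into parsed elements."""
    return [parse_element(e) for e in text.split(";") if e.strip()]


def evaluate(acl, client):
    """Access-control interpretation: the first matching element decides.

    A non-negated match allows, a negated match denies, no match denies.
    """
    ip = ipaddress.ip_address(client)
    for negated, net in acl:
        if ip.version == net.version and ip in net:
            return not negated
    return False


def shadowed(acl):
    """Indexes of elements fully covered by an earlier element.

    Such an element can never be the first match, so it has no effect.
    """
    dead = []
    for i, (_, net) in enumerate(acl):
        for _, earlier in acl[:i]:
            if net.version == earlier.version and net.subnet_of(earlier):
                dead.append(i)
                break
    return dead


# The two orderings discussed in the text.
BROAD_FIRST = "1.2.3/24; ! 1.2.3.13;"
NARROW_FIRST = "! 1.2.3.13; 1.2.3/24;"

if __name__ == "__main__":
    for label, text in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        acl = parse_list(text)
        print(label, "| 1.2.3.13 allowed:", evaluate(acl, "1.2.3.13"),
              "| unreachable elements:", shadowed(acl))
```

Running `shadowed()` over every ACL before a configuration is deployed catches a negation that was meant to block a host but sits behind the prefix that admits it.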
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews<a name="id2573300"></a>Comment Syntax</h3></div></div></div>
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews comments to appear
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater file. To appeal to programmers of all kinds, they can be written
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<div class="titlepage"><div><div><h4 class="title">
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<a name="id2573383"></a>Syntax</h4></div></div></div>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater# and perl</pre>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<div class="titlepage"><div><div><h4 class="title">
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater<a name="id2573413"></a>Definition and Usage</h4></div></div></div>
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater Comments may appear anywhere that whitespace may appear in
19dbf2e20df03f2b81ed1f347e27718084374059Automatic Updater a <acronym class="acronym">BIND</acronym> configuration file.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater C-style comments start with the two characters /* (slash,
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater star) and end with */ (star, slash). Because they are completely
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater delimited with these characters, they can be used to comment only
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater a portion of a line or to span multiple lines.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater C-style comments cannot be nested. For example, the following
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater is not valid because the entire comment ends with the first */:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">/* This is the start of a comment.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington This is still part of the comment.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington/* This is an incorrect attempt at nesting a comment. */
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington This is no longer in any comment. */</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater C++-style comments start with the two characters // (slash,
0fde13e46fef2ac9d8250adb92263f436425a914Automatic Updater slash) and continue to the end of the physical line. They cannot
0fde13e46fef2ac9d8250adb92263f436425a914Automatic Updater be continued across multiple physical lines; to have one logical
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater comment span multiple lines, each line must use the // pair.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">// This is the start of a comment. The next line
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater// is a new comment, even though it is logically
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater// part of the previous comment.</pre>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater Shell-style (or perl-style, if you prefer) comments start
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater with the character <code class="literal">#</code> (number sign)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and continue to the end of the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater physical line, as in C++ comments.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"># This is the start of a comment. The next line
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater# is a new comment, even though it is logically
d9f94d668f4b9342e9367d80e9fc6e81fab303a0Mark Andrews# part of the previous comment.</pre>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington You cannot use the semicolon (`;') character
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to start a comment such as you would in a zone file. The
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater semicolon indicates the end of a configuration
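Tools that audit or diff a configuration file have to remove comments by the same rules, or they will misread it. The following Python is an added example, not code from BIND; `strip_comments` is a hypothetical name. It assumes, as is usual for lexers of this kind, that comment markers inside a double-quoted string are part of the string and that a backslash escapes the next character there, which matters because a base64 key secret can contain `//`.

```python
def strip_comments(text):
    """Remove the three comment styles described on this page.

    /* ... */ ends at the first */ (no nesting); // and # run to the end of
    the physical line; a semicolon never starts a comment. Quoted strings
    are copied through untouched (assumption stated in the lead-in).
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:
                # Keep an escaped character, including an escaped quote.
                out.append(text[i + 1])
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            out.append(" ")          # a comment stands where whitespace may
            i = end + 2
        elif text.startswith("//", i) or ch == "#":
            end = text.find("\n", i)
            i = n if end == -1 else end   # keep the newline itself
        else:
            out.append(ch)
            i += 1
    return "".join(out)


# The nesting attempt shown on this page: the comment ends at the first */,
# so the last line is left behind as configuration text.
NESTED = (
    "/* This is the start of a comment.\n"
    " This is still part of the comment.\n"
    "/* This is an incorrect attempt at nesting a comment. */\n"
    " This is no longer in any comment. */\n"
)

# Constructed sample: a quoted secret containing // and #, then a comment.
SECRET_LINE = 'secret "ab//cd#ef==";  // rotate quarterly\n'

if __name__ == "__main__":
    print(repr(strip_comments(NESTED)))
    print(repr(strip_comments(SECRET_LINE)))
```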
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater A <acronym class="acronym">BIND</acronym> 9 configuration consists of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater statements and comments.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Statements end with a semicolon. Statements and comments are the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater only elements that can appear without enclosing braces. Many
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater statements contain a block of sub-statements, which are also
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater terminated with a semicolon.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The following statements are supported:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="informaltable"><table border="1">
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater <p><span><strong class="command">acl</strong></span></p>
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater defines a named IP address
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater matching list, for access control and other uses.
1959fd489a8832e4e3d311670f64ae18e5d08156Automatic Updater <p><span><strong class="command">controls</strong></span></p>
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews declares control channels to be used
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews by the <span><strong class="command">rndc</strong></span> utility.
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater <p><span><strong class="command">include</strong></span></p>
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater includes a file.
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont <p><span><strong class="command">key</strong></span></p>
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont specifies key information for use in
4dca64bb8991502db368028aeeba2f832d3b971dAutomatic Updater authentication and authorization using TSIG.
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater <p><span><strong class="command">logging</strong></span></p>
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater specifies what the server logs, and where
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater the log messages are sent.
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater <p><span><strong class="command">lwres</strong></span></p>
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater configures <span><strong class="command">named</strong></span> to
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <p><span><strong class="command">masters</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater defines a named masters list for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater inclusion in stub and slave zones'
c53a6f37deaa396660adb6a4ca600c4a58adfd3fAutomatic Updater <span><strong class="command">masters</strong></span> or
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">also-notify</strong></span> lists.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">options</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater controls global server configuration
5acd63107041b5b0bed444e2bc29f4bca0c13e28Automatic Updater options and sets defaults for other statements.
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater <p><span><strong class="command">server</strong></span></p>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater sets certain configuration options on
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater a per-server basis.
4104e236f71eb5108fcfda6711878a97f6f4a8e7Automatic Updater <p><span><strong class="command">statistics-channels</strong></span></p>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater declares communication channels to get access to
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <span><strong class="command">named</strong></span> statistics.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">trusted-keys</strong></span></p>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater defines trusted DNSSEC keys.
f8a9a38ee40c139a8d145ac76ecbff3a0f986453Mark Andrews <p><span><strong class="command">managed-keys</strong></span></p>
9d80d23172c30fd63e5046a7e69b8445e564ff31Automatic Updater lists DNSSEC keys to be kept up to date
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater using RFC 5011 trust anchor maintenance.
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews <p><span><strong class="command">view</strong></span></p>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews defines a view.
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews <p><span><strong class="command">zone</strong></span></p>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews defines a zone.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater The <span><strong class="command">logging</strong></span> and
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <span><strong class="command">options</strong></span> statements may only occur once per
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater configuration.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews<a name="id2574165"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater address_match_list
};</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The <span><strong class="command">acl</strong></span> statement assigns a symbolic
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater name to an address match list. It gets its name from a primary
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater use of address match lists: Access Control Lists (ACLs).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The following ACLs are built-in:
79cea03ba823e2d3a34895f0ba91d7fb5ad799e7Automatic Updater<div class="informaltable"><table border="1">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">any</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Matches all hosts.
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater <p><span><strong class="command">none</strong></span></p>
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater Matches no hosts.
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington <p><span><strong class="command">localhost</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Matches the IPv4 and IPv6 addresses of all network
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington interfaces on the system. When addresses are
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington added or removed, the <span><strong class="command">localhost</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ACL element is updated to reflect the changes.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">localnets</strong></span></p>
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater Matches any host on an IPv4 or IPv6 network
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater for which the system has an interface.
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater When addresses are added or removed,
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater the <span><strong class="command">localnets</strong></span>
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater ACL element is updated to reflect the changes.
792b362aef91cab66c7075ad89b86194b6312d8bScott Mann Some systems do not provide a way to determine the prefix lengths of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington local IPv6 addresses.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater In such a case, <span><strong class="command">localnets</strong></span>
f65d2e1c04c806a185bf9f3120e80692f5ccd5e6Automatic Updater only matches the local
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2574423"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"><span><strong class="command">controls</strong></span> {
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater [ inet ( ip_addr | * ) [ port ip_port ]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater allow { <em class="replaceable"><code> address_match_list </code></em> }
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater keys { <em class="replaceable"><code>key_list</code></em> }; ]
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater keys { <em class="replaceable"><code>key_list</code></em> }; ]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [ unix ...; ]
};</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater The <span><strong class="command">controls</strong></span> statement declares control
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater channels to be used by system administrators to control the
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater operation of the name server. These control channels are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater used by the <span><strong class="command">rndc</strong></span> utility to send
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater commands to and retrieve non-DNS results from a name server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater An <span><strong class="command">inet</strong></span> control channel is a TCP socket
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater listening at the specified <span><strong class="command">ip_port</strong></span> on the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater interpreted as the IPv4 wildcard address; connections will be
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater accepted on any of the system's IPv4 addresses.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater To listen on the IPv6 wildcard address,
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater If you will only use <span><strong class="command">rndc</strong></span> on the local host,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater using the loopback address (<code class="literal">127.0.0.1</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington or <code class="literal">::1</code>) is recommended for maximum security.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If no port is specified, port 953 is used. The asterisk
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater The ability to issue commands over the control channel is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater restricted by the <span><strong class="command">allow</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">keys</strong></span> clauses.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater Connections to the control channel are permitted based on the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">address_match_list</strong></span>. This is for simple
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater IP address based filtering only; any <span><strong class="command">key_id</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington elements of the <span><strong class="command">address_match_list</strong></span>
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington socket listening at the specified path in the file system.
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
47ce374fcf4bac7a56bb69f5dae1d30be5b4376dAutomatic Updater <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Note that on some platforms (SunOS and Solaris) the permissions
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater as the permissions on the socket itself are ignored.
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater The primary authorization mechanism of the command
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater channel is the <span><strong class="command">key_list</strong></span>, which
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater contains a list of <span><strong class="command">key_id</strong></span>s.
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is authorized to execute commands over the control channel.
fd8fb4df8499e292daeac765f599ac7c507d9ca3Mark Andrews See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
fd8fb4df8499e292daeac765f599ac7c507d9ca3Mark Andrews for information about configuring keys in <span><strong class="command">rndc</strong></span>.
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater If no <span><strong class="command">controls</strong></span> statement is present,
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater <span><strong class="command">named</strong></span> will set up a default
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater control channel listening on the loopback address 127.0.0.1
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater and its IPv6 counterpart ::1.
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater In this case, and also when the <span><strong class="command">controls</strong></span> statement
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater is present but does not have a <span><strong class="command">keys</strong></span> clause,
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater <span><strong class="command">named</strong></span> will attempt to load the command channel key
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater from the file <code class="filename">rndc.key</code> in
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater was specified as when <acronym class="acronym">BIND</acronym> was built).
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater To create a <code class="filename">rndc.key</code> file, run
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater <strong class="userinput"><code>rndc-confgen -a</code></strong>.
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater The <code class="filename">rndc.key</code> feature was created to
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater which did not have digital signatures on its command channel
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater and still have <span><strong class="command">rndc</strong></span> work the same way
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Since the <code class="filename">rndc.key</code> feature
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater is only intended to allow the backward-compatible usage of
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <acronym class="acronym">BIND</acronym> 8 configuration files, this
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater feature does not
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater have a high degree of configurability. You cannot easily change
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater the key name or the size of the secret, so you should make a
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <code class="filename">rndc.conf</code> with your own key if you
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater wish to change
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater those things. The <code class="filename">rndc.key</code> file has its
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater permissions set such that only the owner of the file (the user that
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">named</strong></span> is running as) can access it.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If you desire greater flexibility in allowing other users to access
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">rndc</strong></span> commands, then you need to create a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">rndc.conf</code> file and make it group
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater readable by a group
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater that contains the users who should have access.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater To disable the command channel, use an empty
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">controls</strong></span> statement:
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <span><strong class="command">controls { };</strong></span>.
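The rules in this section (loopback recommended for local-only <span><strong class="command">rndc</strong></span>, the wildcard meaning of <code class="literal">*</code> and <code class="literal">::</code>, the <code class="filename">rndc.key</code> fallback when no <span><strong class="command">keys</strong></span> clause is given) translate into a short configuration check. The following Python is an added example, not code from BIND; the function names and both sample configurations are constructed for illustration, and it assumes comments are already removed and that the allow list contains no nested lists.

```python
import ipaddress
import re

# Braces and semicolons are tokens; quoted strings stay in one piece.
TOKEN = re.compile(r'[{};]|"[^"]*"|[^\s{};]+')


def parse_controls(conf):
    """Return the channels of the first controls statement, or None if absent."""
    toks = TOKEN.findall(conf)
    if "controls" not in toks:
        return None
    i = toks.index("controls") + 2            # skip 'controls' and '{'
    channels = []
    while toks[i] != "}":
        ch = {"type": toks[i], "target": toks[i + 1].strip('"'),
              "port": 953, "allow": None, "keys": None}   # 953 is the default
        i += 2
        while toks[i] != ";":
            word = toks[i]
            if word in ("allow", "keys"):
                close = toks.index("}", i)
                ch[word] = [t.strip('"') for t in toks[i + 2:close] if t != ";"]
                i = close + 1
            elif word == "port":
                ch["port"] = int(toks[i + 1])
                i += 2
            else:                              # perm, owner, group: one number
                ch[word] = toks[i + 1]
                i += 2
        channels.append(ch)
        i += 1                                 # step over the channel's ';'
    return channels


def audit(conf):
    """Return a list of findings about command channel exposure."""
    channels = parse_controls(conf)
    if channels is None:
        return ["no controls statement: default channel on 127.0.0.1 and ::1, "
                "key loaded from rndc.key"]
    if not channels:
        return ["command channel disabled"]
    findings = []
    for ch in channels:
        if ch["type"] == "inet":
            where = f'inet {ch["target"]} port {ch["port"]}'
            if ch["target"] in ("*", "::"):
                findings.append(f"{where}: listens on a wildcard address")
            elif not ipaddress.ip_address(ch["target"]).is_loopback:
                findings.append(f"{where}: not a loopback address")
            if ch["allow"] and "any" in ch["allow"]:
                findings.append(f"{where}: allow list contains any")
        else:
            where = f'unix {ch["target"]}'
        if ch["keys"] is None:
            findings.append(f"{where}: no keys clause, named falls back to rndc.key")
    return findings


# Constructed samples: an exposed configuration and a loopback-only one.
WEAK = '''
controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };
    inet 192.0.2.53 allow { 192.0.2.0/24; };
};
'''
HARDENED = '''
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1 allow { ::1; } keys { "rndc-key"; };
};
'''

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```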
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington<a name="id2574782"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
19dbf2e20df03f2b81ed1f347e27718084374059Automatic Updater<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<div class="titlepage"><div><div><h3 class="title">
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington<a name="id2574800"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater The <span><strong class="command">include</strong></span> statement inserts the
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater specified file at the point where the <span><strong class="command">include</strong></span>
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater statement is encountered. The <span><strong class="command">include</strong></span>
a6e1f63f50af688610ebd2521ba7f028767b51f3Mark Andrews statement facilitates the administration of configuration
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater by permitting the reading or writing of some things but not
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater others. For example, the statement could include private keys
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater that are readable only by the name server.
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<div class="titlepage"><div><div><h3 class="title">
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater<a name="id2574891"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater algorithm <em class="replaceable"><code>string</code></em>;
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater secret <em class="replaceable"><code>string</code></em>;
};</pre>
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater<div class="titlepage"><div><div><h3 class="title">
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater<a name="id2574915"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater The <span><strong class="command">key</strong></span> statement defines a shared
2f76b9339e44a89cc5195e9c18ea6b01d71c85deAutomatic Updater secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater or the command channel
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater Usage”</a>).
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater The <span><strong class="command">key</strong></span> statement can occur at the top level
bde1625cbc0256920625797a2cd4f05312f02ffaMark Andrews of the configuration file or inside a <span><strong class="command">view</strong></span>
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater statement. Keys defined in top-level <span><strong class="command">key</strong></span>
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater statements can be used in all views. Keys intended for use in
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater a <span><strong class="command">controls</strong></span> statement
5645e0c82a55b05abb975bd91b9566823dc5efb0Evan Hunt (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
5645e0c82a55b05abb975bd91b9566823dc5efb0Evan Hunt Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
5645e0c82a55b05abb975bd91b9566823dc5efb0Evan Hunt Usage”</a>)
5645e0c82a55b05abb975bd91b9566823dc5efb0Evan Hunt must be defined at the top level.
af3e516f771c8ba376a8cd954a7233badfce8cdcAutomatic Updater The <em class="replaceable"><code>key_id</code></em>, also known as the
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews key name, is a domain name uniquely identifying the key. It can
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews be used in a <span><strong class="command">server</strong></span>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews statement to cause requests sent to that
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews server to be signed with this key, or in address match lists to
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews verify that incoming requests have been signed with a key
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews matching this name, algorithm, and secret.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews The <em class="replaceable"><code>algorithm_id</code></em> is a string
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews that specifies a security/authentication algorithm. The
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <span><strong class="command">named</strong></span> server supports <code class="literal">hmac-md5</code>,
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews and <code class="literal">hmac-sha512</code> TSIG authentication.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Truncated hashes are supported by appending the minimum
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews number of required bits preceded by a dash, e.g.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <em class="replaceable"><code>secret_string</code></em> is the secret
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews to be used by the algorithm, and is treated as a base-64
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews encoded string.
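The include and key passages above both depend on the file that holds a secret being unreadable to other users. The following audit is an added example, not part of the BIND documentation or code: it follows include statements and reports any file containing a secret clause that is world-accessible or group-writable. It assumes relative include paths resolve against the top-level file's directory and that group read access is how named reads the key; all file names and secrets are constructed.

```python
import os
import re
import stat
import tempfile

# Quoted strings are matched first so that "//" inside a base-64 secret
# is not mistaken for the start of a comment.
_SKIP_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.DOTALL)
_INCLUDE_RE = re.compile(r'\binclude\s+"([^"\n]+)"\s*;')
_SECRET_RE = re.compile(r'\bsecret\s+"?[A-Za-z0-9+/=]+"?\s*;')


def strip_comments(text):
    """Blank out C, C++ and shell style comments, keeping quoted strings."""
    return _SKIP_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def audit_config(conf_path, base_dir=None, _seen=None):
    """Return [(path, problem)] for files that hold a secret clause but are
    world-accessible or group-writable. include statements are followed.

    Assumption: relative include paths are resolved against base_dir
    (default: the directory of the top-level file).
    """
    base_dir = base_dir or os.path.dirname(os.path.abspath(conf_path))
    seen = _seen if _seen is not None else set()
    real = os.path.realpath(conf_path)
    if real in seen:                      # guard against include loops
        return []
    seen.add(real)

    try:
        mode = stat.S_IMODE(os.stat(real).st_mode)
        with open(real, encoding="utf-8", errors="replace") as fh:
            text = strip_comments(fh.read())
    except OSError as exc:
        return [(conf_path, "unreadable: %s" % (exc.strerror or "error"))]

    findings = []
    if _SECRET_RE.search(text):
        if mode & 0o007:
            findings.append(
                (conf_path, "world-accessible (mode %s)" % oct(mode)))
        elif mode & 0o020:
            findings.append(
                (conf_path, "group-writable (mode %s)" % oct(mode)))
    for inc in _INCLUDE_RE.findall(text):
        path = inc if os.path.isabs(inc) else os.path.join(base_dir, inc)
        findings.extend(audit_config(path, base_dir, seen))
    return findings


def demo():
    """Build a constructed configuration tree in a temp dir and audit it."""
    key_body = ('key "xfer.example." {\n'
                '    algorithm hmac-sha256;\n'
                '    secret "c2FtcGxl//c2VjcmV0";\n'   # constructed value
                '};\n')
    files = {
        "named.conf": ('include "keys/tsig.key";\n'
                       'include "keys/open.key";\n'
                       '// include "keys/retired.key";\n'  # commented out
                       'include "zones.conf";\n', 0o644),
        "keys/tsig.key": (key_body, 0o640),   # owner rw, group r: accepted
        "keys/open.key": (key_body, 0o644),   # readable by everyone: flagged
        "zones.conf": ('zone "example" { type master; file "db.example"; };\n',
                       0o644),                # no secret, so mode is ignored
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "keys"))
        for name, (content, mode) in files.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, mode)
        top = os.path.join(root, "named.conf")
        return [(os.path.relpath(p, root), why)
                for p, why in audit_config(top)]


if __name__ == "__main__":
    for path, why in demo():
        print(path, why)
```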
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<div class="titlepage"><div><div><h3 class="title">
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<a name="id2575009"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"><span><strong class="command">logging</strong></span> {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
af3e516f771c8ba376a8cd954a7233badfce8cdcAutomatic Updater [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater | <span><strong class="command">stderr</strong></span>
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater | <span><strong class="command">null</strong></span> );
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater [ <span><strong class="command">buffered</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
 }; ]
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
 }; ]
};
</pre>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater<a name="id2575144"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater The <span><strong class="command">logging</strong></span> statement configures a
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater associates output methods, format options and severity levels with
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater a name that can then be used with the <span><strong class="command">category</strong></span> phrase
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater to select how various classes of messages are logged.
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater Only one <span><strong class="command">logging</strong></span> statement is used to define
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater the logging configuration will be:
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater category default { default_syslog; default_debug; };
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater category unmatched { null; };
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater If <span><strong class="command">named</strong></span> is started with the
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater <code class="option">-L</code> option, it logs to the specified file
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater at startup, instead of using syslog. In this case the logging
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater configuration will be:
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater category default { default_logfile; default_debug; };
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater category unmatched { null; };
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews In <acronym class="acronym">BIND</acronym> 9, the logging configuration
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is only established when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater established as soon as the <span><strong class="command">logging</strong></span> statement
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater was parsed. When the server is starting up, all logging messages
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington regarding syntax errors in the configuration file go to the default
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater channels, or to standard error if the <code class="option">-g</code> option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington was specified.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2575209"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington you can make as many of them as you want.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Every channel definition must include a destination clause that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater says whether messages selected for the channel go to a file, to a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington particular syslog facility, to the standard error stream, or are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater discarded. It can optionally also limit the message severity level
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that will be accepted by the channel (the default is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">info</strong></span>), and whether to include a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">named</strong></span>-generated time stamp, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater category name and/or severity level (the default is not to include any).
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington The <span><strong class="command">null</strong></span> destination clause
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater causes all messages sent to the channel to be discarded;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in that case, other options for the channel are meaningless.
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington The <span><strong class="command">file</strong></span> destination clause directs the channel
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater to a disk file. It can include limitations
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater both on how large the file is allowed to become, and how many
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater versions of the file will be saved each time the file is opened.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If you use the <span><strong class="command">versions</strong></span> log file option, then
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater <span><strong class="command">named</strong></span> will retain that many backup
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater versions of the file by
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater renaming them when opening. For example, if you choose to keep
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater three old versions
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater of the file <code class="filename">lamers.log</code>, then just
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater before it is opened
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater <code class="filename">lamers.log.1</code> is renamed to
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater renamed to <code class="filename">lamers.log.0</code>.
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater You can say <span><strong class="command">versions unlimited</strong></span> to not limit
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the number of versions.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If a <span><strong class="command">size</strong></span> option is associated with the log file,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater then renaming is only done when the file being opened exceeds the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater indicated size. No backup versions are kept by default; any existing
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater log file is simply appended.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <span><strong class="command">size</strong></span> option for files is used to limit log
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington associated with it. If backup versions are kept, the files are
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington renamed as described above and a new one begun. If there is no
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">versions</strong></span> option, no more data will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater be written to the log
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater until some out-of-band mechanism removes or truncates the log to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington less than the
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater maximum size. The default behavior is not to limit the size of the file.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Example usage of the <span><strong class="command">size</strong></span> and
8227257b1c0224a7991e04bb79dc5059d5062dfbAndreas Gustafsson <span><strong class="command">versions</strong></span> options:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">channel an_example_channel {
8227257b1c0224a7991e04bb79dc5059d5062dfbAndreas Gustafsson file "example.log" versions 3 size 20m;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater print-time yes;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater print-category yes;
};
</pre>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater The <span><strong class="command">syslog</strong></span> destination clause directs the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington channel to the system log. Its argument is a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater syslog facility as described in the <span><strong class="command">syslog</strong></span> man
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">local7</strong></span>, however not all facilities
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater are supported on
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington all operating systems.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater How <span><strong class="command">syslog</strong></span> will handle messages sent to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater then this clause is silently ignored.
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater On Windows machines syslog messages are directed to the EventViewer.
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
79cea03ba823e2d3a34895f0ba91d7fb5ad799e7Automatic Updater "priorities", except that they can also be used if you are writing
79cea03ba823e2d3a34895f0ba91d7fb5ad799e7Automatic Updater straight to a file rather than using <span><strong class="command">syslog</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Messages which are not at least of the severity level given will
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater not be selected for the channel; messages of higher severity
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington will be accepted.
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater will also determine what eventually passes through. For example,
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
7be29b99f8c13c432db3822102412a32bc1dbaa4Automatic Updater cause messages of severity <span><strong class="command">info</strong></span> and
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater <span><strong class="command">notice</strong></span> to
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater messages of only <span><strong class="command">warning</strong></span> or higher,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington then <span><strong class="command">syslogd</strong></span> would
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater print all messages it received from the channel.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <span><strong class="command">stderr</strong></span> destination clause directs the
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater channel to the server's standard error stream. This is intended for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater use when the server is running as a foreground process, for example
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater when debugging a configuration.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The server can supply extensive debugging information when
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater it is in debugging mode. If the server's global debug level is greater
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater than zero, then debugging mode will be active. The global debug
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater level is set either by starting the <span><strong class="command">named</strong></span> server
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater with the <code class="option">-d</code> flag followed by a positive integer,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater or by running <span><strong class="command">rndc trace</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The global debug level
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updaternotrace</strong></span>. All debugging messages in the server have a debug
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater level, and higher debug levels give more detailed output. Channels
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that specify a specific debug severity, for example:
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater<pre class="programlisting">channel specific_debug_level {
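765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater severity debug 3;
 // every channel needs a destination clause; this file name is a placeholder
 file "placeholder.log";
};
</pre>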
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater will get debugging output of level 3 or less any time the
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater server is in debugging mode, regardless of the global debugging
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater level. Channels with <span><strong class="command">dynamic</strong></span>
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater severity use the
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater server's global debug level to determine what messages to print.
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater If <span><strong class="command">print-time</strong></span> has been turned on,
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater the date and time will be logged. <span><strong class="command">print-time</strong></span> may
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater be specified for a <span><strong class="command">syslog</strong></span> channel,
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater but is usually
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater pointless since <span><strong class="command">syslog</strong></span> also logs
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater time. If <span><strong class="command">print-category</strong></span> is
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater requested, then the
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
de73ef7ecdb9e009155993a6fa8dee5cd1bde319Mark Andrews be used in any combination, and will always be printed in the
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater order: time, category, severity. Here is an example where all
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater three <span><strong class="command">print-</strong></span> options are on:
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
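Because the print- options can be enabled in any combination, a log consumer cannot assume that all three fields are present. The parser below is an added example, not BIND code: it recovers time, category and severity in the fixed order described above and then selects events by category and minimum severity. The category set holds only names that appear in this section, the "debug N:" rendering of debug severities is an assumption, and every sample line except the first is constructed.

```python
import re
from datetime import datetime

# Severity names from the channel grammar, most to least severe.
SEVERITY_ORDER = ["critical", "error", "warning", "notice", "info", "debug"]
# Category names that appear in this section; extend with the ones you log.
SAMPLE_CATEGORIES = frozenset(
    ["default", "general", "security", "xfer-out", "notify", "unmatched"])

_TIME_RE = re.compile(r"(\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
# A leading "word: " or "word N: " field (the latter assumed for debug levels).
_FIELD_RE = re.compile(r"([a-z][a-z0-9-]*(?: \d+)?): ")


def parse_line(line, categories=SAMPLE_CATEGORIES):
    """Split one named log line into time, category, severity and message.

    Fields that the channel did not print come back as None. A leading
    "word: " is only treated as a category if it is a known category name,
    so message text such as "running: fine" is left intact.
    """
    rec = {"time": None, "category": None, "severity": None,
           "debug_level": None}
    rest = line.rstrip("\n")

    m = _TIME_RE.match(rest)
    if m:
        rec["time"] = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        rest = rest[m.end():]

    m = _FIELD_RE.match(rest)
    if m and m.group(1) in categories:
        rec["category"] = m.group(1)
        rest = rest[m.end():]
        m = _FIELD_RE.match(rest)

    if m:
        name, _, level = m.group(1).partition(" ")
        # Only "debug" may carry a numeric level.
        if name in SEVERITY_ORDER and (not level or name == "debug"):
            rec["severity"] = name
            rec["debug_level"] = int(level) if level else None
            rest = rest[m.end():]

    rec["message"] = rest
    return rec


def select(lines, category, min_severity):
    """Return parsed records in `category` at `min_severity` or higher."""
    limit = SEVERITY_ORDER.index(min_severity)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec["category"] != category or rec["severity"] is None:
            continue
        if SEVERITY_ORDER.index(rec["severity"]) <= limit:
            out.append(rec)
    return out


SAMPLE_LINES = [
    # From the text above: all three print- options on.
    "28-Feb-2000 15:05:32.863 general: notice: running",
    # Constructed samples covering other combinations.
    "28-Feb-2000 15:06:01.120 security: info: client 192.0.2.10#53211: sample denied",
    "security: error: constructed sample message",            # no print-time
    "28-Feb-2000 15:06:02.000 warning: constructed sample",   # no category
    "general: debug 3: constructed sample",                   # debug level
    "running: fine",                                          # no print- options
]

if __name__ == "__main__":
    for rec in select(SAMPLE_LINES, "security", "info"):
        print(rec)
```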
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater If <span><strong class="command">buffered</strong></span> has been turned on the output
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater to files will not be flushed after each log entry. By default
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater all log messages are flushed.
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater There are four predefined channels that are used for
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater <span><strong class="command">named</strong></span>'s default logging as follows.
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater If <span><strong class="command">named</strong></span> is started with the <code class="option">-L</code> option then a
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater fifth channel <span><strong class="command">default_logfile</strong></span> is added. How they are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">channel default_syslog {
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington // send to syslog's daemon facility
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington syslog daemon;
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater // only send priority info and higher
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater severity info;
};
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrewschannel default_debug {
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater // write to named.run in the working directory
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater // Note: stderr is used instead of "named.run" if
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews // the server is started with the '-g' option.
 file "named.run";
4d95e549ed8f84373e5eb7346a0c7ab7f3b0e9a8Automatic Updater // log at the server's current debug level
4d95e549ed8f84373e5eb7346a0c7ab7f3b0e9a8Automatic Updater severity dynamic;
};
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updaterchannel default_stderr {
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater // writes to stderr
 stderr;
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews // only send priority info and higher
71ba75c604df3604673232828a68bb28c420e698Mark Andrews severity info;
};
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrewschannel null {
510f19039bcd402dff28c85114551179670f482aAutomatic Updater // toss anything sent to this channel
 null;
};
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updaterchannel default_logfile {
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater // this channel is only present if named is
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater // started with the -L option, whose argument
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater // provides the file name
 file "...";
56334ccb2d4b5a04fc12b70b5852049db5d24088Evan Hunt // log at the server's current debug level
56334ccb2d4b5a04fc12b70b5852049db5d24088Evan Hunt severity dynamic;
};
</pre>
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater The <span><strong class="command">default_debug</strong></span> channel has the
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater property that it only produces output when the server's debug level is
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater nonzero. It normally writes to a file called <code class="filename">named.run</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in the server's working directory.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson For security reasons, when the <code class="option">-u</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater command line option is used, the <code class="filename">named.run</code> file
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater is created only after <span><strong class="command">named</strong></span> has
3a9593055ead76cbbb417aee2d2e656c2c92cf46Automatic Updater changed to the
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
3a9593055ead76cbbb417aee2d2e656c2c92cf46Automatic Updater starting up and still running as root is discarded. If you need
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to capture this output, you must run the server with the <code class="option">-L</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater option to specify a default logfile, or the <code class="option">-g</code>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson option to log to standard error which you can redirect to a file.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Once a channel is defined, it cannot be redefined. Thus you
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson cannot alter the built-in channels directly, but you can modify
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson the default logging by pointing categories at channels you have defined.
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
b13d89bd89878137c81b36a36596cca3920f27a4Automatic Updater There are many categories, so you can send the logs you want
b13d89bd89878137c81b36a36596cca3920f27a4Automatic Updater to see wherever you want, without seeing logs you don't want. If
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater you don't specify a list of channels for a category, then log messages
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in that category will be sent to the <span><strong class="command">default</strong></span> category
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater instead. If you don't specify a default category, the following
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater "default default" is used:
0ece47f7c1cf03718726d9dff183b02fa35115e6Mark Andrews<pre class="programlisting">category default { default_syslog; default_debug; };</pre>
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews If you start <span><strong class="command">named</strong></span> with the
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews <code class="option">-L</code> option then the default category is:
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<pre class="programlisting">category default { default_logfile; default_debug; };</pre>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater As an example, let's say you want to log security events to
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews a file, but you also want to keep the default logging behavior. You'd
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater specify the following:
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<pre class="programlisting">channel my_security_channel {
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews file "my_security_file";
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews severity info;
};
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrewscategory security {
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater my_security_channel;
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews default_syslog;
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater default_debug;
};</pre>
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater<pre class="programlisting">category xfer-out { null; };
ede7b1df75ac53a9530bbbc9fc9db534cab82f44Automatic Updatercategory notify { null; };</pre>
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater Following are the available categories and brief descriptions
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews of the types of log information they contain. More
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews categories may be added in future <acronym class="acronym">BIND</acronym> releases.
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater <p><span><strong class="command">default</strong></span></p>
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater The default category defines the logging
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater options for those categories where no specific
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater configuration has been
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">general</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The catch-all. Many things still aren't
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews classified into categories, and they all end up here.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">database</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Messages relating to the databases used
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews internally by the name server to store zone and cache
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">security</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Approval and denial of requests.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">config</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Configuration file parsing and processing.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">resolver</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews DNS resolution, such as the recursive
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews lookups performed on behalf of clients by a caching name
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">xfer-in</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Zone transfers the server is receiving.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">xfer-out</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Zone transfers the server is sending.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">notify</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The NOTIFY protocol.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">client</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Processing of client requests.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">unmatched</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Messages that <span><strong class="command">named</strong></span> was unable to determine the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews class of or for which there was no matching <span><strong class="command">view</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews This category is best sent to a file or stderr; by
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews default it is sent to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the <span><strong class="command">null</strong></span> channel.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">network</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Network operations.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">update</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Dynamic updates.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">update-security</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Approval and denial of update requests.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">queries</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Specify where queries should be logged to.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews At startup, specifying the category <span><strong class="command">queries</strong></span> will also
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews enable query logging unless <span><strong class="command">querylog</strong></span> option has been
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The query log entry reports the client's IP
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews address and port number, and the query name,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews class and type. Next it reports whether the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Recursion Desired flag was set (+ if set, -
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews if not set), if the query was signed (S),
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews EDNS was in use (E), if TCP was used (T), if
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews DO (DNSSEC Ok) was set (D), or if CD (Checking
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Disabled) was set (C). After this the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews destination address the query was sent to is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews (The first part of this log message, showing the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews repeated in all subsequent log messages related
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews to the same query.)
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">query-errors</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Information about queries that resulted in some
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews <p><span><strong class="command">dispatch</strong></span></p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Dispatching of incoming packets to the
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews server modules where they are to be processed.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews <p><span><strong class="command">dnssec</strong></span></p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews DNSSEC and TSIG protocol processing.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews <p><span><strong class="command">lame-servers</strong></span></p>
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater Lame servers. These are misconfigurations
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater in remote servers, discovered by BIND 9 when trying to
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater query those servers during resolution.
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater <p><span><strong class="command">delegation-only</strong></span></p>
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater Delegation only. Logs queries that have been
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater forced to NXDOMAIN as the result of a
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater delegation-only zone or a
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater <span><strong class="command">delegation-only</strong></span> in a
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews forward, hint or stub zone declaration.
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <p><span><strong class="command">edns-disabled</strong></span></p>
309b912841e8b97bf0b0df0d96c3eaf16990c080Automatic Updater Log queries that have been forced to use plain
94df856897945fe58f130ba78765c57308bc5400Automatic Updater DNS due to timeouts. This is often due to
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark Andrews the remote servers not being RFC 1034 compliant
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark Andrews (not always returning FORMERR or similar to
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark Andrews EDNS queries and other extensions to the DNS
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater when they are not understood). In other words, this is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater targeted at servers that fail to respond to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater DNS queries that they don't understand.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Note: the log message can also be due to
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews packet loss. Before reporting servers for
da93950363b307b718d156514b95b9df93a63776Mark Andrews non-RFC 1034 compliance they should be re-tested
da93950363b307b718d156514b95b9df93a63776Mark Andrews to determine the nature of the non-compliance.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater This testing should prevent or reduce the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater number of false-positive reports.
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater Note: eventually <span><strong class="command">named</strong></span> will have to stop
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater treating such timeouts as due to RFC 1034
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater non-compliance and start treating them as plain
e23256e740b238bddb4ba41ffac5f81a01c92245Automatic Updater packet loss. Falsely classifying packet
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater loss as due to RFC 1034 non-compliance impacts
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater on DNSSEC validation which requires EDNS for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the DNSSEC records to be returned.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <p><span><strong class="command">RPZ</strong></span></p>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Information about errors in response policy zone files,
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater rewritten responses, and at the highest
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <span><strong class="command">debug</strong></span> levels, mere rewriting
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <p><span><strong class="command">rate-limit</strong></span></p>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater The start, periodic, and final notices of the
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater rate limiting of a stream of responses are logged at
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <span><strong class="command">info</strong></span> severity in this category.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater These messages include a hash value of the domain name
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater of the response and the name itself,
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater except when there is insufficient memory to record
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater the name for the final notice.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater The final notice is normally delayed until about one
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater minute after rate limiting stops.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater A lack of memory can hurry the final notice,
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater in which case it starts with an asterisk (*).
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Various internal events are logged at debug 1 level
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Rate limiting of individual requests
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater is logged in the <span><strong class="command">query-errors</strong></span> category.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <p><span><strong class="command">cname</strong></span></p>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Logs nameservers that are skipped due to them being
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater a CNAME rather than A / AAAA records.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater<div class="titlepage"><div><div><h4 class="title">
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater<a name="id2576830"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater The <span><strong class="command">query-errors</strong></span> category is
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater specifically intended for debugging purposes: to identify
0b580e05aec89f501a9c20cc00ceb42d043d3928Automatic Updater why and how specific queries result in responses which
78d7186253dfed549ec0ce2d7c2b08a7978ede9cAutomatic Updater indicate an error.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Messages of this category are therefore logged only
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater at <span><strong class="command">debug</strong></span> levels.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater At debug levels of 1 or higher, each response with the
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater rcode of SERVFAIL is logged as follows:
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater This means an error resulting in SERVFAIL was
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater detected at line 3880 of source file
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater Log messages of this level will particularly
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater help identify the cause of SERVFAIL for an
78d7186253dfed549ec0ce2d7c2b08a7978ede9cAutomatic Updater authoritative server.
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater At debug levels of 2 or higher, detailed context
0b580e05aec89f501a9c20cc00ceb42d043d3928Automatic Updater information about recursive resolutions that resulted in
78d7186253dfed549ec0ce2d7c2b08a7978ede9cAutomatic Updater SERVFAIL is logged.
78d7186253dfed549ec0ce2d7c2b08a7978ede9cAutomatic Updater The log message will look as follows:
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater<pre class="programlisting">fetch completed at resolver.c:2970 for www.example.com/A
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updaterin 30.000183: timed out/success [domain:example.com,
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updaterreferral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updaterbadresp:1,adberr:0,findfail:0,valfail:0]</pre>
f8e61212a1b83e60f521577cc522e8bc1509c8cfAutomatic Updater The first part before the colon shows that a recursive
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater resolution for AAAA records of www.example.com completed
f8e61212a1b83e60f521577cc522e8bc1509c8cfAutomatic Updater in 30.000183 seconds and the final result that led to the
782b50b4ebbd48d570831f66d8ffc550e0db340cAutomatic Updater SERVFAIL was determined at line 2970 of source file
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The following part shows the detected final result and the
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews latest result of DNSSEC validation.
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater The latter is always success when no validation attempt
db854396212d4195bbbf9de89951d9c2a5770e91Automatic Updater In this example, this query resulted in SERVFAIL probably
db854396212d4195bbbf9de89951d9c2a5770e91Automatic Updater because all name servers are down or unreachable, leading
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater to a timeout in 30 seconds.
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater DNSSEC validation was probably not attempted.
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater The last part enclosed in square brackets shows statistics
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater information collected for this particular resolution
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater The <code class="varname">domain</code> field shows the deepest zone
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater that the resolver reached;
0429fc942ef48b8ab07a01648b22f98174a2ae6fAutomatic Updater it is the zone where the error was finally detected.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The meaning of the other fields is summarized in the
418cc932318b1d67f88a36904d88d8a5a0a2ba09Automatic Updater following table.
644973f327e9db74779e7c0426db90909173b284Automatic Updater<div class="informaltable"><table border="1">
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater <p><code class="varname">referral</code></p>
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater The number of referrals the resolver received
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater throughout the resolution process.
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater In the above example this is 2, which are most
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater <p><code class="varname">restart</code></p>
418cc932318b1d67f88a36904d88d8a5a0a2ba09Automatic Updater The number of cycles that the resolver tried
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews remote servers at the <code class="varname">domain</code>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews In each cycle the resolver sends one query
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (possibly resending it, depending on the response)
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to each known name server of
 <p><code class="varname">qrysent</code></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The number of queries the resolver sent at the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><code class="varname">timeout</code></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The number of timeouts since the resolver
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews received the last response.
 <p><code class="varname">lame</code></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The number of lame servers the resolver detected
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews at the <code class="varname">domain</code> zone.
872a5b83f68b8058945298715b0fa53442aad52fAutomatic Updater A server is detected to be lame either by an
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews invalid response or as a result of lookup in
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater BIND9's address database (ADB), where lame
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews servers are cached.
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater <p><code class="varname">neterr</code></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The number of erroneous results that the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington resolver encountered in sending queries
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington at the <code class="varname">domain</code> zone.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington One common case is the remote server is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington unreachable and the resolver receives an ICMP
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington unreachable error message.
cff0e0b52cf0928123bad6f3bccf56e22bbc07f5Automatic Updater <p><code class="varname">badresp</code></p>
644973f327e9db74779e7c0426db90909173b284Automatic Updater The number of unexpected responses (other than
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="varname">lame</code>) to queries sent by the
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews resolver at the <code class="varname">domain</code> zone.
 <p><code class="varname">adberr</code></p>
2bb3422dc683c013db7042f5736240de6b86f182Automatic Updater Failures in finding remote server addresses
0190c262f99d8afa4cece60e3775d76840826f68Automatic Updater of the <code class="varname">domain</code> zone in the ADB.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater One common case of this is that the remote
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews server's name does not have any address records.
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater <p><code class="varname">findfail</code></p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Failures of resolving remote server addresses.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is the total number of failures throughout
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the resolution process.
02973ab41430678c285ef7ae6d1183003469a3bcAutomatic Updater <p><code class="varname">valfail</code></p>
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews Failures of DNSSEC validation.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Validation failures are counted throughout
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater the resolution process (not limited to
bf46736ab182c4663beb5a08cb2ebf7c364e0aa9Automatic Updater the <code class="varname">domain</code> zone), but should
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater only happen in <code class="varname">domain</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater At debug levels of 3 or higher, the same messages
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater as those at the debug 1 level are logged for errors other
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater than SERVFAIL.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Note that negative responses such as NXDOMAIN are not
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater regarded as errors here.
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater At debug levels of 4 or higher, the same messages
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater as those at the debug 2 level are logged for errors other
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater than SERVFAIL.
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater Unlike the above case of level 3, messages are logged for
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater negative responses.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is because any unexpected results can be difficult to
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater debug in the recursion case.
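The message layouts described above for the queries and query-errors categories are regular enough to parse mechanically during triage. The following Python sketch is an added example, not code from BIND or from this manual; the function names are hypothetical, the optional parenthesised destination address after the flags is an assumption (the sample lines on this page omit it), and the last sample line is constructed.

```python
import re
from collections import Counter

# Flag letters that follow the +/- (Recursion Desired) marker, per the queries text.
FLAG_NAMES = {"S": "signed", "E": "edns", "T": "tcp",
              "D": "dnssec_ok", "C": "checking_disabled"}

QUERY_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+) \((?P<label>[^)]*)\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>[SETDC]*)"
    # Assumption: a destination address, when logged, follows in parentheses.
    r"(?: \((?P<dest>[^)]+)\))?$"
)
FAILED_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#(?P<port>\d+): query failed \((?P<rcode>\w+)\) "
    r"for (?P<qname>[^/\s]+)/(?P<qclass>[^/\s]+)/(?P<qtype>\S+) "
    r"at (?P<file>[\w.]+):(?P<line>\d+)$"
)
FETCH_RE = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) "
    r"for (?P<qname>[^/\s]+)/(?P<qtype>\S+) in (?P<seconds>[\d.]+): "
    r"(?P<result>[^/\[]+)/(?P<validation>[^\[]+?) ?\[(?P<stats>[^\]]*)\]$"
)


def parse_stats(text):
    """Turn 'domain:example.com,referral:2,...' into a dict; counters become ints."""
    stats = {}
    for item in text.split(","):
        key, _, value = item.strip().partition(":")
        if not key:
            continue  # tolerate an empty bracket list or a trailing comma
        stats[key] = value if key == "domain" else int(value)
    return stats


def parse_line(raw):
    """Parse one message; return a dict with a 'kind' key, or None if unrecognised."""
    line = " ".join(raw.split())  # undo line wrapping, collapse whitespace runs
    m = QUERY_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="query", port=int(rec["port"]),
                   recursion_desired=(rec.pop("rd") == "+"))
        seen = rec.pop("flags")
        rec.update({name: (letter in seen) for letter, name in FLAG_NAMES.items()})
        return rec
    m = FAILED_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="query-failed", port=int(rec["port"]), line=int(rec["line"]))
        return rec
    m = FETCH_RE.search(line)
    if m:
        rec = m.groupdict()
        rec.update(kind="fetch", line=int(rec["line"]),
                   seconds=float(rec["seconds"]), stats=parse_stats(rec["stats"]))
        return rec
    return None


def failures_by_client(lines):
    """Count debug-1 'query failed' messages per (client address, rcode)."""
    counts = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["kind"] == "query-failed":
            counts[(rec["addr"], rec["rcode"])] += 1
    return counts


def nonzero_counters(fetch_record):
    """Names of the per-resolution counters that are non-zero, in log order."""
    return [k for k, v in fetch_record["stats"].items() if k != "domain" and v]


# The first four samples are the messages shown on this page (the fetch message
# keeps the page's line wrapping); the last one is constructed for the counter.
SAMPLES = [
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    "client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880",
    """fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]""",
    "client 127.0.0.1#61503: query failed (SERVFAIL) for www.example.org/IN/A at query.c:3880",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
    print(dict(failures_by_client(SAMPLES)))
```

Because the patterns are applied with `search`, they also match when a channel adds a timestamp, category or severity prefix in front of the message.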
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<a name="id2577350"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater This is the grammar of the <span><strong class="command">lwres</strong></span>
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater statement in the <code class="filename">named.conf</code> file:
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater [<span class="optional"> lwres-tasks <em class="replaceable"><code>number</code></em>; </span>]
ca904804e43f663f08eb1ac9d6d617930b9a3cd3Automatic Updater [<span class="optional"> lwres-clients <em class="replaceable"><code>number</code></em>; </span>]
};</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<a name="id2577447"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater The <span><strong class="command">lwres</strong></span> statement configures the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater server to also act as a lightweight resolver server. (See
478d64f58f5ce7a5e3ea08426d72faca8427c96dAutomatic Updater <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater <span><strong class="command">lwres</strong></span> statements configuring
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater lightweight resolver servers with different properties.
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater The <span><strong class="command">listen-on</strong></span> statement specifies a list of
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater IPv4 addresses (and ports) that this instance of a lightweight
6ffd34dcf046bdc3f83484bfdc6d951c746147cfAutomatic Updater resolver daemon
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater should accept requests on. If no port is specified, port 921 is
3a32066d653b39a3f602b697a0fb98a399b88f88Automatic Updater If this statement is omitted, requests will be accepted on
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater The <span><strong class="command">view</strong></span> statement binds this
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater lightweight resolver daemon to a view in the DNS namespace, so that
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater the response will be constructed in the same manner as a normal DNS query
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater matching this view. If this statement is omitted, the default view
c453a50776145e9c1c3fc9c846cfa11f42505081Automatic Updater is used, and if there is no default view, an error is triggered.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <span><strong class="command">search</strong></span> statement is equivalent to the
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater <span><strong class="command">search</strong></span> statement in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">/etc/resolv.conf</code>. It provides a
3f802a977eb8ac127c1d6d0d76b8e38d032403daAutomatic Updater list of domains
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater which are appended to relative names in queries.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <span><strong class="command">ndots</strong></span> statement is equivalent to the
233f603cc1e6dd17b8912796f3fff5cfbbb76c90Automatic Updater <span><strong class="command">ndots</strong></span> statement in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">/etc/resolv.conf</code>. It indicates the
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater number of dots in a relative domain name that should result in an
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater exact match lookup before search path elements are appended.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <code class="option">lwres-tasks</code> statement specifies the number
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater of worker threads the lightweight resolver will dedicate to serving
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater clients. By default the number is the same as the number of CPUs on
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater the system; this can be overridden using the <code class="option">-n</code>
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater command line option when starting the server.
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater The <code class="option">lwres-clients</code> statement specifies
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater the number of client objects per thread the lightweight
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater resolver should create to serve client queries.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater By default, if the lightweight resolver runs as a part
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater of <span><strong class="command">named</strong></span>, 256 client objects are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater created for each task; if it runs as <span><strong class="command">lwresd</strong></span>,
572cb2c1c931f6bc6a4a019c103ae88239b0eb96Automatic Updater 1024 client objects are created for each thread. The maximum
da24e725ff982595d74da7e75e9fbd6a696367ccAutomatic Updater value is 32768; higher values will be silently ignored and
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater the maximum will be used instead.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Note that setting too high a value may overconsume
c453a50776145e9c1c3fc9c846cfa11f42505081Automatic Updater system resources.
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater The maximum number of client queries that the lightweight
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater resolver can handle at any one time equals
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <code class="option">lwres-tasks</code> times <code class="option">lwres-clients</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater<a name="id2577611"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
bb93c8542756719b53096b9939e4041d0966026fAutomatic Updater <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
f4029eb7463e99df00618de89f0bee5ac062a237Automatic Updater<a name="id2577660"></a><span><strong class="command">masters</strong></span> Statement Definition and
59edd79b878b51ce5572cb2c6efe38b82242f108Automatic Updater<p><span><strong class="command">masters</strong></span>
3e79333aa37d3b88959372431a02af8a3eb7cfd9Automatic Updater lists allow for a common set of masters to be easily used by
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater or <span><strong class="command">also-notify</strong></span> lists.
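The following named.conf fragment is an added example, not part of the original manual. It shows one named masters list shared by a slave zone and a stub zone, and a second list that nests the first and is used in also-notify. Zone names, file paths, addresses (documentation ranges), the key name and the secret are all constructed placeholders.

```conf
// Constructed example: every name, address and secret below is a placeholder.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, generate your own
};

// Named list: requests sent to these servers are signed with the TSIG key,
// so the key binding is stated once instead of in every zone.
masters "primary-set" {
    192.0.2.1 key "xfer-key";
    192.0.2.2 port 5353 key "xfer-key";
};

// A list can include another list by name (the masters_list alternative
// in the grammar) alongside plain addresses.
masters "notify-set" port 53 {
    "primary-set";
    198.51.100.7;
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { "primary-set"; };
    also-notify { "notify-set"; };
};

zone "example.net" {
    type stub;
    file "stubs/example.net.db";
    masters { "primary-set"; };
};
```

Adding a server or rotating the key then means editing the list once, which avoids zones drifting onto stale or unauthenticated master entries.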
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater<div class="titlepage"><div><div><h3 class="title">
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater<a name="id2577682"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater This is the grammar of the <span><strong class="command">options</strong></span>
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater statement in the <code class="filename">named.conf</code> file:
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater<pre class="programlisting"><span><strong class="command">options</strong></span> {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
c53a6f37deaa396660adb6a4ca600c4a58adfd3fAutomatic Updater [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> geoip-directory <em class="replaceable"><code>path_name</code></em>; </span>]
79cea03ba823e2d3a34895f0ba91d7fb5ad799e7Automatic Updater [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
930f6069e5aa157cf6987cdafd412f5757a5a558Automatic Updater [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
59b277af9d9aac08d16be63aed5ae60ac9eef0d5Automatic Updater [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> request-sit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> sit-secret <em class="replaceable"><code>secret_string</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <em class="replaceable"><code>no</code></em> |
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater ... }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
1b670d35282f1b9352692ad212be3c0aa97b0689Automatic Updater [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> allow-new-zones <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> automatic-interface-scan <em class="replaceable"><code>yes_or_no</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> geoip-use-ecs <em class="replaceable"><code>yes_or_no</code></em>;</span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2188d48d2dc0ed15bce6260f2125981a69898141Francis Dupont [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
2188d48d2dc0ed15bce6260f2125981a69898141Francis Dupont{ <em class="replaceable"><code>address_match_list</code></em> }; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> notify-rate <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> startup-notify-rate <em class="replaceable"><code>number</code></em>; </span>]
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
96713299d08c0735c18ebe8772dd2cc1ecd4356aAutomatic Updater [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
930f6069e5aa157cf6987cdafd412f5757a5a558Automatic Updater [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
3c761103e8d2f80fb50c95af18cb0d5dd81ce005Automatic Updater [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
2178b22c8f4a20a0dfc17c93f67789d58530b6e6Automatic Updater [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> servfail-ttl <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em>; </span>]
361ef0a3e2983a5a3497a3aa7d19d31e21c9e93cAutomatic Updater [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
361ef0a3e2983a5a3497a3aa7d19d31e21c9e93cAutomatic Updater [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
572cb2c1c931f6bc6a4a019c103ae88239b0eb96Automatic Updater [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
da24e725ff982595d74da7e75e9fbd6a696367ccAutomatic Updater [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater [<span class="optional"> nta-lifetime <em class="replaceable"><code>duration</code></em> ; </span>]
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater [<span class="optional"> nta-recheck <em class="replaceable"><code>duration</code></em> ; </span>]
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater [<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
765c97d56ccddc9d7904c7d9ff2e2d825d9687e4Automatic Updater [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
e6a6028987f9b57473bb321be55304c7dbf19d8bAutomatic Updater [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> suffix IPv6-address; </span>]
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
8a507eb20351ee478e8c05620c6899f0a04c1853Automatic Updater [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>;
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
8a507eb20351ee478e8c05620c6899f0a04c1853Automatic Updater [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> masterfile-format
47ff70af9e842bf0f69d209433995216f560fe4aAutomatic Updater (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater (<code class="constant">relative</code>|<code class="constant">full</code>) ; </span>]
06f5acb11f1c32228d93eefd1eb841dbfb1c7f4dAutomatic Updater [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
8a507eb20351ee478e8c05620c6899f0a04c1853Automatic Updater [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
06f5acb11f1c32228d93eefd1eb841dbfb1c7f4dAutomatic Updater [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
06f5acb11f1c32228d93eefd1eb841dbfb1c7f4dAutomatic Updater [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> prefetch <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
7fc3b88c3a6e18f8a085406c36fddc2af63619efMark Andrews [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> response-policy {
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater zone <em class="replaceable"><code>zone_name</code></em>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru | drop |
da24e725ff982595d74da7e75e9fbd6a696367ccAutomatic Updater tcp-only | nxdomain | nodata | cname domain</code></em>) </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
5a28dc400e0e85382e83a479ca60ca3054e6cfccAutomatic Updater [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater The <span><strong class="command">options</strong></span> statement sets up global options
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater to be used by <acronym class="acronym">BIND</acronym>. This statement
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater may appear only
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater once in a configuration file. If there is no <span><strong class="command">options</strong></span>
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater statement, an options block with each option set to its default will
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater Allows multiple views to share a single cache database.
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater Each view has its own cache database by default, but
603cf17f33da24d460616389ec40d6f2a6e110a0Automatic Updater if multiple views have the same operational policy
3f616e6f846be57b1717c6beaba0f74de9d5a7c6Automatic Updater for name resolution and caching, those views can
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater share a single cache to save memory and possibly
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater improve resolution efficiency by using this option.
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater The <span><strong class="command">attach-cache</strong></span> option
55aec75784a22e9d06d52b2b8a7d5aa42d31dc00Automatic Updater may also be specified in <span><strong class="command">view</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater statements, in which case it overrides the
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater global <span><strong class="command">attach-cache</strong></span> option.
93bd88e172a36b549938bce1731df7c10a8f3fb5Automatic Updater The <em class="replaceable"><code>cache_name</code></em> specifies
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the cache to be shared.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When the <span><strong class="command">named</strong></span> server configures
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater views which are supposed to share a cache, it
db5b7e2cdf150c46e8242d3e2e3ad3f5c7300258Automatic Updater creates a cache with the specified name for the
79cea03ba823e2d3a34895f0ba91d7fb5ad799e7Automatic Updater first view of these sharing views.
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater The rest of the views will simply refer to the
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater already created cache.
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater One common configuration to share a cache would be to
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater allow all views to share a single cache.
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater This can be done by specifying
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater the <span><strong class="command">attach-cache</strong></span> as a global
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater option with an arbitrary name.
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews Another possible operation is to allow a subset of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater all views to share a cache while the others
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews retain their own caches.
0429fc942ef48b8ab07a01648b22f98174a2ae6fAutomatic Updater For example, if there are three views A, B, and C,
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater and only A and B should share a cache, specify the
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater <span><strong class="command">attach-cache</strong></span> option as an option of view A (or
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater B), referring to the other view name:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater // this view has its own cache
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater // this view refers to A's cache
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater attach-cache "A";
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater // this view has its own cache
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater Views that share a cache must have the same policy
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater on configurable parameters that may affect caching.
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater The current implementation requires the following
b4cebdb6ccde66a8f3e397a1b90b0cf788519d69Automatic Updater configurable options be consistent among these views:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">check-names</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">cleaning-interval</strong></span>,
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater <span><strong class="command">dnssec-accept-expired</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">dnssec-validation</strong></span>,
83d29eff2912ef967596eb5ed148de7668b35564Automatic Updater <span><strong class="command">max-cache-ttl</strong></span>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">max-ncache-ttl</strong></span>,
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span><strong class="command">max-cache-size</strong></span>, and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">zero-no-soa-ttl</strong></span>.
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater Note that there may be other parameters that may
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater cause confusion if they are inconsistent for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater different views that share a single cache.
098097efb95046a4a5285b6dae95dea3e3b70853Automatic Updater For example, if these views define different sets of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater forwarders that can return different answers for the
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater same question, sharing the answer does not make
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater sense or could even be harmful.
78bc8fdc2488c92d7228e8de19827e2c114c56caAutomatic Updater It is the administrator's responsibility to ensure
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater configuration differences in different views do
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater not cause disruption with a shared cache.
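A consistency check for the shared-cache rule above, as an added example (not part of the BIND documentation or source): it reads named.conf text, groups views by the cache they use, and reports each of the eight listed options whose value differs inside a group. Assumptions of this example: a view without attach-cache uses a cache named after itself, as in the A/B/C case above; an unset option is compared as `<default>` because the script does not know BIND's built-in defaults; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Options the text above requires to be consistent among views sharing a cache.
CACHE_OPTIONS = (
    "check-names", "cleaning-interval", "dnssec-accept-expired",
    "dnssec-validation", "max-cache-ttl", "max-ncache-ttl",
    "max-cache-size", "zero-no-soa-ttl",
)

TOKEN = re.compile(r'''
    /\*.*?\*/ | //[^\n]* | \#[^\n]*   # comments (dropped by tokenize)
  | "(?:[^"\\]|\\.)*"                  # quoted string
  | [{};]                              # punctuation
  | [^\s{};"]+                         # bare word
''', re.S | re.X)


def tokenize(text):
    """Split named.conf text into tokens, discarding the three comment styles."""
    toks = [m.group(0) for m in TOKEN.finditer(text)]
    return [t for t in toks if not t.startswith(("//", "/*", "#"))]


def unq(tok):
    """Strip the surrounding double quotes from a quoted token."""
    return tok[1:-1] if tok.startswith('"') else tok


def parse_block(toks, i=0):
    """Parse statements until '}' or end of input.

    Each statement is a list of tokens; a nested { ... } block appears as a
    nested list of statements. Returns (statements, next_index).
    """
    stmts, cur = [], []
    while i < len(toks):
        t = toks[i]
        if t == "{":
            inner, i = parse_block(toks, i + 1)
            cur.append(inner)
            continue
        if t == "}":
            return stmts, i + 1
        if t == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(t)
        i += 1
    return stmts, i


def settings(stmts):
    """Map each cache-related option in a block to its value as a string."""
    found = defaultdict(list)
    for s in stmts:
        name = s[0]
        if isinstance(name, str) and (name in CACHE_OPTIONS or name == "attach-cache"):
            found[name].append(" ".join(
                unq(x) if isinstance(x, str) else "{...}" for x in s[1:]))
    return {k: "; ".join(sorted(v)) for k, v in found.items()}


def shared_cache_mismatches(conf_text):
    """Return [(cache_name, option, {view: value})] for inconsistent options."""
    stmts, _ = parse_block(tokenize(conf_text))
    glob, views = {}, {}
    for s in stmts:
        if s[0] == "options" and isinstance(s[-1], list):
            glob = settings(s[-1])
        elif s[0] == "view" and isinstance(s[-1], list):
            views[unq(s[1])] = settings(s[-1])
    groups = defaultdict(list)
    for name, opts in views.items():
        eff = {**glob, **opts}            # a view-level value overrides the global one
        groups[eff.get("attach-cache", name)].append((name, eff))
    problems = []
    for cache, members in sorted(groups.items()):
        if len(members) < 2:
            continue                      # a cache used by one view has nothing to compare
        for opt in CACHE_OPTIONS:
            seen = {name: eff.get(opt, "<default>") for name, eff in members}
            if len(set(seen.values())) > 1:
                problems.append((cache, opt, seen))
    return problems


# Constructed sample: views A and B share A's cache but disagree on validation.
SAMPLE_CONF = '''
options { directory "/var/named"; max-cache-ttl 86400; };
view "A" {
    // this view has its own cache
    dnssec-validation yes;
    max-cache-size 256m;
};
view "B" {
    // this view refers to A's cache
    attach-cache "A";
    dnssec-validation no;
    max-cache-size 256m;
};
view "C" {
    // this view has its own cache
    max-cache-ttl 3600;
};
'''

if __name__ == "__main__":
    for cache, opt, seen in shared_cache_mismatches(SAMPLE_CONF):
        print(f"cache {cache!r}: {opt} differs among views: {seen}")
```
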
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The working directory of the server.
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater Any non-absolute pathnames in the configuration file will be taken
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater as relative to this directory. The default location for most
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater output files (e.g. <code class="filename">named.run</code>)
e705db6d5d886dc14f4a75a2046a075c0750e7eeAutomatic Updater is this directory.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater If a directory is not specified, the working directory
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater defaults to `<code class="filename">.</code>', the directory from
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater which the server
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater was started. The directory specified should be an absolute
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater<dt><span class="term"><span><strong class="command">geoip-directory</strong></span></span></dt>
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater Specifies the directory containing GeoIP
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">.dat</code> database files for GeoIP
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater initialization. By default, this option is unset
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and the GeoIP support will use libGeoIP's
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater built-in directory.
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater (For details, see <a href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Usage">the section called “<span><strong class="command">acl</strong></span> Statement Definition and
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater Usage”</a> about the
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater <span><strong class="command">geoip</strong></span> ACL.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
90ff38a0d8deaf5f9c2aa5916d99b2e572d28738Automatic Updater When performing dynamic update of secure zones, the
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater directory where the public and private DNSSEC key files
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater should be found, if different than the current working
2bb3422dc683c013db7042f5736240de6b86f182Automatic Updater directory. (Note that this option has no effect on the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater paths for files containing non-DNSSEC keys such as
e130ab53e992670e2a2ecf043976ac09f21358d1Automatic Updater <code class="filename">session.key</code>.)
129090f0f6f91753b4a085ab635e28549fd018adAutomatic Updater<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater Specifies the directory in which to store the files that
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater track managed DNSSEC keys. By default, this is the working
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <span><strong class="command">named</strong></span> is not configured to use views,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater then managed keys for the server will be tracked in a single
930f6069e5aa157cf6987cdafd412f5757a5a558Automatic Updater file called <code class="filename">managed-keys.bind</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Otherwise, managed keys will be tracked in separate files,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington one file per view; each file name will be the view name
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater (or, if it contains characters that are incompatible with
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater use as a file name, the SHA256 hash of the view name),
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater followed by the extension
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater (Note: in previous releases, file names for views
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater always used the SHA256 hash of the view name. To ensure
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater compatibility after upgrade, if a file using the old
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington name format is found to exist, it will be used instead
8a507eb20351ee478e8c05620c6899f0a04c1853Automatic Updater of the new format.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="emphasis"><em>This option is obsolete.</em></span> It
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater was used in <acronym class="acronym">BIND</acronym> 8 to specify
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the pathname to the <span><strong class="command">named-xfer</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater program. In <acronym class="acronym">BIND</acronym> 9, no separate
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">named-xfer</strong></span> program is needed;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater its functionality is built into the name server.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
681beefc668253b3e469a1de282fbc33a3752422Automatic Updater The KRB5 keytab file to use for GSS-TSIG updates. If
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater this option is set and tkey-gssapi-credential is not
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater set, then updates will be allowed with any key
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater matching a principal in the specified keytab.
30cd5217f750e75c24b4fe4b5ecf92e832ba64c3Automatic Updater<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
aa620c4f3a002a87e8d2076b6909cfeda81d71ddAutomatic Updater The security credential with which the server should
b16e2045ac28229c31f1ea3ebad15cbcb13e1d24Automatic Updater authenticate keys requested by the GSS-TSIG protocol.
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews Currently only Kerberos 5 authentication is available
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater and the credential is a Kerberos principal which the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater server can acquire through the default system key
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews file, normally <code class="filename">/etc/krb5.keytab</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The location of the keytab file can be overridden using the
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews tkey-gssapi-keytab option. Normally this principal is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater also be set if a specific keytab is not set with
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater tkey-gssapi-keytab.
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
The domain appended to the names of all shared keys
generated with <span><strong class="command">TKEY</strong></span>. When a
client requests a <span><strong class="command">TKEY</strong></span> exchange,
it may or may not specify the desired name for the
key. If present, the name of the shared key will
be <code class="varname">client specified part</code> +
<code class="varname">tkey-domain</code>. Otherwise, the
name of the shared key will be <code class="varname">random hex
digits</code> + <code class="varname">tkey-domain</code>.
In most cases, the <span><strong class="command">domainname</strong></span>
should be the server's domain name, or an otherwise
non-existent subdomain like
"_tkey.<code class="varname">domainname</code>". If you are
using GSS-TSIG, this variable must be defined, unless
you specify a specific keytab using tkey-gssapi-keytab.
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman
mode of <span><strong class="command">TKEY</strong></span>. The server must be
able to load the
public and private keys from files in the working directory.
In most cases, the keyname should be the server's host name.
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
This is for testing only. Do not use.
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
The pathname of the file the server dumps
the database to when instructed to do so with
<span><strong class="command">rndc dumpdb</strong></span>.
If not specified, the default is <code class="filename">named_dump.db</code>.
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
The pathname of the file the server writes memory
usage statistics to on exit. If not specified,
the default is <code class="filename">named.memstats</code>.
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
The pathname of the file the server writes its process ID
in. If not specified, the default is
<code class="filename">/var/run/named/named.pid</code>.
The PID file is used by programs that want to send signals to
the running name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file; no file will be written and any
existing one will be removed. Note that <span><strong class="command">none</strong></span>
is a keyword, not a filename, and therefore is not enclosed
in double quotes.
<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <span><strong class="command">rndc recursing</strong></span>.
If not specified, the default is <code class="filename">named.recursing</code>.
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
The pathname of the file the server appends statistics
to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
If not specified, the default is <code class="filename">named.stats</code> in the
server's current directory. The format of the file is
described in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
The pathname of a file to override the built-in trusted
keys provided by <span><strong class="command">named</strong></span>.
See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
and <span><strong class="command">dnssec-validation</strong></span> for details.
If not specified, the default is
<code class="filename">/etc/bind.keys</code>.
<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
The pathname of the file the server dumps
security roots to when instructed to do so with
<span><strong class="command">rndc secroots</strong></span>.
If not specified, the default is
<code class="filename">named.secroots</code>.
<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
The pathname of the file into which to write a TSIG
session key generated by <span><strong class="command">named</strong></span> for use by
<span><strong class="command">nsupdate -l</strong></span>. If not specified, the
default is <code class="filename">/var/run/named/session.key</code>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
particular the discussion of the
<span><strong class="command">update-policy</strong></span> statement's
<strong class="userinput"><code>local</code></strong> option for more
information about this feature.)
<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
The key name to use for the TSIG session key.
If not specified, the default is "local-ddns".
<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
The algorithm to use for the TSIG session key.
Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384, hmac-sha512 and hmac-md5. If not
specified, the default is hmac-sha256.
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
The UDP/TCP port number the server uses for
receiving and sending DNS protocol traffic.
The default is 53. This option is mainly intended for server
testing; a server using a port other than 53 will not be able to
communicate with
the global DNS.
<dt><span class="term"><span><strong class="command">dscp</strong></span></span></dt>
The global Differentiated Services Code Point (DSCP)
value to classify outgoing DNS traffic on operating
systems that support DSCP. Valid values are 0 through 63.
It is not configured by default.
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This option specifies the device (or file) from which
to read entropy. If this is a file, operations requiring entropy will
fail when the file has been exhausted. If not specified, the default value
(or equivalent) when present, and none otherwise. The
<span><strong class="command">random-device</strong></span> option takes
effect during the initial configuration load at server startup time and
is ignored on subsequent reloads.
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
If specified, the listed type (A or AAAA) will be emitted
before other glue
in the additional section of a query response.
The default is not to prefer any type (NONE).
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Turn on enforcement of delegation-only in TLDs
(top level domains) and root zones with an optional
exclude list.
DS queries are expected to be made to and be answered by
delegation only zones. Such queries and responses are
treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses provided
a CNAME is not discovered at the query name.
If a delegation only zone server also serves a child
zone it is not always possible to determine whether
an answer comes from the delegation only zone or the
child zone. SOA, NS and DNSKEY records are apex-only
records and a matching response that contains
these records or DS is treated as coming from a
child zone. RRSIG records are also examined to see
if they are signed by a child zone or not. The
authority section is also examined to see if there
is evidence that the answer is from the child zone.
Answers that are determined to be from a child zone
are not converted to NXDOMAIN responses. Despite
all these checks there is still a possibility of
false negatives when a child zone is being served.
Similarly, false positives can arise from empty nodes
(no records at the name) in the delegation only zone
when the query type is not ANY.
Note that some TLDs are not delegation only (e.g. "DE", "LV",
"US" and "MUSEUM"). This list is not exhaustive.
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
Disable the specified DNSSEC algorithms at and below the
specified name.
Multiple <span><strong class="command">disable-algorithms</strong></span>
statements are allowed.
Only the best match <span><strong class="command">disable-algorithms</strong></span>
clause will be used to determine which algorithms are used.
If all supported algorithms are disabled, the zones covered
by the <span><strong class="command">disable-algorithms</strong></span> will be treated
<dt><span class="term"><span><strong class="command">disable-ds-digests</strong></span></span></dt>
Disable the specified DS/DLV digest types at and below the
specified name.
Multiple <span><strong class="command">disable-ds-digests</strong></span>
statements are allowed.
Only the best match <span><strong class="command">disable-ds-digests</strong></span>
clause will be used to determine which digest types are used.
If all supported digest types are disabled, the zones covered
by the <span><strong class="command">disable-ds-digests</strong></span> will be treated
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
validator with an alternate method to validate DNSKEY
records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest
<span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
validation has left the key untrusted, the trust-anchor
will be appended to the key name and a DLV record will be
looked up to see if it can validate the key. If the DLV
record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
If <span><strong class="command">dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>auto</code></strong>, then built-in default
values for the DLV domain and trust anchor will be
used, along with a built-in key for validation.
If <span><strong class="command">dnssec-lookaside</strong></span> is set to
<strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
is not used.
The default DLV key is stored in the file
<code class="filename">bind.keys</code>;
<span><strong class="command">named</strong></span> will load that key at
startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
<code class="constant">auto</code>. A copy of the file is
installed along with <acronym class="acronym">BIND</acronym> 9, and is
current as of the release date. If the DLV key expires, a
new copy of <code class="filename">bind.keys</code> can be downloaded
from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
(To prevent problems if <code class="filename">bind.keys</code> is
not found, the current key is also compiled in to
<span><strong class="command">named</strong></span>. Relying on this is not
recommended, however, as it requires <span><strong class="command">named</strong></span>
to be recompiled with a new key when the DLV key expires.)
NOTE: <span><strong class="command">named</strong></span> only loads certain specific
keys from <code class="filename">bind.keys</code>: those for the
DLV zone and for the DNS root zone. The file cannot be
used to store keys for other zones.
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Specify hierarchies which must be or may not be secure
(signed and validated). If <strong class="userinput"><code>yes</code></strong>,
then <span><strong class="command">named</strong></span> will only accept answers if
they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
DNSSEC validation applies allowing for insecure answers to
be accepted. The specified domain must be under a
<span><strong class="command">trusted-keys</strong></span> or
<span><strong class="command">managed-keys</strong></span> statement, or
<span><strong class="command">dnssec-lookaside</strong></span> must be active.
<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
This directive instructs <span><strong class="command">named</strong></span> to
return mapped IPv4 addresses to AAAA queries when
there are no AAAA records. It is intended to be
used in conjunction with a NAT64. Each
<span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
Multiple DNS64 prefixes can be defined.
Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
64 and 96 as per RFC 6052.
Additionally a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
CNAMEs. <span><strong class="command">dns64-server</strong></span> and
<span><strong class="command">dns64-contact</strong></span> can be used to specify
the name of the server and contact for the zones. These
are settable at the view / options level. These are
not settable on a per-prefix basis.
Each <span><strong class="command">dns64</strong></span> supports an optional
<span><strong class="command">clients</strong></span> ACL that determines which
clients are affected by this directive. If not defined,
it defaults to <strong class="userinput"><code>any;</code></strong>.
Each <span><strong class="command">dns64</strong></span> supports an optional
<span><strong class="command">mapped</strong></span> ACL that selects which
IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
<strong class="userinput"><code>any;</code></strong>.
Normally, DNS64 won't apply to a domain name that
owns one or more AAAA records; these records will
simply be returned. The optional
<span><strong class="command">exclude</strong></span> ACL allows specification
of a list of IPv6 addresses that will be ignored
if they appear in a domain name's AAAA records, and
DNS64 will be applied to any A records the domain
name owns. If not defined, <span><strong class="command">exclude</strong></span>
defaults to none.
An optional <span><strong class="command">suffix</strong></span> can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to <strong class="userinput"><code>::</code></strong>. The bits
matching the prefix and mapped IPv4 address
must be zero.
If <span><strong class="command">recursive-only</strong></span> is set to
<span><strong class="command">yes</strong></span> the DNS64 synthesis will
only happen for recursive queries. The default
is <span><strong class="command">no</strong></span>.
If <span><strong class="command">break-dnssec</strong></span> is set to
<span><strong class="command">yes</strong></span> the DNS64 synthesis will
happen even if the result, if validated, would
cause a DNSSEC validation failure. If this option
is set to <span><strong class="command">no</strong></span> (the default), the DO
bit is set on the incoming query, and there are RRSIGs on
the applicable records, then synthesis will not happen.
dns64 64:FF9B::/96 {
    clients { any; };
    mapped { !rfc1918; any; };
    exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
};
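The dns64 rules above (RFC 6052 prefix lengths, the suffix constraint, the mapped and exclude ACLs, and the break-dnssec gate) modelled in Python, as an added example that is not code from BIND or from this manual. The function names and the ACL lists are assumptions of this example; the page's rfc1918 ACL is user-defined and is expanded here into the three RFC 1918 networks.

```python
import ipaddress

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

# Constructed stand-ins for the ACLs in the page's example; "rfc1918" there is
# a user-defined ACL name, expanded here by assumption.
MAPPED_ACL = ["!10.0.0.0/8", "!172.16.0.0/12", "!192.168.0.0/16", "any"]
EXCLUDE_ACL = ["64:ff9b::/96", "::ffff:0:0/96"]


def embed(prefix, v4, suffix="::"):
    """Place an IPv4 address inside a DNS64 prefix using the RFC 6052 layout."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError("prefix length must be one of %r" % (RFC6052_LENGTHS,))
    pbytes = net.prefixlen // 8
    skip_u = net.prefixlen <= 64  # IPv4 bits must avoid byte 8 (bits 64-71)
    occupied = pbytes + 4 + (1 if skip_u else 0)
    out = bytearray(ipaddress.IPv6Address(suffix).packed)
    if any(out[:occupied]):
        raise ValueError("suffix bits under the prefix and IPv4 address must be zero")
    out[:pbytes] = net.network_address.packed[:pbytes]
    pos = pbytes
    for octet in ipaddress.IPv4Address(v4).packed:
        if skip_u and pos == 8:
            pos += 1  # leave the reserved byte zero
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def acl_match(acl, addr):
    """Ordered first-match ACL evaluation; a leading '!' negates an element."""
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negate = element.startswith("!")
        spec = element.lstrip("!")
        if spec == "none":  # none behaves like !any
            return negate
        if spec == "any":
            return not negate
        net = ipaddress.ip_network(spec)
        if ip.version == net.version and ip in net:
            return not negate
    return False


def dns64_answer(a_rrset, aaaa_rrset, prefix, mapped=("any",), exclude=("none",),
                 suffix="::", break_dnssec=False, do_bit=False, signed=False):
    """AAAA addresses returned under this example's reading of the dns64 text."""
    kept = [str(ipaddress.IPv6Address(a)) for a in aaaa_rrset
            if not acl_match(exclude, a)]
    if kept:
        return kept  # usable AAAA records exist, nothing is synthesized
    if do_bit and signed and not break_dnssec:
        return []    # DO set and RRSIGs present: no synthesis by default
    return [str(embed(prefix, a, suffix)) for a in a_rrset if acl_match(mapped, a)]


if __name__ == "__main__":
    # Constructed record sets: (A records, AAAA records).
    cases = {
        "v4-only host": (["192.0.2.33"], []),
        "private v4 host": (["10.1.2.3"], []),
        "v4-mapped AAAA": (["192.0.2.33"], ["::ffff:192.0.2.33"]),
        "native v6 host": (["192.0.2.33"], ["2001:db8::1"]),
    }
    for label, (a, aaaa) in cases.items():
        print(label, dns64_answer(a, aaaa, "64:FF9B::/96", MAPPED_ACL, EXCLUDE_ACL))
```
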
<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
If this option is set to its default value of
<code class="literal">maintain</code> in a zone of type
<code class="literal">master</code> which is DNSSEC-signed
and configured to allow dynamic updates (see
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
if <span><strong class="command">named</strong></span> has access to the
private signing key(s) for the zone, then
<span><strong class="command">named</strong></span> will automatically sign all new
or changed records and maintain signatures for the zone
by regenerating RRSIG records whenever they approach
their expiration date.
If the option is changed to <code class="literal">no-resign</code>,
then <span><strong class="command">named</strong></span> will sign all new or
changed records, but scheduled maintenance of
signatures is disabled.
With either of these settings, <span><strong class="command">named</strong></span>
will reject updates to a DNSSEC-signed zone when the
signing keys are inactive or unavailable to
<span><strong class="command">named</strong></span>. (A planned third option,
<code class="literal">external</code>, will disable all automatic
signing and allow DNSSEC data to be submitted into a zone
via dynamic update; this is not yet implemented.)
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<dt><span class="term"><span><strong class="command">nta-lifetime</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Specifies the default lifetime, in seconds,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews that will be used for negative trust anchors added
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater via <span><strong class="command">rndc nta</strong></span>.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater A negative trust anchor selectively disables
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater DNSSEC validation for zones that are known to be
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater failing because of misconfiguration rather than
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater an attack. When data to be validated is
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater at or below an active NTA (and above any other
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater configured trust anchors), <span><strong class="command">named</strong></span> will
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater abort the DNSSEC validation process and treat the data as
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater insecure rather than bogus. This continues until the
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews NTA's lifetime has elapsed. NTAs persist
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews across <span><strong class="command">named</strong></span> restarts.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews For convenience, TTL-style time unit suffixes can be
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater used to specify the NTA lifetime in seconds, minutes
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews or hours. <code class="option">nta-lifetime</code> defaults to
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater one hour. It cannot exceed one week.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">nta-recheck</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Specifies how often to check whether negative
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews trust anchors added via <span><strong class="command">rndc nta</strong></span>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews are still necessary.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews A negative trust anchor is normally used when a
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews domain has stopped validating due to operator error;
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews it temporarily disables DNSSEC validation for that
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews domain. In the interest of ensuring that DNSSEC
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews validation is turned back on as soon as possible,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">named</strong></span> will periodically send a
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews query to the domain, ignoring negative trust anchors,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews to find out whether it can now be validated. If so,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews the negative trust anchor is allowed to expire early.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Validity checks can be disabled for an individual
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews NTA by using <span><strong class="command">rndc nta -f</strong></span>, or
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews for all NTAs by setting <code class="option">nta-recheck</code>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews For convenience, TTL-style time unit suffixes can be
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews used to specify the NTA recheck interval in seconds,
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater minutes or hours. The default is five minutes. It
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews cannot be longer than <code class="option">nta-lifetime</code>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews (which cannot be longer than a week).
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Specifies a maximum permissible TTL value.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews When loading a zone file using a
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <code class="option">masterfile-format</code> of
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <code class="constant">text</code> or <code class="constant">raw</code>,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews any record encountered with a TTL higher than
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <code class="option">max-zone-ttl</code> will cause the zone to
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews be rejected.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews This is useful in DNSSEC-signed zones because when
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews rolling to a new DNSKEY, the old key needs to remain
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater available until RRSIG records have expired from
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater caches. The <code class="option">max-zone-ttl</code> option guarantees
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater that the largest TTL in the zone will be no higher
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater than the set value.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews (NOTE: Because <code class="constant">map</code>-format files
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews load directly into memory, this option cannot be
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews used with them.)
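A pre-deployment check modelled on the <code class="option">max-zone-ttl</code> rule described above, as an added example (not code from BIND or ISC): it scans text-format zone data and reports every record whose TTL exceeds the limit, which is the condition under which the zone would be rejected. The function names, the sample zone and the simplified parser (one record per line, <code class="literal">$TTL</code> plus explicit per-record TTLs, s/m/h/d/w suffixes) are assumptions made for the example.

```python
import re

# Multipliers for TTL-style suffixes; a bare number means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# Linear-time pattern: every repeated group must end in a unit letter.
_TTL_RE = re.compile(r"^(?:\d+[smhdw])*\d+[smhdw]?$", re.IGNORECASE)
_CLASSES = {"IN", "CH", "HS"}


def parse_ttl(text):
    """Convert '3600', '1h', '1d12h' or '2w' to seconds; None if not a TTL."""
    if not _TTL_RE.match(text):
        return None
    pairs = re.findall(r"(\d+)([smhdw]?)", text.lower())
    return sum(int(number) * _UNITS[unit] for number, unit in pairs)


def find_ttl_violations(zone_text, max_zone_ttl):
    """Return (line number, owner, ttl) for records above max_zone_ttl."""
    limit = parse_ttl(str(max_zone_ttl))
    if limit is None:
        raise ValueError("max_zone_ttl is not a valid TTL: %r" % (max_zone_ttl,))
    default_ttl = None
    owner = None
    violations = []
    for lineno, raw in enumerate(zone_text.splitlines(), start=1):
        line = raw.split(";", 1)[0].rstrip()   # drop comments (assumes no ';' before the type)
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$TTL":
            if len(fields) > 1:
                default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):
            continue                           # $ORIGIN, $INCLUDE: out of scope here
        if not raw[0].isspace():               # leading whitespace reuses the last owner
            owner, fields = fields[0], fields[1:]
        # TTL and class are optional and may appear in either order before the type.
        ttl = None
        for field in fields[:2]:
            if field.upper() in _CLASSES:
                continue
            value = parse_ttl(field)
            if value is None:
                break                          # reached the record type
            ttl = value
        if ttl is None:
            ttl = default_ttl
        if ttl is not None and ttl > limit:
            violations.append((lineno, owner, ttl))
    return violations


# Constructed sample zone (not taken from the page).
SAMPLE_ZONE = """\
$TTL 1h
@        IN SOA ns1.example.com. hostmaster.example.com. (1 1h 15m 30d 2h)
         IN NS  ns1.example.com.
ns1      86400 IN A 192.0.2.1
www      IN 2w A 192.0.2.10      ; exceeds a one-day limit
mail     1d12h IN A 192.0.2.25   ; exceeds a one-day limit
10       IN A 192.0.2.11         ; numeric owner name, default TTL
"""

if __name__ == "__main__":
    for lineno, owner, ttl in find_ttl_violations(SAMPLE_ZONE, "1d"):
        print("line %d: %s has TTL %d, above the limit" % (lineno, owner, ttl))
```

Records that rely on a TTL the script cannot determine (no <code class="literal">$TTL</code> and no explicit value) are skipped rather than guessed.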
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews If <strong class="userinput"><code>full</code></strong>, the server will collect
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews statistical data on all zones (unless specifically
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews turned off on a per-zone basis by specifying
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">zone-statistics terse</strong></span> or
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">zone-statistics none</strong></span>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews in the <span><strong class="command">zone</strong></span> statement).
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews The default is <strong class="userinput"><code>terse</code></strong>, providing
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews minimal statistics on zones (including name and
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews current serial number, but not query type
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews These statistics may be accessed via the
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">statistics-channel</strong></span> or
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews using <span><strong class="command">rndc stats</strong></span>, which
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews will dump them to the file listed
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews in the <span><strong class="command">statistics-file</strong></span>. See
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater For backward compatibility with earlier versions
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews option can also accept <strong class="userinput"><code>yes</code></strong>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews has the same meaning as <strong class="userinput"><code>full</code></strong>.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater As of <acronym class="acronym">BIND</acronym> 9.10,
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <strong class="userinput"><code>no</code></strong> has the same meaning
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater as <strong class="userinput"><code>none</code></strong>; previously, it
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater was the same as <strong class="userinput"><code>terse</code></strong>.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<div class="titlepage"><div><div><h4 class="title">
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews automatically rescan network interfaces when the interface
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews addresses are added or removed. The default is
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <strong class="userinput"><code>yes</code></strong>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Currently the OS needs to support routing sockets for
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">automatic-interface-scan</strong></span> to be
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater If <strong class="userinput"><code>yes</code></strong>, then zones can be
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews added at runtime via <span><strong class="command">rndc addzone</strong></span>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews The default is <strong class="userinput"><code>no</code></strong>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews is always set on NXDOMAIN responses, even if the server is
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater authoritative. The default is <strong class="userinput"><code>no</code></strong>;
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater a change from <acronym class="acronym">BIND</acronym> 8. If you
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater are using very old DNS software, you
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews may need to set it to <strong class="userinput"><code>yes</code></strong>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews This option was used in <acronym class="acronym">BIND</acronym>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater 8 to enable checking
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Write memory statistics to the file specified by
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">memstatistics-file</strong></span> at exit.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews The default is <strong class="userinput"><code>no</code></strong> unless
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews '-m record' is specified on the command line, in
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews which case it is <strong class="userinput"><code>yes</code></strong>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews If <strong class="userinput"><code>yes</code></strong>, then the
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews server treats all zones as if they are doing zone transfers
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater a dial-on-demand dialup link, which can be brought up by
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews originating from this server. This has different effects
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews to zone type and concentrates the zone maintenance so that
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater hopefully during the one call. It also suppresses some of
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews The <span><strong class="command">dialup</strong></span> option
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater may also be specified in the <span><strong class="command">view</strong></span> and
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <span><strong class="command">zone</strong></span> statements,
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater in which case it overrides the global <span><strong class="command">dialup</strong></span>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater If the zone is a master zone, then the server will send out a
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews request to all the slaves (default). This should trigger the
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater number check in the slave (providing it supports NOTIFY)
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater allowing the slave
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater to verify the zone while the connection is active.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews The set of servers to which NOTIFY is sent can be controlled
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews zone is a slave or stub zone, then the server will suppress
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews "zone up to date" (refresh) queries and only perform them
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">heartbeat-interval</strong></span> expires in
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews addition to sending
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews NOTIFY requests.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Finer control can be achieved by using
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews messages and
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews which suppresses normal refresh processing and sends refresh
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews when the <span><strong class="command">heartbeat-interval</strong></span>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews expires, and
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <strong class="userinput"><code>passive</code></strong> which just disables normal
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington normal refresh
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater heart-beat refresh
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater heart-beat notify
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">no</strong></span> (default)</p>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater <p><span><strong class="command">yes</strong></span></p>
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<span><strong class="command">geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">keep-response-order</strong></span></span></dt>
a response contains the names "example.com" and
(i.e., records of type NS, MX, CNAME, etc) will always
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">startup-notify-rate</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
a zone-signing process, i.e., whether it is still active
<span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
IPv4 address as in IN-ADDR.ARPA.
but reversed as in IN-ADDR.ARPA.
wildcard such as *.example.com.
<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span>
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
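An audit helper for the policy zone records above, as an added example (not code from BIND or ISC): it decodes each owner name into its trigger (QNAME, response IP, NSDNAME, NSIP or client IP, with the reversed prefix encoding and "zz" standing for "::") and each CNAME target into its action, so a reviewer can see what a zone actually does before loading it. The function names are hypothetical; the sample input is the page's own records, and "local-data" is the label used here for records that are answered from the policy zone.

```python
import ipaddress
import re

# CNAME targets that encode policy actions in the records above.
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-Only",
}
# Final owner-name label -> kind of address trigger.
IP_TRIGGERS = {"rpz-ip": "response-ip", "rpz-nsip": "nsip", "rpz-client-ip": "client-ip"}


def decode_rpz_prefix(labels):
    """Decode ['48', 'zz', '2', '2001'] to the network 2001:2::/48."""
    prefixlen, parts = int(labels[0]), labels[1:][::-1]
    if len(parts) == 4 and "zz" not in parts:
        address = ".".join(parts)                      # IPv4: four decimal octets
    else:
        address = re.sub(r":?zz:?", "::", ":".join(parts))  # IPv6: 'zz' is '::'
    # strict=True rejects prefixes with host bits set (ValueError).
    return ipaddress.ip_network("%s/%d" % (address, prefixlen), strict=True)


def classify_record(owner, rtype, rdata):
    """Return (trigger type, trigger, action) for one policy record."""
    labels = owner.rstrip(".").split(".")
    try:
        if labels[-1] in IP_TRIGGERS:
            trigger_type = IP_TRIGGERS[labels[-1]]
            trigger = str(decode_rpz_prefix(labels[:-1]))
        elif labels[-1] == "rpz-nsdname":
            trigger_type, trigger = "nsdname", ".".join(labels[:-1])
        else:
            trigger_type, trigger = "qname", owner
    except (ValueError, IndexError):
        trigger_type, trigger = "invalid", owner       # malformed address encoding
    if rtype.upper() == "CNAME":
        action = ACTIONS.get(rdata, "local-data")
    else:
        action = "local-data"                          # e.g. an A record for a walled garden
    return trigger_type, trigger, action


def audit_rpz(zone_text):
    """Classify every 'owner TYPE rdata' line; SOA and NS records are skipped."""
    results = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].strip().split(None, 2)
        if len(fields) < 3 or fields[1].upper() in ("SOA", "NS"):
            continue
        owner, rtype, rdata = fields
        results.append((owner,) + classify_record(owner, rtype, rdata.strip()))
    return results


# Sample input: the records shown above on this page.
PAGE_RECORDS = """\
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
"""

if __name__ == "__main__":
    for owner, trigger_type, trigger, action in audit_rpz(PAGE_RECORDS):
        print("%-28s %-12s %-18s %s" % (owner, trigger_type, trigger, action))
```

A trigger reported as "invalid" has a prefix length or address labels that do not form a valid network and should be corrected before the zone is deployed.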
<span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
This controls flooding using random.wild.example.com.
<span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
<span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
<span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2592668"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
<a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
<a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2593085"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2593139"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2593574"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2595590"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non-recursive queries (i.e., those with the RD
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
zone example.com {
file "example-external.db";
zone example.com {
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2602142"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2602158"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2602356"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2602425"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2602461"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2607076"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&#160;</td>