<!--
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch06.html,v 1.138 2006/06/04 23:38:17 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<span class="acronym">BIND</span> 9 Configuration Reference</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554338">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554882"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555072"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555432"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555447"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555470"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555492"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555651"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2555845"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557195"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557269"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557333"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557445"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2557460"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565882"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565931"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566011"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2567457"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2569739">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2571556">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572244">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572371">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2572696"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl>
</div>
<p>
 <span class="acronym">BIND</span> 9 configuration is broadly similar
 to <span class="acronym">BIND</span> 8; however, there are a few new areas
 of configuration, such as views. <span class="acronym">BIND</span>
 8 configuration files should work with few alterations in <span class="acronym">BIND</span>
 9, although more complex configurations should be reviewed to check
 if they can be more efficiently implemented using the new features
 found in <span class="acronym">BIND</span> 9.
 </p>
<p>
 <span class="acronym">BIND</span> 4 configuration files can be
 converted to the new format using the shell script
 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
 </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
 Following is a list of elements used throughout the <span class="acronym">BIND</span> configuration
 file documentation:
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p>
 <code class="varname">acl_name</code>
 </p>
 </td>
<td>
 <p>
 The name of an <code class="varname">address_match_list</code> as
 defined by the <span><strong class="command">acl</strong></span> statement.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">address_match_list</code>
 </p>
 </td>
<td>
 <p>
 A list of one or more
 <code class="varname">ip_addr</code>,
 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
 or <code class="varname">acl_name</code> elements, see
 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">masters_list</code>
 </p>
 </td>
<td>
 <p>
 A named list of one or more <code class="varname">ip_addr</code>
 with optional <code class="varname">key_id</code> and / or
 <code class="varname">ip_port</code>.
 A <code class="varname">masters_list</code> may include other
 <code class="varname">masters_lists</code>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">domain_name</code>
 </p>
 </td>
<td>
 <p>
 A quoted string which will be used as
 a DNS name, for example "<code class="literal">my.test.domain</code>".
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">dotted_decimal</code>
 </p>
 </td>
<td>
 <p>
 One to four integers valued 0 through
 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">ip4_addr</code>
 </p>
 </td>
<td>
 <p>
 An IPv4 address with exactly four elements
 in <code class="varname">dotted_decimal</code> notation.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">ip6_addr</code>
 </p>
 </td>
<td>
 <p>
 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
 IPv6 scoped addresses that have ambiguity on their scope zones must be
 disambiguated by an appropriate zone ID with the percent character
 (`%') as delimiter.
 It is strongly recommended to use string zone names rather than
 numeric identifiers, in order to be robust against system
 configuration changes.
 However, since there is no standard mapping for such names and
 identifier values, currently only interface names as link identifiers
 are supported, assuming one-to-one mapping between
 interfaces and links.
 For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
 link attached to the interface <span><strong class="command">ne0</strong></span>
 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
 Note that on most systems link-local addresses always have
 this ambiguity and need to be disambiguated.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">ip_addr</code>
 </p>
 </td>
<td>
 <p>
 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">ip_port</code>
 </p>
 </td>
<td>
 <p>
 An IP port <code class="varname">number</code>.
 <code class="varname">number</code> is limited to 0
 through 65535, with values
 below 1024 typically restricted to use by processes running
 as root.
 In some cases an asterisk (`*') character can be used as a
 placeholder to select a random high-numbered port.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">ip_prefix</code>
 </p>
 </td>
<td>
 <p>
 An IP network specified as an <code class="varname">ip_addr</code>,
 followed by a slash (`/') and then the number of bits in the
 netmask.
 Trailing zeros in an <code class="varname">ip_addr</code>
 may be omitted.
 For example, <span><strong class="command">127/8</strong></span> is the
 network <span><strong class="command">127.0.0.0</strong></span> with
 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
 </p>
 </td>
</tr>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering<tr>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering<td>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering <p>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering <code class="varname">key_id</code>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering </p>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering </td>
b2ca0d63277b10c9382d5bcfcdf320dbb712511bLennart Poettering<td>
b72ddf0f4f552dd53d6404b6ddbc9f17d02b8e12Kay Sievers <p>
3dff3e00e044e2d53c76fa842b9a4759d4a50e69Kay Sievers A <code class="varname">domain_name</code> representing
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering the name of a shared key, to be used for transaction
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering security.
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </p>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </td>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering</tr>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering<tr>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering<td>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering <p>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering <code class="varname">key_list</code>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </p>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </td>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering<td>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering <p>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering A list of one or more
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering <code class="varname">key_id</code>s,
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering separated by semicolons and ending with a semicolon.
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </p>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering </td>
24a2bf4c9b0917231dd4f9b4289eabd46c382d3fLennart Poettering</tr>
<tr>
<td>
 <p>
 <code class="varname">number</code>
 </p>
 </td>
<td>
 <p>
 A non-negative 32-bit integer
 (i.e., a number between 0 and 4294967295, inclusive).
 Its acceptable value might further
 be limited by the context in which it is used.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">path_name</code>
 </p>
 </td>
<td>
 <p>
 A quoted string which will be used as
 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">size_spec</code>
 </p>
 </td>
<td>
 <p>
 A number, the word <strong class="userinput"><code>unlimited</code></strong>,
 or the word <strong class="userinput"><code>default</code></strong>.
 </p>
 <p>
 An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
 use, or the maximum available amount. A <code class="varname">default</code> <code class="varname">size_spec</code> uses
 the limit that was in force when the server was started.
 </p>
 <p>
 A <code class="varname">number</code> can optionally be
 followed by a scaling factor:
 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
 for kilobytes,
 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
 for megabytes, and
 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
 which scale by 1024, 1024*1024, and 1024*1024*1024
 respectively.
 </p>
 <p>
 The value must be representable as a 64-bit unsigned integer
 (0 to 18446744073709551615, inclusive).
 Using <code class="varname">unlimited</code> is the best
 way to safely set a really large number.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">yes_or_no</code>
 </p>
 </td>
<td>
 <p>
 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
 and <strong class="userinput"><code>0</code></strong>.
 </p>
 </td>
</tr>
<tr>
<td>
 <p>
 <code class="varname">dialup_option</code>
 </p>
 </td>
<td>
 <p>
 One of <strong class="userinput"><code>yes</code></strong>,
 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
 <strong class="userinput"><code>passive</code></strong>.
 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
 are restricted to slave and stub zones.
 </p>
 </td>
</tr>
</tbody>
</table></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554067"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
 [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
 key key_id | acl_name | { address_match_list } )
</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554094"></a>Definition and Usage</h4></div></div></div>
<p>
 Address match lists are primarily used to determine access
 control for various server operations. They are also used in
 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
 statements. The elements
 which constitute an address match list can be any of the
 following:
 </p>
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
<li>an IP prefix (in `/' notation)</li>
<li>
 a key ID, as defined by the <span><strong class="command">key</strong></span>
 statement
 </li>
<li>the name of an address match list defined with
 the <span><strong class="command">acl</strong></span> statement
 </li>
<li>a nested address match list enclosed in braces</li>
</ul></div>
<p>
 Elements can be negated with a leading exclamation mark (`!'),
 and the match list names "any", "none", "localhost", and
 "localnets"
 are predefined. More information on those names can be found in
 the description of the acl statement.
 </p>
<p>
 The addition of the key clause made the name of this syntactic
 element something of a misnomer, since security keys can be used
 to validate access without regard to a host or network address.
 Nonetheless,
 the term "address match list" is still used throughout the
 documentation.
 </p>
<p>
 When a given IP address or prefix is compared to an address
 match list, the list is traversed in order until an element
 matches.
 The interpretation of a match depends on whether the list is being
 used
 for access control, defining listen-on ports, or in a sortlist,
 and whether the element was negated.
 </p>
<p>
 When used as an access control list, a non-negated match
 allows access and a negated match denies access. If
 there is no match, access is denied. The clauses
 <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>,
 <span><strong class="command">allow-query-cache</strong></span>,
 <span><strong class="command">allow-transfer</strong></span>,
 <span><strong class="command">allow-update</strong></span>,
 <span><strong class="command">allow-update-forwarding</strong></span>, and
 <span><strong class="command">blackhole</strong></span> all use address match
 lists. Similarly, the listen-on option will cause the
 server to not accept queries on any of the machine's
 addresses which do not match the list.
 </p>
<p>
 Because of the first-match aspect of the algorithm, an element
 that defines a subset of another element in the list should come
 before the broader element, regardless of whether either is
 negated. For
 example, in
 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
 element is
 completely useless because the algorithm will match any lookup for
 1.2.3.13 to the 1.2.3/24 element.
 Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
 that problem by having 1.2.3.13 blocked by the negation but all
 other 1.2.3.* hosts fall through.
 </p>
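<p>
 The first-match rule and the ordering pitfall described above can be checked mechanically. The following is an added example, not code from BIND or from this manual: a simplified evaluator for flat access control lists that also reports elements made unreachable by an earlier, broader element. The function names <code class="literal">parse_list</code>, <code class="literal">allows</code> and <code class="literal">shadowed</code> are hypothetical, and only IP addresses, prefixes and the predefined name <code class="literal">any</code> are handled (no keys, named ACLs or nested lists).
 </p>

```python
import ipaddress

# "any" matches every IPv4 and IPv6 address.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def _to_network(text):
    """Turn '1.2.3.13', '1.2.3/24' or '2001:db8::/32' into a network object.

    Short IPv4 prefixes are padded with trailing zero octets, so 127/8
    becomes 127.0.0.0/8 as in the ip_prefix description.
    """
    addr, _, length = text.partition("/")
    if length and ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    ip = ipaddress.ip_address(addr)
    if not length:
        length = str(ip.max_prefixlen)  # a bare address is a host route
    # strict=False: this sketch does not reject prefixes with host bits set.
    return ipaddress.ip_network(f"{ip}/{length}", strict=False)


def parse_list(text):
    """Parse 'elem; elem; ...' into (negated, element_text, networks) tuples."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        nets = ANY if body == "any" else [_to_network(body)]
        elements.append((negated, body, nets))
    return elements


def allows(elements, client):
    """Access-control interpretation: the first matching element decides.

    A non-negated match allows, a negated match denies, and no match denies.
    """
    ip = ipaddress.ip_address(client)
    for negated, _, nets in elements:
        if any(ip.version == n.version and ip in n for n in nets):
            return not negated
    return False


def shadowed(elements):
    """Return (element, earlier_element) pairs where the element can never
    be reached because an earlier element already covers all of it."""
    findings = []
    for i, (_, body, nets) in enumerate(elements):
        for _, earlier_body, earlier_nets in elements[:i]:
            covered = all(
                any(n.version == e.version and n.subnet_of(e) for e in earlier_nets)
                for n in nets
            )
            if covered:
                findings.append((body, earlier_body))
                break
    return findings


if __name__ == "__main__":
    # The two orderings discussed in the text.
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        parsed = parse_list(acl)
        print(acl)
        print("  1.2.3.13 allowed:", allows(parsed, "1.2.3.13"))
        print("  1.2.3.14 allowed:", allows(parsed, "1.2.3.14"))
        print("  unreachable elements:", shadowed(parsed))
```

<p>
 Running <code class="literal">shadowed</code> over each list in a configuration review flags negations that were placed after the broader element they were meant to carve an exception from.
 </p>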
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2554338"></a>Comment Syntax</h3></div></div></div>
<p>
 The <span class="acronym">BIND</span> 9 comment syntax allows for
 comments to appear
 anywhere that white space may appear in a <span class="acronym">BIND</span> configuration
 file. To appeal to programmers of all kinds, they can be written
 in the C, C++, or shell/perl style.
 </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554353"></a>Syntax</h4></div></div></div>
<p>
 </p>
<pre class="programlisting">/* This is a <span class="acronym">BIND</span> comment as in C */</pre>
<p>
 </p>
<pre class="programlisting">// This is a <span class="acronym">BIND</span> comment as in C++</pre>
<p>
 </p>
<pre class="programlisting"># This is a <span class="acronym">BIND</span> comment as in common UNIX shells and perl</pre>
<p>
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2554382"></a>Definition and Usage</h4></div></div></div>
<p>
 Comments may appear anywhere that white space may appear in
 a <span class="acronym">BIND</span> configuration file.
 </p>
<p>
 C-style comments start with the two characters /* (slash,
 star) and end with */ (star, slash). Because they are completely
 delimited with these characters, they can be used to comment only
 a portion of a line or to span multiple lines.
 </p>
<p>
 C-style comments cannot be nested. For example, the following
 is not valid because the entire comment ends with the first */:
 </p>
<p>

</p>
<pre class="programlisting">/* This is the start of a comment.
 This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
 This is no longer in any comment. */
</pre>
<p>

 </p>
<p>
 C++-style comments start with the two characters // (slash,
 slash) and continue to the end of the physical line. They cannot
 be continued across multiple physical lines; to have one logical
 comment span multiple lines, each line must use the // pair.
 </p>
<p>
 For example:
 </p>
<p>

</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>

 </p>
<p>
 Shell-style (or perl-style, if you prefer) comments start
 with the character <code class="literal">#</code> (number sign)
 and continue to the end of the
 physical line, as in C++ comments.
 </p>
<p>
 For example:
 </p>
<p>

</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<p>

 </p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
 You cannot use the semicolon (`;') character
 to start a comment such as you would in a zone file. The
 semicolon indicates the end of a configuration
 statement.
 </p>
</div>
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
<p>
 A <span class="acronym">BIND</span> 9 configuration consists of
 statements and comments.
 Statements end with a semicolon. Statements and comments are the
 only elements that can appear without enclosing braces. Many
 statements contain a block of sub-statements, which are also
 terminated with a semicolon.
 </p>
<p>
 The following statements are supported:
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p><span><strong class="command">acl</strong></span></p>
 </td>
<td>
 <p>
 defines a named IP address
 matching list, for access control and other uses.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">controls</strong></span></p>
 </td>
<td>
 <p>
 declares control channels to be used
 by the <span><strong class="command">rndc</strong></span> utility.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">include</strong></span></p>
 </td>
<td>
 <p>
 includes a file.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">key</strong></span></p>
 </td>
<td>
 <p>
 specifies key information for use in
 authentication and authorization using TSIG.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">logging</strong></span></p>
 </td>
<td>
 <p>
 specifies what the server logs, and where
 the log messages are sent.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">lwres</strong></span></p>
 </td>
<td>
 <p>
 configures <span><strong class="command">named</strong></span> to
 also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
 </p>
 </td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering</tr>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<tr>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering <p><span><strong class="command">masters</strong></span></p>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering </td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering <p>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering defines a named masters list for
daa05349dfefb12638c96e034c11be613bdc39b7Ansgar Burchardt inclusion in stub and slave zone masters clauses.
8d0e0ddda6501479eb69164687c83c1a7667b33aJan Engelhardt </p>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering </td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering</tr>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<tr>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering <p><span><strong class="command">options</strong></span></p>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering </td>
04e91da2cfdfb7153218be7a77c885f1c23d3fd7Lennart Poettering<td>
4c0d13bdd5ef971a3003899064af1717c8960beeLennart Poettering <p>
4c0d13bdd5ef971a3003899064af1717c8960beeLennart Poettering controls global server configuration
4c0d13bdd5ef971a3003899064af1717c8960beeLennart Poettering options and sets defaults for other statements.
4c0d13bdd5ef971a3003899064af1717c8960beeLennart Poettering </p>
4c0d13bdd5ef971a3003899064af1717c8960beeLennart Poettering </td>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering</tr>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering<tr>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering<td>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering <p><span><strong class="command">server</strong></span></p>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering </td>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering<td>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering <p>
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering sets certain configuration options on
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering a per-server basis.
dc1d6c02fcf55bb7dac918d0ed3bd3e2a3d67525Lennart Poettering </p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering</tr>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<tr>
69beda1f75070b36d0562e4050cd567bf2da5a87Kay Sievers<td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering <p><span><strong class="command">trusted-keys</strong></span></p>
8d0e0ddda6501479eb69164687c83c1a7667b33aJan Engelhardt </td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<td>
c9679c652b3c31f2510e8805d81630680ebc7e95Lennart Poettering <p>
c9679c652b3c31f2510e8805d81630680ebc7e95Lennart Poettering defines trusted DNSSEC keys.
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </p>
8d0e0ddda6501479eb69164687c83c1a7667b33aJan Engelhardt </td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering</tr>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<tr>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering <p><span><strong class="command">view</strong></span></p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<td>
69beda1f75070b36d0562e4050cd567bf2da5a87Kay Sievers <p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering defines a view.
8d0e0ddda6501479eb69164687c83c1a7667b33aJan Engelhardt </p>
c9679c652b3c31f2510e8805d81630680ebc7e95Lennart Poettering </td>
8d0e0ddda6501479eb69164687c83c1a7667b33aJan Engelhardt</tr>
c9679c652b3c31f2510e8805d81630680ebc7e95Lennart Poettering<tr>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<td>
69beda1f75070b36d0562e4050cd567bf2da5a87Kay Sievers <p><span><strong class="command">zone</strong></span></p>
69beda1f75070b36d0562e4050cd567bf2da5a87Kay Sievers </td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<td>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering <p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering defines a zone.
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </td>
499b604b21c02ee64c8590a76d7900d64d7a5cb7Zbigniew Jędrzejewski-Szmek</tr>
499b604b21c02ee64c8590a76d7900d64d7a5cb7Zbigniew Jędrzejewski-Szmek</tbody>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering</table></div>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering<p>
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering The <span><strong class="command">logging</strong></span> and
499b604b21c02ee64c8590a76d7900d64d7a5cb7Zbigniew Jędrzejewski-Szmek <span><strong class="command">options</strong></span> statements may only occur once
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering per
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering configuration.
6936cd8926b6935364874b3701e86fe823e8c4ceLennart Poettering </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2554882"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
    address_match_list
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
 The <span><strong class="command">acl</strong></span> statement assigns a symbolic
 name to an address match list. It gets its name from a primary
 use of address match lists: Access Control Lists (ACLs).
 </p>
<p>
 Note that an address match list's name must be defined
 with <span><strong class="command">acl</strong></span> before it can be used
 elsewhere; no forward references are allowed.
 </p>
<p>
 The following ACLs are built-in:
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p><span><strong class="command">any</strong></span></p>
 </td>
<td>
 <p>
 Matches all hosts.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">none</strong></span></p>
 </td>
<td>
 <p>
 Matches no hosts.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">localhost</strong></span></p>
 </td>
<td>
 <p>
 Matches the IPv4 and IPv6 addresses of all network
 interfaces on the system.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">localnets</strong></span></p>
 </td>
<td>
 <p>
 Matches any host on an IPv4 or IPv6 network
 for which the system has an interface.
 Some systems do not provide a way to determine the prefix
 lengths of local IPv6 addresses.
 In such a case, <span><strong class="command">localnets</strong></span>
 only matches the local
 IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
 </p>
 </td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555072"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
   [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
                keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ inet ...; ]
   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ unix ...; ]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
 The <span><strong class="command">controls</strong></span> statement declares control
 channels to be used by system administrators to control the
 operation of the name server. These control channels are
 used by the <span><strong class="command">rndc</strong></span> utility to send
 commands to and retrieve non-DNS results from a name server.
 </p>
<p>
 An <span><strong class="command">inet</strong></span> control channel is a TCP socket
 listening at the specified <span><strong class="command">ip_port</strong></span> on the
 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
 interpreted as the IPv4 wildcard address; connections will be
 accepted on any of the system's IPv4 addresses.
 To listen on the IPv6 wildcard address,
 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
 If you will only use <span><strong class="command">rndc</strong></span> on the local host,
 using the loopback address (<code class="literal">127.0.0.1</code>
 or <code class="literal">::1</code>) is recommended for maximum security.
 </p>
<p>
 If no port is specified, port 953 is used. The asterisk
 "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
 </p>
<p>
 The ability to issue commands over the control channel is
 restricted by the <span><strong class="command">allow</strong></span> and
 <span><strong class="command">keys</strong></span> clauses.
 Connections to the control channel are permitted based on the
 <span><strong class="command">address_match_list</strong></span>. This is for simple
 IP-address-based filtering only; any <span><strong class="command">key_id</strong></span>
 elements of the <span><strong class="command">address_match_list</strong></span>
 are ignored.
 </p>
<p>
 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
 socket listening at the specified path in the file system.
 Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
 Note that on some platforms (SunOS and Solaris) the permissions
 (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
 as the permissions on the socket itself are ignored.
 </p>
<p>
 The primary authorization mechanism of the command
 channel is the <span><strong class="command">key_list</strong></span>, which
 contains a list of <span><strong class="command">key_id</strong></span>s.
 Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
 is authorized to execute commands over the control channel.
 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>
 for information about configuring keys in <span><strong class="command">rndc</strong></span>.
 </p>
<p>
 If no <span><strong class="command">controls</strong></span> statement is present,
 <span><strong class="command">named</strong></span> will set up a default
 control channel listening on the loopback address 127.0.0.1
 and its IPv6 counterpart ::1.
 In this case, and also when the <span><strong class="command">controls</strong></span> statement
 is present but does not have a <span><strong class="command">keys</strong></span> clause,
 <span><strong class="command">named</strong></span> will attempt to load the command channel key
 from the file <code class="filename">rndc.key</code> in
 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
 was specified as when <span class="acronym">BIND</span> was built).
 To create an <code class="filename">rndc.key</code> file, run
 <strong class="userinput"><code>rndc-confgen -a</code></strong>.
 </p>
<p>
 The <code class="filename">rndc.key</code> feature was created to
 ease the transition of systems from <span class="acronym">BIND</span> 8,
 which did not have digital signatures on its command channel
 messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
 It makes it possible to use an existing <span class="acronym">BIND</span> 8
 configuration file in <span class="acronym">BIND</span> 9 unchanged,
 and still have <span><strong class="command">rndc</strong></span> work the same way
 <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
 command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
 installed.
 </p>
<p>
 Since the <code class="filename">rndc.key</code> feature
 is only intended to allow the backward-compatible usage of
 <span class="acronym">BIND</span> 8 configuration files, this
 feature does not
 have a high degree of configurability. You cannot easily change
 the key name or the size of the secret, so you should make an
 <code class="filename">rndc.conf</code> with your own key if you
 wish to change
 those things. The <code class="filename">rndc.key</code> file
 also has its
 permissions set such that only the owner of the file (the user that
 <span><strong class="command">named</strong></span> is running as) can access it.
 If you
 desire greater flexibility in allowing other users to access
 <span><strong class="command">rndc</strong></span> commands, then you need to create
 an
 <code class="filename">rndc.conf</code> and make it group
 readable by a group
 that contains the users who should have access.
 </p>
<p>
 To disable the command channel, use an empty
 <span><strong class="command">controls</strong></span> statement:
 <span><strong class="command">controls { };</strong></span>.
 </p>
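<p>
 The following is an added example, not part of the BIND documentation or code: a small audit of
 <span><strong class="command">controls</strong></span> statements against the points made above
 (wildcard listeners, <span><strong class="command">allow</strong></span> lists, the
 <code class="filename">rndc.key</code> fallback, socket permissions, and the disabled or default channel).
 The two configurations are constructed samples, the finding names are made up, the parser covers only the grammar shown above
 without nested address match lists, and it assumes <span><strong class="command">perm</strong></span> is written as a C-style octal number such as 0600.
 </p>

```python
import re

# Constructed named.conf fragments (not from a real server); key definitions omitted.
WEAK = '''
controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };   // every IPv4 interface
    unix "/var/run/ndc" perm 0666 owner 0 group 0 keys { "rndc-key"; };
};
'''
HARDENED = '''
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
    unix "/var/run/ndc" perm 0600 owner 0 group 0 keys { "rndc-key"; };
};
'''
LOOPBACK = {"127.0.0.1", "::1"}


def controls_bodies(conf):
    """Return the text inside the braces of every controls statement."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    bodies = []
    for m in re.finditer(r"\bcontrols\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
    return bodies


def clauses(body):
    """Split a controls body into token lists, one per inet/unix clause."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', body)
    out, current, depth = [], [], 0
    for tok in tokens:
        if tok == ";" and depth == 0:
            if current:
                out.append(current)
            current = []
            continue
        depth += (tok == "{") - (tok == "}")
        current.append(tok)
    return out


def braced(clause, keyword):
    """Items of `keyword { ... }`, or None if the clause has no such block."""
    if keyword not in clause:
        return None
    start = clause.index(keyword) + 2          # skip the keyword and "{"
    end = clause.index("}", start)
    return [t.strip('"') for t in clause[start:end] if t != ";"]


def parse_perm(tok):
    # Assumption: perm is written C-style, so a leading 0 means octal (0600).
    base = 16 if tok.lower().startswith("0x") else 8 if tok.startswith("0") else 10
    return int(tok, base)


def audit(conf):
    """Return (finding, clause) pairs; the finding names are made up for this example."""
    bodies = controls_bodies(conf)
    if not bodies:
        # No controls statement: default channel on 127.0.0.1 and ::1, key from rndc.key.
        return [("default-channel", "")]
    findings = []
    for body in bodies:
        parsed = clauses(body)
        if not parsed:
            findings.append(("channel-disabled", "controls { };"))
        for clause in parsed:
            kind, target = clause[0], clause[1].strip('"')
            label = f"{kind} {target}"
            if braced(clause, "keys") is None:
                # Without a keys clause named tries to load the key from rndc.key.
                findings.append(("fallback-rndc-key", label))
            if kind == "inet":
                if target in ("*", "::"):
                    findings.append(("wildcard-bind", label))
                if target not in LOOPBACK and "any" in (braced(clause, "allow") or []):
                    findings.append(("allow-any", label))
            elif kind == "unix" and "perm" in clause:
                # Any bit set for "other" lets every local user reach the socket.
                if parse_perm(clause[clause.index("perm") + 1]) & 0o007:
                    findings.append(("socket-open-to-others", label))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```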
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555432"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555447"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
 The <span><strong class="command">include</strong></span> statement inserts the
 specified file at the point where the <span><strong class="command">include</strong></span>
 statement is encountered. The <span><strong class="command">include</strong></span>
 statement facilitates the administration of configuration files
 by permitting the reading or writing of some parts of the configuration but not
 others. For example, the included file could contain private keys
 that are readable only by the name server.
 </p>
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering</div>
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering<div class="sect2" lang="en">
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering<div class="titlepage"><div><div><h3 class="title">
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering<a name="id2555470"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering algorithm <em class="replaceable"><code>string</code></em>;
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering secret <em class="replaceable"><code>string</code></em>;
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering};
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering</pre>
51c61cda1a542c9e999bfdc6aab4a029c0ae7f5aLennart Poettering</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555492"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
  The <span><strong class="command">key</strong></span> statement defines a shared
  secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
  or the command channel
  (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>).
</p>
<p>
  The <span><strong class="command">key</strong></span> statement can occur at the
  top level of the configuration file or inside a <span><strong class="command">view</strong></span>
  statement. Keys defined in top-level <span><strong class="command">key</strong></span>
  statements can be used in all views. Keys intended for use in
  a <span><strong class="command">controls</strong></span> statement
  (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
  must be defined at the top level.
</p>
<p>
  The <em class="replaceable"><code>key_id</code></em>, also known as the
  key name, is a domain name uniquely identifying the key. It can
  be used in a <span><strong class="command">server</strong></span>
  statement to cause requests sent to that
  server to be signed with this key, or in address match lists to
  verify that incoming requests have been signed with a key
  matching this name, algorithm, and secret.
</p>
<p>
  The <em class="replaceable"><code>algorithm_id</code></em> is a string
  that specifies a security/authentication algorithm. Named
  supports <code class="literal">hmac-md5</code>,
  <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
  <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
  and <code class="literal">hmac-sha512</code> TSIG authentication.
  Truncated hashes are supported by appending the minimum
  number of required bits preceded by a dash, e.g.
  <code class="literal">hmac-sha1-80</code>. The
  <em class="replaceable"><code>secret_string</code></em> is the secret
  to be used by the algorithm, and is treated as a base-64
  encoded string.
</p>
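<p>
  As an added example (not part of BIND or of this manual), the following Python script audits the
  <span><strong class="command">key</strong></span> statements of a configuration file against the rules above:
  a listed algorithm name, an optional truncation suffix such as <code class="literal">hmac-sha1-80</code>,
  and a secret that decodes as base-64. The policy thresholds (<code class="literal">DISCOURAGED</code>,
  <code class="literal">MIN_SECRET_BYTES</code>, <code class="literal">MIN_TRUNCATED_BITS</code>) and the sample
  configuration are assumptions constructed for illustration.
</p>

```python
import base64
import binascii
import re

# Digest sizes in bits for the algorithms this section lists.
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}
# Assumed local policy thresholds, not behaviour of named.
DISCOURAGED = {"hmac-md5", "hmac-sha1"}
MIN_SECRET_BYTES = 16
MIN_TRUNCATED_BITS = 80

# Quoted strings are matched first so that "//" inside a base-64 secret is
# not mistaken for the start of a comment.
_SKIP_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_KEY_RE = re.compile(r'\bkey\s+"?([^\s"{};]+)"?\s*\{(.*?)\}\s*;', re.S)
_ALGO_RE = re.compile(r'\balgorithm\s+"?([^\s";]+)"?\s*;')
_SECRET_RE = re.compile(r'\bsecret\s+"?([^\s";]+)"?\s*;')


def strip_comments(text):
    """Remove /* */, // and # comments while leaving quoted strings intact."""
    return _SKIP_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def check_algorithm(algorithm):
    """Return findings for an algorithm string such as 'hmac-sha1-80'."""
    name = algorithm.lower()
    base, bits = name, None
    suffix = re.fullmatch(r"(.+)-(\d+)", name)
    if name not in DIGEST_BITS and suffix:
        base, bits = suffix.group(1), int(suffix.group(2))
    if base not in DIGEST_BITS:
        return [f"unknown algorithm {algorithm!r}"]
    findings = []
    if base in DISCOURAGED:
        findings.append(f"{base} is discouraged by policy")
    if bits is not None:
        floor = max(MIN_TRUNCATED_BITS, DIGEST_BITS[base] // 2)
        if bits > DIGEST_BITS[base]:
            findings.append(f"truncation to {bits} bits exceeds the digest size")
        elif bits < floor:
            findings.append(f"truncation to {bits} bits is below the {floor}-bit floor")
    return findings


def check_secret(secret):
    """Return findings for a secret that must be a base-64 encoded string."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["secret is not valid base-64"]
    if len(raw) < MIN_SECRET_BYTES:
        return [f"secret decodes to only {len(raw)} bytes"]
    return []


def audit_keys(conf_text):
    """Return (key_id, finding) pairs for every key statement in conf_text."""
    results = []
    for match in _KEY_RE.finditer(strip_comments(conf_text)):
        key_id, body = match.groups()
        algo = _ALGO_RE.search(body)
        secret = _SECRET_RE.search(body)
        findings = check_algorithm(algo.group(1)) if algo else ["no algorithm clause"]
        findings += check_secret(secret.group(1)) if secret else ["no secret clause"]
        results.extend((key_id, finding) for finding in findings)
    return results


# Constructed sample configuration; key names and secrets are made up.
_OK_SECRET = base64.b64encode(bytes(range(32))).decode()
_SLASH_SECRET = base64.b64encode(b"\xff" * 33).decode()  # 44 '/' characters
SAMPLE_CONF = f"""
// constructed sample
key "transfer.example." {{
    algorithm hmac-sha256;
    secret "{_OK_SECRET}";
}};
key legacy.example. {{
    algorithm hmac-md5;    # constructed legacy entry
    secret "c2hvcnQ=";     /* decodes to 5 bytes */
}};
key trunc.example. {{
    algorithm hmac-sha256-96;
    secret "{_SLASH_SECRET}";
}};
"""

if __name__ == "__main__":
    for key_id, finding in audit_keys(SAMPLE_CONF):
        print(f"{key_id}: {finding}")
```

<p>
  The script reads only the text it is given, so key statements pulled in through
  <span><strong class="command">include</strong></span> must be passed to it separately.
</p>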
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555651"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
   ...
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2555845"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
  The <span><strong class="command">logging</strong></span> statement configures a
  wide variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
  associates output methods, format options and severity levels with
  a name that can then be used with the <span><strong class="command">category</strong></span> phrase
  to select how various classes of messages are logged.
</p>
<p>
  Only one <span><strong class="command">logging</strong></span> statement is used to
  define as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
  the logging configuration will be:
</p>
<pre class="programlisting">logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};
</pre>
<p>
  In <span class="acronym">BIND</span> 9, the logging configuration
  is only established when
  the entire configuration file has been parsed. In <span class="acronym">BIND</span> 8, it was
  established as soon as the <span><strong class="command">logging</strong></span>
  statement was parsed. When the server is starting up, all logging messages
  regarding syntax errors in the configuration file go to the default
  channels, or to standard error if the "<code class="option">-g</code>" option
  was specified.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2555897"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
  All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
  you can make as many of them as you want.
</p>
<p>
  Every channel definition must include a destination clause that
  says whether messages selected for the channel go to a file, to a
  particular syslog facility, to the standard error stream, or are
  discarded. It can optionally also limit the message severity level
  that will be accepted by the channel (the default is
  <span><strong class="command">info</strong></span>), and whether to include a
  <span><strong class="command">named</strong></span>-generated time stamp, the
  category name and/or severity level (the default is not to include any).
</p>
<p>
  The <span><strong class="command">null</strong></span> destination clause
  causes all messages sent to the channel to be discarded;
  in that case, other options for the channel are meaningless.
</p>
<p>
  The <span><strong class="command">file</strong></span> destination clause directs
  the channel to a disk file. It can include limitations
  both on how large the file is allowed to become, and how many
  versions of the file will be saved each time the file is opened.
</p>
<p>
  If you use the <span><strong class="command">versions</strong></span> log file
  option, then
  <span><strong class="command">named</strong></span> will retain that many backup
  versions of the file by
  renaming them when opening. For example, if you choose to keep 3
  old versions
  of the file <code class="filename">lamers.log</code> then just
  before it is opened
  <code class="filename">lamers.log.1</code> is renamed to
  <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
  to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
  renamed to <code class="filename">lamers.log.0</code>.
  You can say <span><strong class="command">versions unlimited</strong></span> to
  not limit the number of versions.
  If a <span><strong class="command">size</strong></span> option is associated with
  the log file,
  then renaming is only done when the file being opened exceeds the
  indicated size. No backup versions are kept by default; any
  existing log file is simply appended to.
</p>
<p>
  The <span><strong class="command">size</strong></span> option for files is used
  to limit log
  growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
  stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
  associated with it. If backup versions are kept, the files are
  rolled as described above and a new one begun. If there is no
  <span><strong class="command">versions</strong></span> option, no more data will
  be written to the log
  until some out-of-band mechanism removes or truncates the log to
  less than the maximum size. The default behavior is not to limit the size of
  the file.
</p>
<p>
  Example usage of the <span><strong class="command">size</strong></span> and
  <span><strong class="command">versions</strong></span> options:
</p>
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
<p>
  The <span><strong class="command">syslog</strong></span> destination clause
  directs the
  channel to the system log. Its argument is a
  syslog facility as described in the <span><strong class="command">syslog</strong></span> man
  page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
  <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
  <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
  <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
  <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
  <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
  <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
  <span><strong class="command">local7</strong></span>; however, not all facilities
  are supported on all operating systems.
  How <span><strong class="command">syslog</strong></span> will handle messages
  sent to
  this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
  page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
  only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
  then this clause is silently ignored.
</p>
<p>
  The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
  "priorities", except that they can also be used if you are writing
  straight to a file rather than using <span><strong class="command">syslog</strong></span>.
  Messages which are not at least of the severity level given will
  not be selected for the channel; messages of higher severity
  levels will be accepted.
</p>
<p>
  If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
  will also determine what eventually passes through. For example,
  defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
  only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
  cause messages of severity <span><strong class="command">info</strong></span> and
  <span><strong class="command">notice</strong></span> to
  be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
  messages of only <span><strong class="command">warning</strong></span> or higher,
  then <span><strong class="command">syslogd</strong></span> would
  print all messages it received from the channel.
</p>
<p>
  The <span><strong class="command">stderr</strong></span> destination clause
  directs the
  channel to the server's standard error stream. This is intended
  for use when the server is running as a foreground process, for
  example when debugging a configuration.
</p>
<p>
  The server can supply extensive debugging information when
  it is in debugging mode. If the server's global debug level is
  greater than zero, then debugging mode will be active. The global debug
  level is set either by starting the <span><strong class="command">named</strong></span> server
  with the <code class="option">-d</code> flag followed by a positive integer,
  or by running <span><strong class="command">rndc trace</strong></span>.
  The global debug level
  can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>. All debugging messages in the server have a debug
  level, and higher debug levels give more detailed output. Channels
  that specify a specific debug severity, for example:
</p>
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
<p>
  will get debugging output of level 3 or less any time the
  server is in debugging mode, regardless of the global debugging
  level. Channels with <span><strong class="command">dynamic</strong></span>
  severity use the
  server's global debug level to determine what messages to print.
</p>
<p>
  If <span><strong class="command">print-time</strong></span> has been turned on,
  then
  the date and time will be logged. <span><strong class="command">print-time</strong></span> may
  be specified for a <span><strong class="command">syslog</strong></span> channel,
  but is usually
  pointless since <span><strong class="command">syslog</strong></span> also prints
  the date and
  time. If <span><strong class="command">print-category</strong></span> is
  requested, then the
  category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
  on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
  be used in any combination, and will always be printed in the
  following
  order: time, category, severity. Here is an example where all
  three <span><strong class="command">print-</strong></span> options
  are on:
</p>
<p>
  <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
</p>
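<p>
  As an added example (not part of BIND or of this manual), the following Python script lints
  <span><strong class="command">channel</strong></span> definitions for the behaviours described above that
  cost log evidence: a <span><strong class="command">size</strong></span> limit without
  <span><strong class="command">versions</strong></span>, file channels without time stamps, and options
  that have no effect. The function names and every channel in the sample except
  <code class="literal">an_example_channel</code> are constructed for illustration.
</p>

```python
import re
import shlex

# Quoted strings are matched first so that comment markers inside a quoted
# file name are left alone.
_SKIP_RE = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_CHANNEL_RE = re.compile(r'\bchannel\s+"?([^\s"{};]+)"?\s*\{(.*?)\}\s*;', re.S)


def parse_channels(conf_text):
    """Return {channel_name: {clause_keyword: [arguments]}}.

    Simplification: a ';' inside a quoted file name is not supported.
    """
    text = _SKIP_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", conf_text)
    channels = {}
    for match in _CHANNEL_RE.finditer(text):
        clauses = {}
        for clause in match.group(2).split(";"):
            words = shlex.split(clause)
            if words:
                clauses[words[0]] = words[1:]
        channels[match.group(1)] = clauses
    return channels


def _enabled(clauses, option):
    """True when a print-* option is explicitly set to yes."""
    return clauses.get(option, ["no"])[:1] == ["yes"]


def lint_channel(clauses):
    """Return findings for one parsed channel, based on the manual's text."""
    if "null" in clauses:
        # Other options are meaningless once messages are discarded.
        return ["null destination: other options have no effect"] if len(clauses) > 1 else []
    findings = []
    if "file" in clauses:
        options = clauses["file"][1:]          # skip the path itself
        if "size" in options and "versions" not in options:
            findings.append("size without versions: named stops writing "
                            "once the file exceeds the limit")
        if "size" not in options:
            findings.append("no size: file growth is not limited")
        if not _enabled(clauses, "print-time"):
            findings.append("print-time is off: entries carry no time stamp")
    elif "syslog" in clauses:
        if _enabled(clauses, "print-time"):
            findings.append("print-time on a syslog channel duplicates "
                            "the syslog time stamp")
    elif "stderr" not in clauses:
        findings.append("no destination clause")
    return findings


def lint_logging(conf_text):
    """Return {channel_name: [findings]} for every channel in conf_text."""
    return {name: lint_channel(clauses)
            for name, clauses in parse_channels(conf_text).items()}


# Constructed sample; only an_example_channel is taken from the manual.
SAMPLE_LOGGING = """
logging {
    channel an_example_channel {        // the manual's example
        file "example.log" versions 3 size 20m;
        print-time yes;
        print-category yes;
    };
    channel capped_no_roll {
        file "capped.log" size 5m;      # stops at 5m, nothing is rolled
    };
    channel to_syslog {
        syslog daemon;
        severity info;
        print-time yes;
    };
    channel discard {
        null;
        severity debug 3;
    };
};
"""

if __name__ == "__main__":
    for name, findings in lint_logging(SAMPLE_LOGGING).items():
        for finding in findings:
            print(f"{name}: {finding}")
```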
<p>
  There are four predefined channels that are used for
  <span><strong class="command">named</strong></span>'s default logging as follows.
  How they are
  used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
</p>
<pre class="programlisting">channel default_syslog {
    syslog daemon;                      // send to syslog's daemon
                                        // facility
    severity info;                      // only send priority info
                                        // and higher
};

channel default_debug {
    file "named.run";                   // write to named.run in
                                        // the working directory
                                        // Note: stderr is used instead
                                        // of "named.run"
                                        // if the server is started
                                        // with the '-f' option.
    severity dynamic;                   // log at the server's
                                        // current debug level
};

channel default_stderr {
    stderr;                             // writes to stderr
    severity info;                      // only send priority info
                                        // and higher
};

channel null {
    null;                               // toss anything sent to
                                        // this channel
};
</pre>
<p>
 The <span><strong class="command">default_debug</strong></span> channel has the
 special property that it only produces output when the server's debug
 level is nonzero. It normally writes to a file called <code class="filename">named.run</code>
 in the server's working directory.
 </p>
<p>
 For security reasons, when the "<code class="option">-u</code>"
 command line option is used, the <code class="filename">named.run</code> file
 is created only after <span><strong class="command">named</strong></span> has
 changed to the new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
 starting up and still running as root is discarded. If you need
 to capture this output, you must run the server with the "<code class="option">-g</code>"
 option and redirect standard error to a file.
 </p>
<p>
 Once a channel is defined, it cannot be redefined. Thus you
 cannot alter the built-in channels directly, but you can modify
 the default logging by pointing categories at channels you have
 defined.
 </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
<p>
 There are many categories, so you can send the logs you want
 to see wherever you want, without seeing logs you don't want. If
 you don't specify a list of channels for a category, then log
 messages in that category will be sent to the <span><strong class="command">default</strong></span> category
 instead. If you don't specify a default category, the following
 "default default" is used:
 </p>
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
<p>
 As an example, let's say you want to log security events to
 a file, but you also want to keep the default logging behavior. You'd
 specify the following:
 </p>
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};</pre>
<p>
 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
 </p>
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
<p>
 Following are the available categories and brief descriptions
 of the types of log information they contain. More
 categories may be added in future <span class="acronym">BIND</span> releases.
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
 <p><span><strong class="command">default</strong></span></p>
 </td>
<td>
 <p>
 The default category defines the logging
 options for those categories where no specific
 configuration has been defined.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">general</strong></span></p>
 </td>
<td>
 <p>
 The catch-all. Many things still aren't
 classified into categories, and they all end up here.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">database</strong></span></p>
 </td>
<td>
 <p>
 Messages relating to the databases used
 internally by the name server to store zone and cache
 data.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">security</strong></span></p>
 </td>
<td>
 <p>
 Approval and denial of requests.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">config</strong></span></p>
 </td>
<td>
 <p>
 Configuration file parsing and processing.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">resolver</strong></span></p>
 </td>
<td>
 <p>
 DNS resolution, such as the recursive
 lookups performed on behalf of clients by a caching name
 server.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">xfer-in</strong></span></p>
 </td>
<td>
 <p>
 Zone transfers the server is receiving.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">xfer-out</strong></span></p>
 </td>
<td>
 <p>
 Zone transfers the server is sending.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">notify</strong></span></p>
 </td>
<td>
 <p>
 The NOTIFY protocol.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">client</strong></span></p>
 </td>
<td>
 <p>
 Processing of client requests.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">unmatched</strong></span></p>
 </td>
<td>
 <p>
 Messages that named was unable to determine the
 class of or for which there was no matching <span><strong class="command">view</strong></span>.
 A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
 This category is best sent to a file or stderr; by
 default it is sent to
 the <span><strong class="command">null</strong></span> channel.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">network</strong></span></p>
 </td>
<td>
 <p>
 Network operations.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">update</strong></span></p>
 </td>
<td>
 <p>
 Dynamic updates.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">update-security</strong></span></p>
 </td>
<td>
 <p>
 Approval and denial of update requests.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">queries</strong></span></p>
 </td>
<td>
 <p>
 Specify where queries should be logged to.
 </p>
 <p>
 At startup, specifying the category <span><strong class="command">queries</strong></span> will also
 enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
 specified.
 </p>
 <p>
 The query log entry reports the client's IP address and
 port number, and the
 query name, class and type. It also reports whether the
 Recursion Desired
 flag was set (+ if set, - if not set), whether EDNS was in use
 (E), and whether the
 query was signed (S).
 </p>
 <p>
 <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
 </p>
 <p>
 <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">dispatch</strong></span></p>
 </td>
<td>
 <p>
 Dispatching of incoming packets to the
 server modules where they are to be processed.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">dnssec</strong></span></p>
 </td>
<td>
 <p>
 DNSSEC and TSIG protocol processing.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">lame-servers</strong></span></p>
 </td>
<td>
 <p>
 Lame servers. These are misconfigurations
 in remote servers, discovered by BIND 9 when trying to
 query those servers during resolution.
 </p>
 </td>
</tr>
<tr>
<td>
 <p><span><strong class="command">delegation-only</strong></span></p>
 </td>
<td>
 <p>
 Delegation only. Logs queries that have
 been forced to NXDOMAIN as the result of a
 delegation-only zone or
 a <span><strong class="command">delegation-only</strong></span> in a
 hint or stub zone declaration.
 </p>
 </td>
</tr>
</tbody>
</table></div>
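<p>
 An added example, not part of the BIND documentation or ISC's code: a Python parser for the log line formats shown above. It accepts any combination of the <span><strong class="command">print-</strong></span> prefixes in the fixed order time, category, severity, and decodes a <span><strong class="command">queries</strong></span> entry into client address, port, name, class, type and flags.
 The function names, the lines marked constructed, and the severity list (critical, error, warning, notice, info, debug N) are assumptions of this example.
 </p>

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Category names copied from the table above.
CATEGORIES = {
    "default", "general", "database", "security", "config", "resolver",
    "xfer-in", "xfer-out", "notify", "client", "unmatched", "network",
    "update", "update-security", "queries", "dispatch", "dnssec",
    "lame-servers", "delegation-only",
}
MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

TIME_RE = re.compile(
    r"(\d{2})-([A-Z][a-z]{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{3}) ")
# A category prefix is the bare name followed directly by ": ". This keeps
# the message body "client 127.0.0.1#62536: ..." from being mistaken for the
# "client" category when print-category is off.
CATEGORY_RE = re.compile(r"([a-z-]+): ")
# Assumption: severity names as printed by named; debug carries a level.
SEVERITY_RE = re.compile(r"(critical|error|warning|notice|info|debug \d+): ")
QUERY_RE = re.compile(
    r"client (?P<addr>\S+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>[SE]*)$")


@dataclass
class Query:
    client: str
    port: int
    qname: str
    qclass: str
    qtype: str
    recursion_desired: bool   # "+" if set, "-" if not
    signed: bool              # "S"
    edns: bool                # "E"


@dataclass
class Entry:
    time: Optional[datetime]
    category: Optional[str]
    severity: Optional[str]
    message: str
    query: Optional[Query]


def parse_query(message: str) -> Optional[Query]:
    """Decode a query log message; return None if it is not one."""
    m = QUERY_RE.match(message)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m["addr"])   # IPv4 or IPv6
    except ValueError:
        return None                              # malformed client address
    port = int(m["port"])
    if port > 65535:
        return None
    return Query(str(addr), port, m["qname"], m["qclass"], m["qtype"],
                 m["rd"] == "+", "S" in m["flags"], "E" in m["flags"])


def parse_line(line: str) -> Entry:
    """Strip the optional time, category and severity prefixes, in that order."""
    rest = line.rstrip("\n")
    when = category = severity = None
    m = TIME_RE.match(rest)
    if m and m.group(2) in MONTHS:
        day, mon, year, hh, mm, ss, ms = m.groups()
        try:
            when = datetime(int(year), MONTHS[mon], int(day),
                            int(hh), int(mm), int(ss), int(ms) * 1000)
            rest = rest[m.end():]
        except ValueError:
            when = None                          # e.g. day 31 in a short month
    m = CATEGORY_RE.match(rest)
    if m and m.group(1) in CATEGORIES:
        category, rest = m.group(1), rest[m.end():]
    m = SEVERITY_RE.match(rest)
    if m:
        severity, rest = m.group(1), rest[m.end():]
    return Entry(when, category, severity, rest, parse_query(rest))


SAMPLE_LINES = [
    # The three example lines from the text above.
    "28-Feb-2000 15:05:32.863 general: notice: running",
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "client ::1#62537: query: www.example.net IN AAAA -SE",
    # Constructed lines: all prefixes on, category only, invalid address.
    "28-Feb-2000 15:05:33.001 queries: info: "
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "queries: client 192.0.2.7#53000: query: example.org IN A -",
    "info: client 999.0.2.7#53000: query: example.org IN A +E",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

<p>
 A message body that itself begins with a category or severity name followed by a colon cannot be told apart from a prefix, so the parser is most reliable when the channel's <span><strong class="command">print-</strong></span> settings are known.
 </p>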
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2557195"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
<p>
 This is the grammar of the <span><strong class="command">lwres</strong></span>
 statement in the <code class="filename">named.conf</code> file:
 </p>
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
    [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
    [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2557269"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
8b7d0494a3fe35209d4db0d1b9e065e7e5cc9875Jason St. John<p>
8b7d0494a3fe35209d4db0d1b9e065e7e5cc9875Jason St. John The <span><strong class="command">lwres</strong></span> statement configures the
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering name
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering server to also act as a lightweight resolver server. (See
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering <span><strong class="command">lwres</strong></span> statements configuring
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering lightweight resolver servers with different properties.
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering </p>
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering<p>
4c2413bffa7861bd3c4b3589c821ab7e0ac51c83Jan Engelhardt The <span><strong class="command">listen-on</strong></span> statement specifies a
8b7d0494a3fe35209d4db0d1b9e065e7e5cc9875Jason St. John list of
b8bde11658366290521e3d03316378b482600323Jan Engelhardt addresses (and ports) that this instance of a lightweight resolver
b8bde11658366290521e3d03316378b482600323Jan Engelhardt daemon
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering should accept requests on. If no port is specified, port 921 is
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering used.
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering If this statement is omitted, requests will be accepted on
4c2413bffa7861bd3c4b3589c821ab7e0ac51c83Jan Engelhardt 127.0.0.1,
8b7d0494a3fe35209d4db0d1b9e065e7e5cc9875Jason St. John port 921.
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering </p>
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering<p>
210054d76cf4d294533aa09256d375e33b52569fKay Sievers The <span><strong class="command">view</strong></span> statement binds this
210054d76cf4d294533aa09256d375e33b52569fKay Sievers instance of a
210054d76cf4d294533aa09256d375e33b52569fKay Sievers lightweight resolver daemon to a view in the DNS namespace, so that
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering the
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering response will be constructed in the same manner as a normal DNS
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering query
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering matching this view. If this statement is omitted, the default view
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering is
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering used, and if there is no default view, an error is triggered.
e49b5aada0df13c9e8fce7338ae34e075dd7ccd1Lennart Poettering </p>
<p>
  The <span><strong class="command">search</strong></span> statement is equivalent to
  the <span><strong class="command">search</strong></span> statement in
  <code class="filename">/etc/resolv.conf</code>. It provides a
  list of domains which are appended to relative names in queries.
</p>
<p>
  The <span><strong class="command">ndots</strong></span> statement is equivalent to
  the <span><strong class="command">ndots</strong></span> statement in
  <code class="filename">/etc/resolv.conf</code>. It indicates the
  minimum number of dots in a relative domain name that should result
  in an exact match lookup before search path elements are appended.
</p>
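<p>
  Added example (not part of the BIND documentation or source): the order in
  which names are tried for a given search list and ndots value, following the
  <code class="filename">/etc/resolv.conf</code> semantics that the
  <span><strong class="command">search</strong></span> and
  <span><strong class="command">ndots</strong></span> paragraphs above refer to.
  The function names, the sample domains and the default of ndots = 1 (the
  resolv.conf default, not stated on this page) are assumptions of the example.
</p>

```python
from typing import Iterable, List, Sequence


def to_absolute(name: str) -> str:
    """Lower-case a name and give it exactly one trailing dot."""
    return name.strip(".").lower() + "."


def candidate_names(name: str, search: Sequence[str], ndots: int = 1) -> List[str]:
    """Absolute names tried for `name`, in order (resolv.conf semantics).

    ndots defaults to 1, the resolv.conf default (an assumption here: the
    page itself does not state a default).
    """
    bare = name[:-1] if name.endswith(".") else name
    if not bare or any(not label for label in bare.split(".")):
        raise ValueError(f"malformed name: {name!r}")
    if ndots < 0:
        raise ValueError("ndots must not be negative")

    # A trailing dot marks the name as absolute: the search list is not used.
    if name.endswith("."):
        return [to_absolute(name)]

    exact = to_absolute(name)
    expanded = [to_absolute(f"{name}.{d.strip('.')}") for d in search if d.strip(".")]

    # Enough dots: exact-match lookup first, then the search path elements.
    # Too few dots: search path elements first, the bare name last.
    ordered = [exact, *expanded] if name.count(".") >= ndots else [*expanded, exact]

    # Drop duplicates while keeping the lookup order.
    return list(dict.fromkeys(ordered))


def outside_namespace(names: Iterable[str], suffixes: Sequence[str]) -> List[str]:
    """Candidates (absolute names) that fall under none of the given suffixes."""
    wanted = [to_absolute(s) for s in suffixes]
    return [n for n in names
            if not any(n == w or n.endswith("." + w) for w in wanted)]


if __name__ == "__main__":
    # Constructed sample input: a search list under the reserved .example TLD.
    search_list = ["corp.example", "example"]
    for query, dots in [("db", 1), ("db.prod", 1), ("db.prod", 2), ("www.isc.org.", 1)]:
        tried = candidate_names(query, search_list, dots)
        print(f"{query!r:16} ndots={dots}: {tried}")
        print(f"{'':16} outside .example: {outside_namespace(tried, ['example'])}")
```

<p>
  With ndots 1, a two-label relative name such as <code>db.prod</code> is looked
  up as an absolute name before any search domain is appended; with ndots 2 the
  search domains are tried first.
</p>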
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2557333"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2557445"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage</h3></div></div></div>
<p><span><strong class="command">masters</strong></span>
  lists allow for a common set of masters to be easily used by
  multiple stub and slave zones.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2557460"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
<p>
  This is the grammar of the <span><strong class="command">options</strong></span>
  statement in the <code class="filename">named.conf</code> file:
</p>
<pre class="programlisting">options {
    [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
    [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
    [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
    [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
    [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
    [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
    [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
    [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
    [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
    [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
        ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
          <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
        ... }; </span>]
    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
        ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
    [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
    [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
    [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
    [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
    [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
        [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
    [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
        [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
    [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
    [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
    [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
    [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
    [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
    [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
    [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
    [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
    [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
    [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
    [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
    [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
    [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
  The <span><strong class="command">options</strong></span> statement sets up global
  options to be used by <span class="acronym">BIND</span>. This statement
  may appear only once in a configuration file. If there is no
  <span><strong class="command">options</strong></span> statement, an options block
  with each option set to its default will be used.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
<dd><p>
  The working directory of the server.
  Any non-absolute pathnames in the configuration file will be
  taken as relative to this directory. The default location for most
  server output files (e.g. <code class="filename">named.run</code>)
  is this directory.
  If a directory is not specified, the working directory
  defaults to `<code class="filename">.</code>', the directory from
  which the server was started. The directory specified should be an
  absolute path.
</p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
<dd><p>
 When performing dynamic update of secure zones, the directory where the
 public and private key files should be found, if different than the
 current working directory. The directory specified must be an absolute
 path.
 </p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<dd><p>
 <span class="emphasis"><em>This option is obsolete.</em></span>
 It was used in <span class="acronym">BIND</span> 8 to
 specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
 In <span class="acronym">BIND</span> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
 needed; its functionality is built into the name server.
 </p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
<dd><p>
 The domain appended to the names of all shared keys generated with
 <span><strong class="command">TKEY</strong></span>. When a client
 requests a <span><strong class="command">TKEY</strong></span> exchange, it
 may or may not specify the desired name for the key. If present, the
 name of the shared key will be
 "<code class="varname">client specified part</code>" +
 "<code class="varname">tkey-domain</code>".
 Otherwise, the name of the shared key will be
 "<code class="varname">random hex digits</code>" +
 "<code class="varname">tkey-domain</code>". In most cases,
 the <span><strong class="command">domainname</strong></span> should be the
 server's domain name.
 </p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
<dd><p>
 The Diffie-Hellman key used by the server to generate shared keys with
 clients using the Diffie-Hellman mode
 of <span><strong class="command">TKEY</strong></span>. The server must be
 able to load the public and private keys from files in the working
 directory. In most cases, the keyname should be the server's host name.
 </p></dd>
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
<dd><p>
 The pathname of the file the server dumps the database to when
 instructed to do so with
 <span><strong class="command">rndc dumpdb</strong></span>.
 If not specified, the default is <code class="filename">named_dump.db</code>.
 </p></dd>
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
<dd><p>
 The pathname of the file the server writes memory usage statistics to
 on exit. If not specified, the default is
 <code class="filename">named.memstats</code>.
 </p></dd>
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
<dd><p>
 The pathname of the file the server writes its process ID
 in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
 The pid-file is used by programs that want to send signals to
 the running name server. Specifying
 <span><strong class="command">pid-file none</strong></span> disables the
 use of a PID file &#8212; no file will be written and any
 existing one will be removed. Note that <span><strong class="command">none</strong></span>
 is a keyword, not a file name, and therefore is not enclosed in
 double quotes.
 </p></dd>
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
<dd><p>
 The pathname of the file the server appends statistics
 to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
 If not specified, the default is <code class="filename">named.stats</code> in the
 server's current directory. The format of the file is described
 in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
 </p></dd>
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
<dd><p>
 The UDP/TCP port number the server uses for receiving and sending DNS
 protocol traffic. The default is 53. This option is mainly intended for
 server testing; a server using a port other than 53 will not be able to
 communicate with the global DNS.
 </p></dd>
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
<dd><p>
 The source of entropy to be used by the server. Entropy is primarily
 needed for DNSSEC operations, such as TKEY transactions and dynamic
 update of signed zones. This option specifies the device (or file) from
 which to read entropy. If this is a file, operations requiring entropy
 will fail when the file has been exhausted. If not specified, the
 default value is
 <code class="filename">/dev/random</code>
 (or equivalent) when present, and none otherwise. The
 <span><strong class="command">random-device</strong></span> option takes
 effect during the initial configuration load at server startup time and
 is ignored on subsequent reloads.
 </p></dd>
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
<dd><p>
 If specified, the listed type (A or AAAA) will be emitted before other
 glue in the additional section of a query response.
 The default is not to prefer any type (NONE).
 </p></dd>
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
<dd>
<p>
 Turn on enforcement of delegation-only in TLDs (top level domains) and
 root zones, with an optional exclude list.
 </p>
<p>
 Note that some TLDs are NOT delegation only (e.g. "DE", "LV", "US"
 and "MUSEUM").
 </p>
<pre class="programlisting">
options {
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
</pre>
</dd>
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
<dd><p>
 Disable the specified DNSSEC algorithms at and below the specified name.
 Multiple <span><strong class="command">disable-algorithms</strong></span>
 statements are allowed.
 Only the most specific will be applied.
 </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
<dd><p>
 When set, <span><strong class="command">dnssec-lookaside</strong></span>
 provides the validator with an alternate method to validate DNSKEY
 records at the top of a zone. When a DNSKEY is at or below a domain
 specified by the
 deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
 the normal DNSSEC validation has left the key untrusted, the
 trust-anchor will be appended to the key name and a DLV record will be
 looked up to see if it can validate the key. If the DLV record
 validates a DNSKEY (similarly to the way a DS record does), the DNSKEY
 RRset is deemed to be trusted.
 </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
<dd><p>
 Specify hierarchies which must / may not be secure (signed and
 validated).
 If <strong class="userinput"><code>yes</code></strong>, then named will only accept
 answers if they are secure.
 If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
 applies, allowing for insecure answers to be accepted.
 The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
 <span><strong class="command">dnssec-lookaside</strong></span> must be
 active.
 </p></dd>
</dl></div>
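<p>
 The path and keyword rules above can be checked before a configuration
 is deployed. The following Python sketch is an added example, not part
 of BIND or of the original manual: it audits an
 <span><strong class="command">options</strong></span> block against the constraints
 stated in this section and resolves where the server would write its
 output files. The sample configuration and all function names are
 constructed for illustration.
 </p>

```python
import posixpath
import re

# Constructed sample configuration (not from the original page).
SAMPLE_CONF = r'''
options {
    directory "named";          // relative path
    key-directory "keys";       # relative path
    pid-file "none";            /* quoted: a file called none, not the keyword */
    port 5353;
    statistics-file "stats/named.stats";
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
'''

# Defaults as stated in this section of the manual.
DEFAULT_FILES = {
    'dump-file': 'named_dump.db',
    'memstatistics-file': 'named.memstats',
    'pid-file': '/var/run/named.pid',
    'statistics-file': 'named.stats',
}

# Comments (//, #, /* */), quoted strings, punctuation, bare words.
TOKEN = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+', re.S)


def tokenize(text):
    """Split named.conf text into tokens and drop the comments."""
    return [t for t in TOKEN.findall(text) if not t.startswith(('//', '#', '/*'))]


def unquote(tok):
    """Strip the surrounding double quotes from a quoted-string token."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == '"' else tok


def options_blocks(tokens):
    """Return, per top-level options block, its statements as token lists."""
    blocks, i, depth = [], 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if depth == 0 and tok == 'options' and tokens[i + 1:i + 2] == ['{']:
            stmts, cur, inner, i = [], [], 1, i + 2
            while i < len(tokens) and inner > 0:
                t = tokens[i]
                inner += (t == '{') - (t == '}')
                if t == ';' and inner == 1:      # end of a top-level statement
                    if cur:
                        stmts.append(cur)
                    cur = []
                elif inner > 0:                  # keep nested braces and items
                    cur.append(t)
                i += 1
            blocks.append(stmts)
            continue
        depth += (tok == '{') - (tok == '}')
        i += 1
    return blocks


def audit(text):
    """Return (option, message) findings for rules stated in this section."""
    findings = []
    blocks = options_blocks(tokenize(text))
    if len(blocks) > 1:
        findings.append(('options', f'appears {len(blocks)} times; only one is allowed'))
    for stmts in blocks:
        for name, *args in stmts:
            arg = args[0] if args else ''
            if name in ('directory', 'key-directory') and not unquote(arg).startswith('/'):
                findings.append((name, f'{arg} is not an absolute path'))
            elif name == 'pid-file' and arg == '"none"':
                findings.append((name, 'quoted "none" is a file name; use the keyword none'))
            elif name == 'port' and arg != '53':
                findings.append((name, f'{arg}: cannot communicate with the global DNS'))
    return findings


def effective_files(text):
    """Map each output-file option to the path the server would use (None = no file)."""
    opts = {s[0]: s[1:] for stmts in options_blocks(tokenize(text)) for s in stmts}
    workdir = unquote((opts.get('directory') or ['.'])[0])
    paths = {}
    for name, default in DEFAULT_FILES.items():
        arg = (opts.get(name) or [default])[0]
        if name == 'pid-file' and arg == 'none':     # bare keyword: PID file disabled
            paths[name] = None
        else:                                        # relative names resolve against directory
            paths[name] = posixpath.join(workdir, unquote(arg))
    return paths


if __name__ == '__main__':
    for opt, msg in audit(SAMPLE_CONF):
        print(f'{opt}: {msg}')
    for opt, path in effective_files(SAMPLE_CONF).items():
        print(f'{opt} -> {path}')
```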
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
<dd><p>
 If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
 is always set on NXDOMAIN responses, even if the server is not actually
 authoritative. The default is <strong class="userinput"><code>no</code></strong>;
 this is a change from <span class="acronym">BIND</span> 8. If you
 are using very old DNS software, you
 may need to set it to <strong class="userinput"><code>yes</code></strong>.
 </p></dd>
<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
<dd><p>
 This option was used in <span class="acronym">BIND</span>
 8 to enable checking for memory leaks on exit.
 <span class="acronym">BIND</span> 9 ignores the option and always performs
 the checks.
 </p></dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd>
<p>
 If <strong class="userinput"><code>yes</code></strong>, then the
 server treats all zones as if they are doing zone transfers across
 a dial-on-demand dialup link, which can be brought up by traffic
 originating from this server. This has different effects according
 to zone type and concentrates the zone maintenance so that it all
 happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
 hopefully during the one call. It also suppresses some of the normal
 zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
 </p>
<p>
 The <span><strong class="command">dialup</strong></span> option
 may also be specified in the <span><strong class="command">view</strong></span> and
 <span><strong class="command">zone</strong></span> statements,
 in which case it overrides the global <span><strong class="command">dialup</strong></span>
 option.
 </p>
<p>
 If the zone is a master zone, then the server will send out a NOTIFY
 request to all the slaves (default). This should trigger the zone serial
 number check in the slave (providing it supports NOTIFY), allowing the
 slave to verify the zone while the connection is active.
 The set of servers to which NOTIFY is sent can be controlled by
 <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
 </p>
<p>
 If the zone is a slave or stub zone, then the server will suppress
 the regular "zone up to date" (refresh) queries and only perform them
 when the
 <span><strong class="command">heartbeat-interval</strong></span> expires in
 addition to sending NOTIFY requests.
 </p>
<p>
 Finer control can be achieved by using
 <strong class="userinput"><code>notify</code></strong>, which only sends NOTIFY
 messages,
 <strong class="userinput"><code>notify-passive</code></strong>, which sends NOTIFY
 messages and suppresses the normal refresh queries,
 <strong class="userinput"><code>refresh</code></strong>,
 which suppresses normal refresh processing and sends refresh queries
 when the <span><strong class="command">heartbeat-interval</strong></span>
 expires, and
 <strong class="userinput"><code>passive</code></strong>, which just disables normal
 refresh processing.
 </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td><p>dialup mode</p></td>
<td><p>normal refresh</p></td>
<td><p>heart-beat refresh</p></td>
<td><p>heart-beat notify</p></td>
</tr>
<tr>
<td><p><span><strong class="command">no</strong></span> (default)</p></td>
<td><p>yes</p></td>
<td><p>no</p></td>
<td><p>no</p></td>
</tr>
<tr>
<td><p><span><strong class="command">yes</strong></span></p></td>
<td><p>no</p></td>
<td><p>yes</p></td>
<td><p>yes</p></td>
</tr>
<tr>
<td><p><span><strong class="command">notify</strong></span></p></td>
<td><p>yes</p></td>
<td><p>no</p></td>
<td><p>yes</p></td>
</tr>
<tr>
<td><p><span><strong class="command">refresh</strong></span></p></td>
<td><p>no</p></td>
<td><p>yes</p></td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering <p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering no
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering</tr>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<tr>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering <p><span><strong class="command">passive</strong></span></p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering <p>
7c04ad2da1cf08ebf53b9aa9671c8c1dc9577135Lennart Poettering no
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<td>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek <p>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek no
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek </p>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek </td>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek<td>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek <p>
cbeabcfbc5a5fa27385e5794780e8f034e090606Zbigniew Jędrzejewski-Szmek no
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering</tr>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<tr>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering<td>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering <p><span><strong class="command">notify-passive</strong></span></p>
ef3b5246879094e29cc99c4d24cbfeb19b7da49bLennart Poettering </td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering<td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering <p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering no
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering<td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering <p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering no
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering<td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering <p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering yes
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </p>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering </td>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering</tr>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering</tbody>
d3a86981d1ae4c1d668e18868c3e6c9d2f23c144Lennart Poettering</table></div>
<p>
Note that normal NOTIFY processing is not affected by
<span><strong class="command">dialup</strong></span>.
</p>
</dd>
<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
<dd><p>
In <span class="acronym">BIND</span> 8, this option
enabled simulating the obsolete DNS query type
IQUERY. <span class="acronym">BIND</span> 9 never does
IQUERY simulation.
</p></dd>
<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
<dd><p>
This option is obsolete.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records
it didn't have when constructing the additional
data section of a response. This is now considered a bad
idea and BIND 9 never does it.
</p></dd>
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<dd><p>
When the nameserver exits due to receiving SIGTERM,
flush or do not flush any pending zone writes. The default is
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
<dd><p>
This option was incorrectly implemented
in <span class="acronym">BIND</span> 8, and is ignored by <span class="acronym">BIND</span> 9.
To achieve the intended effect of
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
</p></dd>
<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
<dd><p>
In BIND 8, this enables keeping of
statistics for every host that the name server interacts with.
Not implemented in BIND 9.
</p></dd>
<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
<dd><p>
<span class="emphasis"><em>This option is obsolete</em></span>.
It was used in <span class="acronym">BIND</span> 8 to
determine whether a transaction log was
kept for Incremental Zone Transfer. <span class="acronym">BIND</span> 9 maintains a transaction
log whenever possible. If you need to disable outgoing
incremental zone transfers, use
<span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
The default is <strong class="userinput"><code>no</code></strong>.
</p></dd>
<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
<dd><p>
This option was used in <span class="acronym">BIND</span> 8 to allow
a domain name to have multiple CNAME records in violation of
the DNS standards. <span class="acronym">BIND</span> 9.2 onwards
always strictly enforces the CNAME rules both in master
files and dynamic updates.
</p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd>
<p>
If <strong class="userinput"><code>yes</code></strong> (the default),
DNS NOTIFY messages are sent when a zone the server is
authoritative for changes; see
<a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.
The messages are sent to the
servers listed in the zone's NS records (except the master
server identified in the SOA MNAME field), and to any servers listed in the
<span><strong class="command">also-notify</strong></span> option.
</p>
<p>
If <strong class="userinput"><code>master-only</code></strong>, notifies are only
sent for master zones.
If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
to servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
</p>
<p>
The <span><strong class="command">notify</strong></span> option may also be
specified in the <span><strong class="command">zone</strong></span> statement,
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
It would only be necessary to turn off this option if it
caused slaves to crash.
</p>
</dd>
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, and a
DNS query requests recursion, then the server will attempt
to do all the work required to answer the query. If recursion is
off and the server does not already know the answer, it will
return a referral response. The default is
<strong class="userinput"><code>yes</code></strong>.
Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
clients from getting data from the server's cache; it only
prevents new data from being cached as an effect of client
queries.
Caching may still occur as an effect of the server's internal
operation, such as NOTIFY address lookups.
See also <span><strong class="command">fetch-glue</strong></span> above.
</p></dd>
<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
<dd>
<p>
Setting this to <strong class="userinput"><code>yes</code></strong> will
cause the server to send NS records along with the SOA
record for negative
answers. The default is <strong class="userinput"><code>no</code></strong>.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
Not yet implemented in <span class="acronym">BIND</span> 9.
</p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
<dd><p>
<span class="emphasis"><em>This option is obsolete</em></span>.
<span class="acronym">BIND</span> 9 always allocates query
IDs from a pool.
</p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, the server will collect
statistical data on all zones (unless specifically turned off
on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
in the <span><strong class="command">zone</strong></span> statement).
These statistics may be accessed
using <span><strong class="command">rndc stats</strong></span>, which will
dump them to the file listed
in the <span><strong class="command">statistics-file</strong></span>. See
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
<dd><p>
<span class="emphasis"><em>This option is obsolete</em></span>.
If you need to disable IXFR to a particular server or
servers, see
the information on the <span><strong class="command">provide-ixfr</strong></span> option
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
See also
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">provide-ixfr</strong></span> in
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">request-ixfr</strong></span> in
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
<dd><p>
This option was used in <span class="acronym">BIND</span> 8 to make
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
as a space or tab character,
to facilitate loading of zone files on a UNIX system that
were generated
on an NT or DOS machine. In <span class="acronym">BIND</span> 9, both UNIX "<span><strong class="command">\n</strong></span>"
and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
are always accepted,
and the option is ignored.
</p></dd>
<dt>
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
</dt>
<dd>
<p>
These options control the behavior of an authoritative
server when answering queries which have additional data, or when
following CNAME and DNAME chains.
</p>
<p>
When both of these options are set to <strong class="userinput"><code>yes</code></strong>
(the default) and a
query is being answered from authoritative data (a zone
configured into the server), the additional data section of
the reply will be filled in using data from other authoritative
zones and from the cache. In some situations this is undesirable,
such as when there is concern over the correctness of the cache,
or in servers where slave zones may be added and modified by
untrusted third parties. Also, avoiding
the search for this additional data will speed up server
operations at the possible expense of additional queries to resolve
what would otherwise be provided in the additional section.
</p>
<p>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
if known, even though they are not in the example.com zone.
Setting these options to <span><strong class="command">no</strong></span>
disables this behavior and makes
the server only search for additional data in the zone it
answers from.
</p>
<p>
These options are intended for use in authoritative-only
servers, or in authoritative-only views. Attempts to set
them to <span><strong class="command">no</strong></span> without also
specifying
<span><strong class="command">recursion no</strong></span> will cause the
server to ignore the options and log a warning message.
</p>
<p>
Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
disables the use of the cache not only for additional data
lookups but also when looking up the answer. This is usually the
desired behavior in an authoritative-only server where the
correctness of the cached data is an issue.
</p>
<p>
When a name server is non-recursively queried for a name
that is not below the apex of any served zone, it normally answers with
an "upwards referral" to the root servers or the servers of
some other known parent of the query name. Since the data in an
upwards referral
comes from the cache, the server will not be able to provide
upwards referrals when <span><strong class="command">additional-from-cache no</strong></span>
has been specified. Instead, it will respond to such
queries with REFUSED. This should not cause any problems since
upwards referrals are not required for the resolution
process.
</p>
85d683970b7dc2c4470b2b7d60c3d9dce28c1471Lennart Poettering</dd>
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dd><p>
  If <strong class="userinput"><code>yes</code></strong>, then an
  IPv4-mapped IPv6 address will match any address match
  list entries that match the corresponding IPv4 address.
  Enabling this option is sometimes useful on IPv6-enabled
  Linux
  systems, to work around a kernel quirk that causes IPv4
  TCP connections such as zone transfers to be accepted
  on an IPv6 socket using mapped addresses, causing
  address match lists designed for IPv4 to fail to match.
  The use of this option for any other purpose is discouraged.
  </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd>
<p>
  If 'yes', then when the server loads a new version of a master
  zone from its zone file or receives a new version of a slave
  file by a non-incremental zone transfer, it will compare
  the new version to the previous one and calculate a set
  of differences. The differences are then logged in the
  zone's journal file such that the changes can be transmitted
  to downstream slaves as an incremental zone transfer.
  </p>
<p>
  By allowing incremental zone transfers to be used for
  non-dynamic zones, this option saves bandwidth at the
  expense of increased CPU and memory consumption at the
  master.
  In particular, if the new version of a zone is completely
  different from the previous one, the set of differences
  will be of a size comparable to the combined size of the
  old and new zone version, and the server will need to
  temporarily allocate memory to hold this complete
  difference set.
  </p>
<p><span><strong class="command">ixfr-from-differences</strong></span>
  also accepts <span><strong class="command">master</strong></span> and
  <span><strong class="command">slave</strong></span> at the view and options
  levels, which causes
  <span><strong class="command">ixfr-from-differences</strong></span> to apply to
  all <span><strong class="command">master</strong></span> or
  <span><strong class="command">slave</strong></span> zones respectively.
  </p>
</dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
  This should be set when you have multiple masters for a zone
  and the
  addresses refer to different machines. If 'yes', named will
  not log
  when the serial number on the master is less than what named
  currently
  has. The default is <strong class="userinput"><code>no</code></strong>.
  </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
<dd><p>
  Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
  named behaves as if it does not support DNSSEC.
  The default is <strong class="userinput"><code>yes</code></strong>.
  </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
<dd><p>
  Enable DNSSEC validation in named.
  Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
  set to <strong class="userinput"><code>yes</code></strong> for this option to be effective.
  The default is <strong class="userinput"><code>no</code></strong>.
  </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
<dd><p>
  Accept expired signatures when verifying DNSSEC signatures.
  The default is <strong class="userinput"><code>no</code></strong>.
  </p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
  Specify whether query logging should be started when named
  starts.
  If <span><strong class="command">querylog</strong></span> is not specified,
  then query logging
  is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd>
<p>
  This option is used to restrict the character set and syntax
  of
  certain domain names in master files and/or DNS responses
  received
  from the network. The default varies according to usage
  area. For
  <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
  For <span><strong class="command">slave</strong></span> zones the default
  is <span><strong class="command">warn</strong></span>.
  For answers received from the network (<span><strong class="command">response</strong></span>)
  the default is <span><strong class="command">ignore</strong></span>.
  </p>
<p>
  The rules for legal hostnames or mail domains are derived
  from RFC 952 and RFC 821 as modified by RFC 1123.
  </p>
<p><span><strong class="command">check-names</strong></span>
  applies to the owner names of A, AAAA and MX records.
  It also applies to the domain names in the RDATA of NS, SOA
  and MX records.
  It also applies to the RDATA of PTR records where the owner
  name indicates that it is a reverse lookup of a hostname
  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
  </p>
</dd>
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
<dd><p>
  Check whether the MX record appears to refer to an IP address.
  The default is to <span><strong class="command">warn</strong></span>. Other possible
  values are <span><strong class="command">fail</strong></span> and
  <span><strong class="command">ignore</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
<dd><p>
  This option is used to check for non-terminal wildcards.
  The use of non-terminal wildcards is almost always the
  result of a failure
  to understand the wildcard matching algorithm (RFC 1034).
  This option
  affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
  for non-terminal wildcards and issue a warning.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
<dd><p>
  Perform post-load zone integrity checks on master
  zones. This checks that MX and SRV records refer
  to address (A or AAAA) records and that glue
  address records exist for delegated zones. For
  MX and SRV records, only in-zone hostnames are
  checked (for out-of-zone hostnames use named-checkzone).
  For NS records, only names below the top of the zone are
  checked (for out-of-zone names and glue consistency
  checks use named-checkzone). The default is
  <span><strong class="command">yes</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
<dd><p>
  If <span><strong class="command">check-integrity</strong></span> is set, then
  fail, warn or ignore MX records that refer
  to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
<dd><p>
  If <span><strong class="command">check-integrity</strong></span> is set, then
  fail, warn or ignore SRV records that refer
  to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
<dd><p>
  When performing integrity checks, also check that
  sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
<dd><p>
  When returning authoritative negative responses to
  SOA queries, set the TTL of the SOA record returned in
  the authority section to zero.
  The default is <span><strong class="command">yes</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dd><p>
  When caching a negative response to a SOA query,
  set the TTL to zero.
  The default is <span><strong class="command">no</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
<dd><p>
  When regenerating the RRSIGs following an UPDATE
  request to a secure zone, check the KSK flag on
  the DNSKEY RR to determine if this key should be
  used to generate the RRSIG. This flag is ignored
  if there are not DNSKEY RRs both with and without
  a KSK.
  The default is <span><strong class="command">yes</strong></span>.
  </p></dd>
<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
<dd><p>
  Try to refresh the zone using TCP if UDP queries fail.
  The default is <span><strong class="command">yes</strong></span>.
  </p></dd>
</dl></div>
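<p>
  The following named.conf fragment is an added example, not part of the original manual. It shows the authoritative-only view described under <span><strong class="command">additional-from-cache</strong></span> above beside a recursive view for internal clients. The ACL name, addresses (documentation ranges), zone name and file name are constructed, and <span><strong class="command">additional-from-auth</strong></span> is assumed to be the companion option that "these options" refers to.
  </p>

```conf
// Constructed example: ACL name, addresses, zone and file names are placeholders.
acl "inside" { 192.0.2.0/24; };

// Views are matched in order, so the narrower view comes first.
view "internal" {
    match-clients { "inside"; };
    recursion yes;
    allow-query-cache { "inside"; };   // cache answers only for internal clients
};

// Authoritative-only view for all other clients.
view "external" {
    match-clients { any; };

    recursion no;               // without this, the two options below are
                                // ignored and named logs a warning
    additional-from-auth no;    // additional data only from the answering zone
    additional-from-cache no;   // cache is used neither for additional data nor
                                // for the answer; names outside the served zones
                                // get REFUSED instead of an upwards referral
    allow-query-cache { none; };

    zone "example.com" {
        type master;
        file "external/example.com.db";
        check-names fail;       // the default for master zones, stated explicitly
        check-mx fail;          // stricter than the default (warn)
        check-integrity yes;    // the default; MX/SRV targets and glue are checked
    };
};
```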
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2561272"></a>Forwarding</h4></div></div></div>
<p>
  The forwarding facility can be used to create a large site-wide
  cache on a few servers, reducing traffic over links to external
  name servers. It can also be used to allow queries by servers that
  do not have direct access to the Internet, but wish to look up
  exterior
  names anyway. Forwarding occurs only on those queries for which
  the server is not authoritative and does not have the answer in
  its cache.
  </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
<dd><p>
  This option is only meaningful if the
  forwarders list is not empty. A value of <code class="varname">first</code>,
  the default, causes the server to query the forwarders
  first, and
  if that doesn't answer the question, the server will then
  look for
  the answer itself. If <code class="varname">only</code> is
  specified, the
  server will only query the forwarders.
  </p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
<dd><p>
  Specifies the IP addresses to be used
  for forwarding. The default is the empty list (no
  forwarding).
  </p></dd>
</dl></div>
<p>
  Forwarding can also be configured on a per-domain basis, allowing
  for the global forwarding options to be overridden in a variety
  of ways. You can set particular domains to use different
  forwarders,
  or have a different <span><strong class="command">forward only/first</strong></span> behavior,
  or not forward at all; see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
  Statement Grammar&#8221;</a>.
  </p>
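<p>
  The following named.conf fragment is an added example, not part of the original manual. It shows global forwarding with the three per-domain overrides listed above; all addresses (documentation ranges) and zone names are constructed.
  </p>

```conf
// Constructed example: addresses and zone names are placeholders.
options {
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward first;      // the default: if the forwarders do not answer the
                        // question, the server looks for the answer itself
};

// Different forwarders and a different forward behavior for one domain.
// With "forward only" the server never falls back to its own resolution,
// which suits a host without direct access to the Internet.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 198.51.100.53; };
};

// No forwarding at all for this domain: an empty forwarders list
// overrides the global list set in options.
zone "lab.example" {
    type forward;
    forwarders { };
};
```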
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2561331"></a>Dual-stack Servers</h4></div></div></div>
<p>
  Dual-stack servers are used as servers of last resort to work
  around
  problems in reachability due to the lack of support for either IPv4
  or IPv6
  on the host machine.
  </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
<dd><p>
  Specifies host names or addresses of machines with access to
  both IPv4 and IPv6 transports. If a hostname is used, the
  server must be able
  to resolve the name using only the transport it has. If the
  machine is dual
  stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
  access to a transport has been disabled on the command line
  (e.g. <span><strong class="command">named -4</strong></span>).
  </p></dd>
</dl></div>
</div>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<div class="sect3" lang="en">
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<div class="titlepage"><div><div><h4 class="title">
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<a name="access_control"></a>Access Control</h4></div></div></div>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<p>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering Access to the server can be restricted based on the IP address
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering details on how to specify IP address lists.
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering </p>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<div class="variablelist"><dl>
96ec33c079caacdf9c7cdfb2cad2f1bc48dfca65Lennart Poettering<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering<dd><p>
96ec33c079caacdf9c7cdfb2cad2f1bc48dfca65Lennart Poettering Specifies which hosts are allowed to
96ec33c079caacdf9c7cdfb2cad2f1bc48dfca65Lennart Poettering notify this server, a slave, of zone changes in addition
96ec33c079caacdf9c7cdfb2cad2f1bc48dfca65Lennart Poettering to the zone masters.
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering <span><strong class="command">allow-notify</strong></span> may also be
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering specified in the
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering <span><strong class="command">zone</strong></span> statement, in which case
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering it overrides the
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering <span><strong class="command">options allow-notify</strong></span>
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering statement. It is only meaningful
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering for a slave zone. If not specified, the default is to
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering process notify messages
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering only from a zone's master.
0428ddb729d12563b827510e04663de9cb4056f3Lennart Poettering </p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
<dd>
<p>
        Specifies which hosts are allowed to ask ordinary
        DNS questions. <span><strong class="command">allow-query</strong></span> may
        also be specified in the <span><strong class="command">zone</strong></span>
        statement, in which case it overrides the
        <span><strong class="command">options allow-query</strong></span> statement.
        If not specified, the default is to allow queries from all hosts.
      </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
        <span><strong class="command">allow-query-cache</strong></span> is now
        used to specify access to the cache.
      </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
<dd>
<p>
        Specifies which hosts are allowed to get answers
        from the cache. The default is the built-in ACLs
        <span><strong class="command">localnets</strong></span> and
        <span><strong class="command">localhost</strong></span>.
      </p>
<p>
        Query access to the cache is now set
        via <span><strong class="command">allow-query-cache</strong></span>.
        This differs from earlier versions, which used
        <span><strong class="command">allow-query</strong></span>.
      </p>
</dd>
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
<dd><p>
        Specifies which hosts are allowed to make recursive
        queries through this server. If not specified,
        the default is to allow recursive queries from
        the built-in ACLs <span><strong class="command">localnets</strong></span> and
        <span><strong class="command">localhost</strong></span>.
        Note that disallowing recursive queries for a
        host does not prevent the host from retrieving
        data that is already in the server's cache.
      </p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
<dd><p>
        Specifies which hosts are allowed to
        submit Dynamic DNS updates for master zones. The default is
        to deny updates from all hosts. Note that allowing updates based
        on the requestor's IP address is insecure; see
        <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
      </p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
<dd>
<p>
        Specifies which hosts are allowed to
        submit Dynamic DNS updates to slave zones to be forwarded to
        the master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
        which means that no update forwarding will be performed. To
        enable update forwarding, specify
        <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
        Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
        <strong class="userinput"><code>{ any; }</code></strong> is usually
        counterproductive, since the responsibility for update access
        control should rest with the master server, not the slaves.
      </p>
<p>
        Note that enabling the update forwarding feature on a slave
        server may expose master servers that rely on insecure
        IP-address-based access control to attacks; see
        <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
        for more details.
      </p>
</dd>
<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
<dd><p>
        This option was introduced for the smooth transition from AAAA
        to A6 and from "nibble labels" to binary labels.
        However, since both A6 and binary labels were then deprecated,
        this option was also deprecated.
        It is now ignored with some warning messages.
      </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
<dd><p>
        Specifies which hosts are allowed to
        receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
        also be specified in the <span><strong class="command">zone</strong></span>
        statement, in which case it overrides the
        <span><strong class="command">options allow-transfer</strong></span> statement.
        If not specified, the default is to allow transfers to all hosts.
      </p></dd>
<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
<dd><p>
        Specifies a list of addresses that the
        server will not accept queries from or use to resolve a
        query. Queries from these addresses will not be responded to.
        The default is <strong class="userinput"><code>none</code></strong>.
      </p></dd>
</dl></div>
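<p>
        The defaults and warnings listed above can be checked mechanically.
        The following Python sketch is an added example, not part of this
        manual or of the BIND distribution: it parses a configuration and
        reports zones that fall back to the permissive
        <span><strong class="command">allow-transfer</strong></span> default,
        update ACLs granted by source address, and the other settings the
        entries above caution about. The sample configuration, key names and
        function names are constructed for illustration; views and
        user-defined <span><strong class="command">acl</strong></span> names
        are not resolved.
      </p>

```python
import re

# Constructed sample named.conf, for illustration only.
SAMPLE_CONF = '''
options {
    directory "/var/named";            // no allow-transfer at this level
    allow-recursion { any; };
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { 192.0.2.10; };      # update ACL based on source address
};
zone "example.org" {
    type slave;
    masters { 192.0.2.1; };
    allow-transfer { none; };
    allow-update-forwarding { 192.0.2.0/24; };
};
zone "example.net" {
    type master;
    file "example.net.db";
    allow-transfer { key "xfer-key"; };
    allow-update { key "ddns-key"; };
};
'''

# Comments (/* */, //, #), quoted strings, punctuation, bare words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)
ADDRESS = re.compile(r'(\d|[0-9a-fA-F]*:)')        # looks like an IPv4/IPv6 address or prefix
ADDRESS_ACLS = {'any', 'localhost', 'localnets'}   # built-in ACLs that match by address

def tokenize(text):
    """Split named.conf text into tokens and drop the comments."""
    return [t for t in TOKEN.findall(text) if not t.startswith(('/*', '//', '#'))]

def parse(tokens):
    """Turn a token iterator into statements; a braced block becomes a nested list."""
    stmts, cur = [], []
    for tok in tokens:
        if tok == '{':
            cur.append(parse(tokens))
        elif tok == '}':
            break
        elif tok == ';':
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok)
    return stmts

def find(block, name):
    """Last statement in a block whose first word is `name`, else None."""
    hits = [s for s in block if s[0] == name]
    return hits[-1] if hits else None

def elements(stmt):
    """The address_match_list elements of an ACL statement, as strings."""
    if not stmt or not isinstance(stmt[-1], list):
        return []
    return [' '.join(w for w in e if isinstance(w, str)) for e in stmt[-1]]

def by_address(elems):
    """Elements that grant access by source address rather than by key."""
    return [e for e in elems if e in ADDRESS_ACLS or ADDRESS.match(e)]

def audit(conf_text):
    """Return (scope, option, message) findings; views are not handled."""
    top = parse(iter(tokenize(conf_text)))
    opts = (find(top, 'options') or [[]])[-1]
    findings = []
    if 'any' in elements(find(opts, 'allow-recursion')):
        findings.append(('options', 'allow-recursion',
                         'recursion open to all hosts (default: localnets, localhost)'))
    for zone in (s for s in top if s[0] == 'zone'):
        scope, body = 'zone ' + zone[1].strip('"'), zone[-1]
        def effective(name):          # the zone statement overrides options
            return find(body, name) or find(opts, name)
        xfer = effective('allow-transfer')
        if xfer is None:
            findings.append((scope, 'allow-transfer', 'not set: transfers allowed to all hosts'))
        elif 'any' in elements(xfer):
            findings.append((scope, 'allow-transfer', 'transfers allowed to all hosts'))
        addrs = by_address(elements(effective('allow-update')))
        if addrs:
            findings.append((scope, 'allow-update',
                             'update access by source address: ' + ', '.join(addrs)))
        fwd = effective('allow-update-forwarding')
        if fwd and elements(fwd) not in (['none'], ['any']):
            findings.append((scope, 'allow-update-forwarding',
                             'other than { none; } or { any; }: leave update ACLs to the master'))
    return findings
```

<p>
        Calling <code class="literal">audit(SAMPLE_CONF)</code> returns four findings
        for the constructed sample; the <code class="literal">example.net</code> zone,
        which uses keys for both transfers and updates, produces none.
      </p>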
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2561670"></a>Interfaces</h4></div></div></div>
<p>
      The interfaces and ports that the server will answer queries
      from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
      an optional port, and an <code class="varname">address_match_list</code>.
      The server will listen on all interfaces allowed by the address
      match list. If a port is not specified, port 53 will be used.
    </p>
<p>
      Multiple <span><strong class="command">listen-on</strong></span> statements are
      allowed. For example,
    </p>
<pre class="programlisting">listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
</pre>
<p>
      will enable the name server on port 53 for the IP address
      5.6.7.8, and on port 1234 of an address on the machine in net
      1.2 that is not 1.2.3.4.
    </p>
<p>
      If no <span><strong class="command">listen-on</strong></span> is specified, the
      server will listen on port 53 on all interfaces.
    </p>
<p>
      The <span><strong class="command">listen-on-v6</strong></span> option is used to
      specify the interfaces and the ports on which the server will
      listen for incoming queries sent using IPv6.
    </p>
<p>
      When <strong class="userinput"><code>{ any; }</code></strong> is specified
      as the <code class="varname">address_match_list</code> for the
      <span><strong class="command">listen-on-v6</strong></span> option,
      the server does not bind a separate socket to each IPv6 interface
      address as it does for IPv4 if the operating system has enough API
      support for IPv6 (specifically if it conforms to RFC 3493 and RFC
      3542).
      Instead, it listens on the IPv6 wildcard address.
      If the system only has incomplete API support for IPv6, however,
      the behavior is the same as that for IPv4.
    </p>
<p>
      A list of particular IPv6 addresses can also be specified, in
      which case the server listens on a separate socket for each
      specified address,
      regardless of whether the desired API is supported by the system.
    </p>
<p>
      Multiple <span><strong class="command">listen-on-v6</strong></span> options can
      be used. For example,
    </p>
<pre class="programlisting">listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
</pre>
<p>
      will enable the name server on port 53 for any IPv6 addresses
      (with a single wildcard socket),
      and on port 1234 of IPv6 addresses that are not in the prefix
      2001:db8::/32 (with separate sockets for each matched address).
    </p>
<p>
      To make the server not listen on any IPv6 address, use
    </p>
<pre class="programlisting">listen-on-v6 { none; };
</pre>
<p>
      If no <span><strong class="command">listen-on-v6</strong></span> option is
      specified,
      the server will not listen on any IPv6 address.
    </p>
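<p>
      How the two examples above resolve against the addresses configured on a
      host, as an added example that is not part of this manual or of the BIND
      distribution. It assumes the first-match evaluation of an
      <code class="varname">address_match_list</code> (the first element that
      matches decides, and a leading <code class="literal">!</code> negates it);
      the function names and the list of local addresses are constructed for
      illustration.
    </p>

```python
import ipaddress

# Constructed list of addresses configured on the host.
LOCAL = ['127.0.0.1', '5.6.7.8', '1.2.3.4', '1.2.9.9',
         '::1', '2001:db8::53', 'fd00::53']

# The statements from the examples above, as (option, port, address_match_list).
PAGE_V4 = [('listen-on', 53, ['5.6.7.8']),
           ('listen-on', 1234, ['!1.2.3.4', '1.2/16'])]
PAGE_V6 = [('listen-on-v6', 53, ['any']),
           ('listen-on-v6', 1234, ['!2001:db8::/32', 'any'])]


def to_network(text):
    """Parse an address or prefix. named.conf allows trailing zero octets of
    an IPv4 prefix to be omitted (1.2/16); ipaddress needs all four."""
    addr, _, length = text.partition('/')
    if ':' not in addr:
        addr = '.'.join((addr.split('.') + ['0'] * 3)[:4])
    return ipaddress.ip_network(addr + ('/' + length if length else ''), strict=False)


def allowed(addr, match_list):
    """First matching element decides; '!' negates; no match means not allowed.
    Only addresses, prefixes, any and none are handled here."""
    ip = ipaddress.ip_address(addr)
    for elem in match_list:
        negated = elem.startswith('!')
        target = elem.lstrip('!').strip()
        if target == 'none':            # matches no host, so it never decides
            continue
        if target == 'any':
            return not negated
        net = to_network(target)
        if net.version == ip.version and ip in net:
            return not negated
    return False


def reachable(statements, local_addrs):
    """Sorted (address, port) pairs on which the server answers. This lists
    addresses, not sockets: for listen-on-v6 { any; } a single wildcard socket
    may serve all of them, as described above."""
    out = set()
    for option, port, match_list in statements:
        version = 6 if option == 'listen-on-v6' else 4
        for addr in local_addrs:
            if ipaddress.ip_address(addr).version == version and allowed(addr, match_list):
                out.add((addr, port))
    return sorted(out)
```

<p>
      Order matters under first-match evaluation: with the elements reversed,
      <code class="literal">allowed('1.2.3.4', ['1.2/16', '!1.2.3.4'])</code>
      returns <code class="literal">True</code>, because the broader prefix
      matches before the negated address is reached.
    </p>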
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2561827"></a>Query Address</h4></div></div></div>
<p>
      If the server doesn't know the answer to a question, it will
      query other name servers. <span><strong class="command">query-source</strong></span> specifies
      the address and port used for such queries. For queries sent over
      IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
      If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
      a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
      will be used.
      If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
      a random unprivileged port will be used. <span><strong class="command">avoid-v4-udp-ports</strong></span>
      and <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
      to prevent named from selecting certain ports. The defaults are
    </p>
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
        The address specified in the <span><strong class="command">query-source</strong></span> option
        is used for both UDP and TCP queries, but the port applies only
        to UDP queries. TCP queries always use a random
        unprivileged port.
      </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
        Solaris 2.5.1 and earlier do not support setting the source
        address for TCP sockets.
      </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
        See also <span><strong class="command">transfer-source</strong></span> and
        <span><strong class="command">notify-source</strong></span>.
      </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
<p>
      <span class="acronym">BIND</span> has mechanisms in place to
      facilitate zone transfers
      and set limits on the amount of load that transfers place on the
      system. The following options apply to zone transfers.
    </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
<dd><p>
        Defines a global list of IP addresses of name servers
        that are also sent NOTIFY messages whenever a fresh copy of
        the zone is loaded, in addition to the servers listed in the
        zone's NS records.
        This helps to ensure that copies of the zones will
        quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
        is given in a <span><strong class="command">zone</strong></span> statement,
        it will override
        the <span><strong class="command">options also-notify</strong></span>
        statement. When a <span><strong class="command">zone notify</strong></span>
        statement
        is set to <span><strong class="command">no</strong></span>, the IP
        addresses in the global <span><strong class="command">also-notify</strong></span> list will
        not be sent NOTIFY messages for that zone. The default is
        the empty list (no global notification list).
      </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dd><p>
        Inbound zone transfers running longer than
        this many minutes will be terminated. The default is 120
        minutes (2 hours). The maximum value is 28 days (40320 minutes).
      </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dd><p>
        Inbound zone transfers making no progress
        in this many minutes will be terminated. The default is 60
        minutes (1 hour). The maximum value is 28 days (40320 minutes).
      </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dd><p>
        Outbound zone transfers running longer than
        this many minutes will be terminated. The default is 120
        minutes (2 hours). The maximum value is 28 days (40320 minutes).
      </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dd><p>
        Outbound zone transfers making no progress
        in this many minutes will be terminated. The default is 60
        minutes (1 hour). The maximum value is 28 days (40320 minutes).
      </p></dd>
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
<dd><p>
        Slave servers will periodically query master servers
        to find out if zone serial numbers have changed. Each such
        query uses a minute amount of the slave server's network
        bandwidth. To limit the amount of bandwidth used, BIND 9
        limits the rate at which queries are
        sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
        an integer, is the maximum number of queries sent per second.
        The default is 20.
      </p></dd>
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
<dd><p>
        In BIND 8, the <span><strong class="command">serial-queries</strong></span>
        option
        set the maximum number of concurrent serial number queries
        allowed to be outstanding at any given time.
        BIND 9 does not limit the number of outstanding
        serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
        Instead, it limits the rate at which the queries are sent
        as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
      </p></dd>
<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
<dd><p>
        Zone transfers can be sent using two different formats,
        <span><strong class="command">one-answer</strong></span> and
        <span><strong class="command">many-answers</strong></span>.
        The <span><strong class="command">transfer-format</strong></span> option is used
        on the master server to determine which format it sends.
        <span><strong class="command">one-answer</strong></span> uses one DNS message per
        resource record transferred.
        <span><strong class="command">many-answers</strong></span> packs as many resource
        records as possible into a message.
        <span><strong class="command">many-answers</strong></span> is more efficient, but is
        only supported by relatively new slave servers,
        such as <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span>
        8.x and <span class="acronym">BIND</span> 4.9.5 onwards.
        The <span><strong class="command">many-answers</strong></span> format is also supported by
        recent Microsoft Windows nameservers.
        The default is <span><strong class="command">many-answers</strong></span>.
        <span><strong class="command">transfer-format</strong></span> may be overridden on a
        per-server basis by using the <span><strong class="command">server</strong></span>
        statement.
      </p></dd>
<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
<dd><p>
    The maximum number of inbound zone transfers
    that can be running concurrently. The default value is <code class="literal">10</code>.
    Increasing <span><strong class="command">transfers-in</strong></span> may
    speed up the convergence of slave zones, but it also may
    increase the load on the local system.
  </p></dd>
<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
<dd><p>
    The maximum number of outbound zone transfers
    that can be running concurrently. Zone transfer requests in
    excess of the limit will be refused.
    The default value is <code class="literal">10</code>.
  </p></dd>
<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
<dd><p>
    The maximum number of inbound zone transfers
    that can be concurrently transferring from a given remote
    name server.
    The default value is <code class="literal">2</code>.
    Increasing <span><strong class="command">transfers-per-ns</strong></span>
    may speed up the convergence of slave zones, but it also may
    increase the load on the remote name server.
    <span><strong class="command">transfers-per-ns</strong></span> may
    be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
    of the <span><strong class="command">server</strong></span> statement.
  </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
<dd>
<p><span><strong class="command">transfer-source</strong></span>
    determines which local address will be bound to IPv4
    TCP connections used to fetch zones transferred
    inbound by the server. It also determines the
    source IPv4 address, and optionally the UDP port,
    used for the refresh queries and forwarded dynamic
    updates. If not set, it defaults to a system
    controlled value which will usually be the address
    of the interface "closest to" the remote end. This
    address must appear in the remote end's
    <span><strong class="command">allow-transfer</strong></span> option for the
    zone being transferred, if one is specified. This
    statement sets the
    <span><strong class="command">transfer-source</strong></span> for all zones,
    but can be overridden on a per-view or per-zone
    basis by including a
    <span><strong class="command">transfer-source</strong></span> statement within
    the <span><strong class="command">view</strong></span> or
    <span><strong class="command">zone</strong></span> block in the configuration
    file.
  </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    Solaris 2.5.1 and earlier do not support setting the
    source address for TCP sockets.
  </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
<dd><p>
    The same as <span><strong class="command">transfer-source</strong></span>,
    except zone transfers are performed using IPv6.
  </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dd>
<p>
    An alternate transfer source if the one listed in
    <span><strong class="command">transfer-source</strong></span> fails and
    <span><strong class="command">use-alt-transfer-source</strong></span> is
    set.
  </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
    If you do not wish the alternate transfer source
    to be used, you should set
    <span><strong class="command">use-alt-transfer-source</strong></span>
    appropriately and you should not depend upon
    getting an answer back to the first refresh
    query.
  </div>
</dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dd><p>
    An alternate transfer source if the one listed in
    <span><strong class="command">transfer-source-v6</strong></span> fails and
    <span><strong class="command">use-alt-transfer-source</strong></span> is
    set.
  </p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<dd><p>
    Whether to use the alternate transfer sources. If views are
    specified, this defaults to <span><strong class="command">no</strong></span>;
    otherwise it defaults to
    <span><strong class="command">yes</strong></span> (for BIND 8
    compatibility).
  </p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<dd>
<p><span><strong class="command">notify-source</strong></span>
    determines which local source address, and
    optionally UDP port, will be used to send NOTIFY
    messages. This address must appear in the slave
    server's <span><strong class="command">masters</strong></span> zone clause or
    in an <span><strong class="command">allow-notify</strong></span> clause. This
    statement sets the <span><strong class="command">notify-source</strong></span>
    for all zones, but can be overridden on a per-zone or
    per-view basis by including a
    <span><strong class="command">notify-source</strong></span> statement within
    the <span><strong class="command">zone</strong></span> or
    <span><strong class="command">view</strong></span> block in the configuration
    file.
  </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    Solaris 2.5.1 and earlier do not support setting the
    source address for TCP sockets.
  </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
<dd><p>
    Like <span><strong class="command">notify-source</strong></span>,
    but applies to notify messages sent to IPv6 addresses.
  </p></dd>
</dl></div>
</div>
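The address requirements stated above for transfer-source and notify-source can be checked before a change is deployed. The following is an added example, not part of the BIND manual or its source: it reads two constructed named.conf snippets and reports a source address that the other side would not accept. It assumes one zone per snippet and literal addresses or prefixes in the lists; ACL names, keys and negated elements are skipped, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample snippets (not from the BIND manual); the addresses are
# RFC 5737 documentation addresses.
MASTER_CONF = """
options { notify-source 192.0.2.1; };
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { 192.0.2.53; 198.51.100.0/24; };
};
"""

SLAVE_CONF = """
options { transfer-source 192.0.2.54; };
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.com.db";
};
"""


def source_address(conf, option):
    """Address set by e.g. 'transfer-source 192.0.2.54 port 53;'.

    Returns None when the option is absent or set to '*', because the
    operating system then chooses the address and nothing can be checked.
    The lookbehind keeps 'transfer-source' from matching inside
    'alt-transfer-source' or 'use-alt-transfer-source'.
    """
    m = re.search(r"(?<![\w-])" + re.escape(option) + r"\s+([^\s;]+)", conf)
    if not m or m.group(1) == "*":
        return None
    return ipaddress.ip_address(m.group(1))


def address_list(conf, option):
    """Networks named in 'option { a; b/len; };', or None when absent."""
    m = re.search(r"(?<![\w-])" + re.escape(option) + r"\b[^{};]*\{([^{}]*)\}", conf)
    if not m:
        return None
    nets = []
    for element in m.group(1).split(";"):
        words = element.split()
        token = words[0] if words else ""
        if token == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # ACL name, key, negation or empty element: not evaluated
    return nets


def covered(addr, nets):
    return any(addr in net for net in nets)


def check_pair(master_conf, slave_conf):
    """Return a list of findings for one master/slave pair of snippets."""
    findings = []

    # The slave's transfer-source must appear in the master's allow-transfer
    # list, if the master specifies one.
    src = source_address(slave_conf, "transfer-source")
    allowed = address_list(master_conf, "allow-transfer")
    if src is not None and allowed is not None and not covered(src, allowed):
        findings.append(
            f"transfer-source {src} is not in the master's allow-transfer list"
        )

    # The master's notify-source must appear in the slave's masters clause
    # or in an allow-notify clause.
    nsrc = source_address(master_conf, "notify-source")
    accepted = (address_list(slave_conf, "masters") or []) + (
        address_list(slave_conf, "allow-notify") or []
    )
    if nsrc is not None and not covered(nsrc, accepted):
        findings.append(
            f"notify-source {nsrc} is not in the slave's masters or allow-notify list"
        )
    return findings


if __name__ == "__main__":
    for finding in check_pair(MASTER_CONF, SLAVE_CONF):
        print(finding)
```

With the sample snippets the slave binds 192.0.2.54, which the master's allow-transfer list does not contain, so the transfer would be refused while NOTIFY messages from 192.0.2.1 are still accepted.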
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2562710"></a>Bad UDP Port Lists</h4></div></div></div>
<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
    and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
    of IPv4 and IPv6 UDP ports that will not be used as system
    assigned source ports for UDP sockets. These lists
    prevent named from choosing as its random source port a
    port that is blocked by your firewall. If a query went
    out with such a source port, the answer would not get by
    the firewall and the name server would have to query
    again.
  </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2562725"></a>Operating System Resource Limits</h4></div></div></div>
<p>
    The server's usage of many system resources can be limited.
    Scaled values are allowed when specifying resource limits. For
    example, <span><strong class="command">1G</strong></span> can be used instead of
    <span><strong class="command">1073741824</strong></span> to specify a limit of
    one gigabyte. <span><strong class="command">unlimited</strong></span> requests
    unlimited use, or the maximum available amount.
    <span><strong class="command">default</strong></span> uses the limit
    that was in force when the server was started. See the description
    of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
  </p>
<p>
    The following options set operating system resource limits for
    the name server process. Some operating systems don't support
    some or any of the limits. On such systems, a warning will be
    issued if the unsupported limit is used.
  </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
<dd><p>
    The maximum size of a core dump. The default
    is <code class="literal">default</code>.
  </p></dd>
<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
<dd><p>
    The maximum amount of data memory the server
    may use. The default is <code class="literal">default</code>.
    This is a hard limit on server memory usage.
    If the server attempts to allocate memory in excess of this
    limit, the allocation will fail, which may in turn leave
    the server unable to perform DNS service. Therefore,
    this option is rarely useful as a way of limiting the
    amount of memory used by the server, but it can be used
    to raise an operating system data size limit that is
    too small by default. If you wish to limit the amount
    of memory used by the server, use the
    <span><strong class="command">max-cache-size</strong></span> and
    <span><strong class="command">recursive-clients</strong></span>
    options instead.
  </p></dd>
<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
<dd><p>
    The maximum number of files the server
    may have open concurrently. The default is <code class="literal">unlimited</code>.
  </p></dd>
<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
<dd><p>
    The maximum amount of stack memory the server
    may use. The default is <code class="literal">default</code>.
  </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2562977"></a>Server Resource Limits</h4></div></div></div>
<p>
    The following options set limits on the server's
    resource consumption that are enforced internally by the
    server rather than the operating system.
  </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
<dd><p>
    This option is obsolete; it is accepted
    and ignored for BIND 8 compatibility. The option
    <span><strong class="command">max-journal-size</strong></span> performs a
    similar function in BIND 9.
  </p></dd>
<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
<dd><p>
    Sets a maximum size for each journal file
    (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file
    approaches the specified size, some of the oldest transactions
    in the journal will be automatically removed. The default is
    <code class="literal">unlimited</code>.
  </p></dd>
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<dd><p>
    In BIND 8, specifies the maximum number of host statistic
    entries to be kept.
    Not implemented in BIND 9.
  </p></dd>
<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
<dd><p>
    The maximum number of simultaneous recursive lookups
    the server will perform on behalf of clients. The default
    is <code class="literal">1000</code>. Because each recursing
    client uses a fair bit of memory, on the order of 20 kilobytes,
    the value of the
    <span><strong class="command">recursive-clients</strong></span> option may
    have to be decreased on hosts with limited memory.
  </p></dd>
<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
<dd><p>
    The maximum number of simultaneous client TCP
    connections that the server will accept.
    The default is <code class="literal">100</code>.
  </p></dd>
<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
<dd><p>
    The maximum amount of memory to use for the
    server's cache, in bytes. When the amount of data in the
    cache reaches this limit, the server will cause records to
    expire prematurely so that the limit is not exceeded. In a
    server with multiple views, the limit applies separately to
    the cache of each view.
    The default is <code class="literal">unlimited</code>, meaning that
    records are purged from the cache only when their TTLs
    expire.
  </p></dd>
<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
<dd><p>
    The listen queue depth. The default and minimum is 3.
    If the kernel supports the accept filter "dataready", this
    also controls how many TCP connections will be queued in
    kernel space waiting for some data before being passed to
    accept. Values less than 3 will be silently raised.
  </p></dd>
</dl></div>
</div>
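The interaction between datasize, max-cache-size and recursive-clients described in the two sections above can be turned into a small memory-budget check. This is an added example, not code from BIND: it parses size_spec values, applies the roughly 20 kilobytes per recursing client quoted above, and multiplies the cache limit by the number of views. The sample option blocks are constructed, the function names are hypothetical, and case-insensitive K, M and G suffixes are assumed for size_spec.

```python
import re

SCALE = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
PER_RECURSIVE_CLIENT = 20 * 1024  # "on the order of 20 kilobytes" per client
DEFAULTS = {  # defaults as stated in the text above
    "recursive-clients": "1000",
    "max-cache-size": "unlimited",
    "datasize": "default",
}

# Constructed sample option blocks (values chosen for illustration only).
WEAK_CONF = """
options {
    recursive-clients 5000;
    max-cache-size unlimited;
    datasize 256M;
};
"""

BOUNDED_CONF = """
options {
    recursive-clients 1000;
    max-cache-size 64M;
};
"""


def parse_size_spec(text):
    """Return a byte count, or the keyword 'unlimited' or 'default'."""
    word = text.strip().lower()
    if word in ("unlimited", "default"):
        return word
    m = re.fullmatch(r"(\d+)([kmg]?)", word)
    if not m:
        raise ValueError(f"not a size_spec: {text!r}")
    return int(m.group(1)) * SCALE[m.group(2)]


def read_options(conf):
    """Pick the three options of interest out of simple 'name value;' lines."""
    opts = dict(DEFAULTS)
    for name, value in re.findall(
        r"(?<![\w-])([a-z][a-z-]*)\s+([^\s;{}]+)\s*;", conf
    ):
        if name in opts:
            opts[name] = value
    return opts


def audit(conf, views=1):
    """Estimate memory bounded by the server's own limits and list findings."""
    opts = read_options(conf)
    recursion = int(opts["recursive-clients"]) * PER_RECURSIVE_CLIENT
    cache = parse_size_spec(opts["max-cache-size"])
    data = parse_size_spec(opts["datasize"])
    findings = []

    bounded = isinstance(cache, int)
    # The cache limit applies separately to the cache of each view.
    budget = recursion + cache * views if bounded else None
    if not bounded:
        findings.append(
            "max-cache-size is unlimited: records leave the cache only when "
            "their TTLs expire"
        )
    if isinstance(data, int):
        # datasize is a hard limit: allocations beyond it fail.
        if not bounded:
            findings.append(
                f"datasize {data} is a hard limit but the cache is unbounded; "
                "allocations fail once it is reached"
            )
        elif budget > data:
            findings.append(
                f"recursion plus cache ({budget} bytes) exceeds datasize {data}"
            )
    return {"recursion_bytes": recursion, "budget_bytes": budget, "findings": findings}


if __name__ == "__main__":
    for conf in (WEAK_CONF, BOUNDED_CONF):
        print(audit(conf, views=2))
```

The budget covers only the two limits the server enforces itself; zone data and other allocations are not included in the estimate.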
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2563178"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
<dd><p>
    The server will remove expired resource records
    from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
    The default is 60 minutes. The maximum value is 28 days
    (40320 minutes).
    If set to 0, no periodic cleaning will occur.
  </p></dd>
<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
<dd><p>
    The server will perform zone maintenance tasks
    for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
    interval expires. The default is 60 minutes. Reasonable
    values are up to 1 day (1440 minutes). The maximum value
    is 28 days (40320 minutes).
    If set to 0, no zone maintenance for these zones will occur.
  </p></dd>
<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
<dd><p>
    The server will scan the network interface list
    every <span><strong class="command">interface-interval</strong></span>
    minutes. The default
    is 60 minutes. The maximum value is 28 days (40320 minutes).
    If set to 0, interface scanning will only occur when
    the configuration file is loaded. After the scan, the
    server will begin listening for queries on any newly discovered
    interfaces (provided they are allowed by the
    <span><strong class="command">listen-on</strong></span> configuration), and
    will stop listening on interfaces that have gone away.
  </p></dd>
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
<dd>
<p>
    Name server statistics will be logged
    every <span><strong class="command">statistics-interval</strong></span>
    minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes).
    If set to 0, no statistics will be logged.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    Not yet implemented in
    <span class="acronym">BIND</span> 9.
</p>
</div>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="topology"></a>Topology</h4></div></div></div>
<p>
    All other things being equal, when the server chooses a name
    server to query from a list of name servers, it prefers the one that is
    topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
    takes an <span><strong class="command">address_match_list</strong></span> and
    interprets it in a special way. Each top-level list element is assigned a
    distance.
    Non-negated elements get a distance based on their position in the
    list, where the closer the match is to the start of the list, the
    shorter the distance is between it and the server. A negated match
    will be assigned the maximum distance from the server. If there
    is no match, the address will get a distance which is further than
    any non-negated list element, and closer than any negated element.
    For example,
</p>
<pre class="programlisting">topology {
    10/8;
    !1.2.3/24;
    { 1.2/16; 3/8; };
};</pre>
<p>
    will prefer servers on network 10 the most, followed by hosts
    on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
    exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
    is preferred least of all.
</p>
<p>
    The default topology is
</p>
<pre class="programlisting">    topology { localhost; localnets; };
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    The <span><strong class="command">topology</strong></span> option
    is not implemented in <span class="acronym">BIND</span> 9.
</p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
<p>
    The response to a DNS query may consist of multiple resource
    records (RRs) forming a resource record set (RRset).
    The name server will normally return the
    RRs within the RRset in an indeterminate order
    (but see the <span><strong class="command">rrset-order</strong></span>
    statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
    The client resolver code should rearrange the RRs as appropriate,
    that is, using any addresses on the local net in preference to
    other addresses.
    However, not all resolvers can do this or are correctly
    configured.
    When a client is using a local server, the sorting can be performed
    in the server, based on the client's address. This only requires
    configuring the name servers, not all the clients.
</p>
<p>
    The <span><strong class="command">sortlist</strong></span> statement (see below)
    takes an <span><strong class="command">address_match_list</strong></span> and
    interprets it even more specifically than the <span><strong class="command">topology</strong></span>
    statement does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
    Each top-level statement in the <span><strong class="command">sortlist</strong></span> must
    itself be an explicit <span><strong class="command">address_match_list</strong></span> with
    one or two elements. The first element (which may be an IP
    address, an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
    of each top-level list is checked against the source address of
    the query until a match is found.
</p>
<p>
    Once the source address of the query has been matched, if
    the top-level statement contains only one element, the actual
    primitive element that matched the source address is used to select the
    address in the response to move to the beginning of the response. If the
    statement is a list of two elements, then the second element is
    treated the same as the <span><strong class="command">address_match_list</strong></span> in
    a <span><strong class="command">topology</strong></span> statement. Each top-level
    element is assigned a distance, and the address in the response with the
    minimum distance is moved to the beginning of the response.
</p>
<p>
    In the following example, any queries received from any of
    the addresses of the host itself will get responses preferring
    addresses on any of the locally connected networks. Next most preferred are
    addresses on the 192.168.1/24 network, and after that either the
    192.168.2/24 or 192.168.3/24 network with no preference shown between these two
    networks. Queries received from a host on the 192.168.1/24 network
    will prefer other addresses on that network to the 192.168.2/24
    and 192.168.3/24 networks. Queries received from a host on the
    192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on
    their directly connected networks.
</p>
<pre class="programlisting">sortlist {
    { localhost;                                   // IF the local host
        { localnets;                               // THEN first fit on the
            192.168.1/24;                          // following nets
            { 192.168.2/24; 192.168.3/24; }; }; };
    { 192.168.1/24;                                // IF on class C 192.168.1
        { 192.168.1/24;                            // THEN use .1, or .2 or .3
            { 192.168.2/24; 192.168.3/24; }; }; };
    { 192.168.2/24;                                // IF on class C 192.168.2
        { 192.168.2/24;                            // THEN use .2, or .1 or .3
            { 192.168.1/24; 192.168.3/24; }; }; };
    { 192.168.3/24;                                // IF on class C 192.168.3
        { 192.168.3/24;                            // THEN use .3, or .1 or .2
            { 192.168.1/24; 192.168.2/24; }; }; };
    { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
    };
};</pre>
<p>
    The following example will give reasonable behavior for the
    local host and hosts on directly connected networks. It is similar
    to the behavior of the address sort in <span class="acronym">BIND</span> 4.9.x. Responses sent
    to queries from the local host will favor any of the directly
    connected networks. Responses sent to queries from any other hosts on a
    directly connected network will prefer addresses on that same network.
    Responses to other queries will not be sorted.
</p>
<pre class="programlisting">sortlist {
    { localhost; localnets; };
    { localnets; };
};
</pre>
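<p>
    The distance rule from the Topology section and the sortlist matching described above can be traced with the following added example, which is not part of the BIND documentation or source. It encodes the page's topology example and first sortlist example as nested Python lists and applies a stable sort by distance (an assumption that keeps the closest address first); the function names, the <code>ACLS</code> contents standing in for <code>localhost</code> and <code>localnets</code>, and the answer addresses are constructed for illustration.
</p>

```python
import ipaddress

# Constructed values for this example: the built-in ACLs of a hypothetical
# server whose only non-loopback interface is 192.168.9.1/24.
ACLS = {
    "localhost": ["127.0.0.1", "192.168.9.1"],
    "localnets": ["127/8", "192.168.9/24"],
}

# The topology example from the page.
TOPOLOGY = ["10/8", "!1.2.3/24", ["1.2/16", "3/8"]]

# The first sortlist example from the page: each statement has one or two elements.
SORTLIST = [
    ["localhost", ["localnets", "192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.1/24", ["192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.2/24", ["192.168.2/24", ["192.168.1/24", "192.168.3/24"]]],
    ["192.168.3/24", ["192.168.3/24", ["192.168.1/24", "192.168.2/24"]]],
    [["192.168.4/24", "192.168.5/24"]],
]

# Constructed RRset (A record addresses in the order they would be sent unsorted).
ANSWERS = ["203.0.113.7", "192.168.5.10", "192.168.3.10",
           "192.168.2.10", "192.168.1.10", "192.168.9.10"]


def parse_prefix(text):
    """Expand the short prefix form ("10/8", "1.2.3/24") or a bare address."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"))


def primitives(element, acls, negated=False):
    """Yield (network, negated) for every primitive inside an element, in order."""
    if isinstance(element, list):
        for sub in element:
            yield from primitives(sub, acls, negated)
    elif element.startswith("!"):
        yield from primitives(element[1:], acls, not negated)
    elif element in acls:
        yield from primitives(acls[element], acls, negated)
    else:
        yield parse_prefix(element), negated


def first_match(addr, element, acls):
    """Return the first primitive that contains addr, or None."""
    for net, negated in primitives(element, acls):
        if addr in net:
            return net, negated
    return None


def topology_distance(address, match_list, acls=ACLS):
    """Distance of an address under the topology rules described above."""
    addr = ipaddress.ip_address(address)
    for position, element in enumerate(match_list):
        hit = first_match(addr, element, acls)
        if hit is not None:
            # A negated match is the farthest; otherwise list position decides.
            return len(match_list) + 1 if hit[1] else position
    # No match: beyond every non-negated element, nearer than a negated one.
    return len(match_list)


def sort_response(client, answers, sortlist=SORTLIST, acls=ACLS):
    """Reorder answers for the query source address `client`."""
    source = ipaddress.ip_address(client)
    for statement in sortlist:
        hit = first_match(source, statement[0], acls)
        if hit is None or hit[1]:
            continue  # source not matched by this statement's first element
        if len(statement) == 1:
            # One element: prefer answers inside the primitive that matched.
            matched_net = hit[0]
            return sorted(answers,
                          key=lambda a: ipaddress.ip_address(a) not in matched_net)
        # Two elements: the second is ranked like a topology list.
        second = statement[1] if isinstance(statement[1], list) else [statement[1]]
        return sorted(answers, key=lambda a: topology_distance(a, second, acls))
    return list(answers)  # no statement matched: leave the order alone


if __name__ == "__main__":
    for client in ("192.168.9.1", "192.168.2.77", "192.168.5.9", "198.51.100.1"):
        print(client, "->", sort_response(client, ANSWERS))
```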
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
<p>
    When multiple records are returned in an answer it may be
    useful to configure the order of the records placed into the
    response.
    The <span><strong class="command">rrset-order</strong></span> statement permits
    configuration of the ordering of the records in a multiple record response.
    See also the <span><strong class="command">sortlist</strong></span> statement,
    <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
</p>
<p>
    An <span><strong class="command">order_spec</strong></span> is defined as
    follows:
</p>
<p>
    [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
    [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
    [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
    order <em class="replaceable"><code>ordering</code></em>
</p>
<p>
    If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
    If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
    If no name is specified, the default is "<span><strong class="command">*</strong></span>".
</p>
<p>
    The legal values for <span><strong class="command">ordering</strong></span> are:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
    <p><span><strong class="command">fixed</strong></span></p>
</td>
<td>
    <p>
        Records are returned in the order they
        are defined in the zone file.
    </p>
</td>
</tr>
<tr>
<td>
    <p><span><strong class="command">random</strong></span></p>
</td>
<td>
    <p>
        Records are returned in some random order.
    </p>
</td>
</tr>
<tr>
<td>
    <p><span><strong class="command">cyclic</strong></span></p>
</td>
<td>
    <p>
        Records are returned in a round-robin
        order.
    </p>
</td>
</tr>
</tbody>
</table></div>
<p>
    For example:
</p>
<pre class="programlisting">rrset-order {
    class IN type A name "host.example.com" order random;
    order cyclic;
};
</pre>
<p>
    will cause any responses for type A records in class IN that
    have "<code class="literal">host.example.com</code>" as a
    suffix to always be returned
    in random order. All other records are returned in cyclic order.
</p>
<p>
    If multiple <span><strong class="command">rrset-order</strong></span> statements
    appear, they are not combined &#8212; the last one applies.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    The <span><strong class="command">rrset-order</strong></span> statement
    is not yet fully implemented in <span class="acronym">BIND</span> 9.
    BIND 9 currently does not fully support "fixed" ordering.
</p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="tuning"></a>Tuning</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
<dd><p>
    Sets the number of seconds to cache a
    lame server indication. 0 disables caching. (This is
    <span class="bold"><strong>NOT</strong></span> recommended.)
    Default is <code class="literal">600</code> (10 minutes).
    Maximum value is
    <code class="literal">1800</code> (30 minutes).
</p></dd>
<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
<dd><p>
    To reduce network traffic and increase performance,
    the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
    used to set a maximum retention time, in seconds, for these answers in
    the server. The default
    <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
    <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
    7 days and will
    be silently truncated to 7 days if set to a greater value.
</p></dd>
<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
<dd><p>
    Sets the maximum time for which the server will
    cache ordinary (positive) answers. The default is
    one week (7 days).
</p></dd>
<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
<dd>
<p>
    The minimum number of root servers that
    are required for a request for the root servers to be
    accepted. Default
    is <strong class="userinput"><code>2</code></strong>.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
    Not implemented in <span class="acronym">BIND</span> 9.
</p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<dd><p>
    Specifies the number of days into the
    future when DNSSEC signatures automatically generated as a
    result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
    will expire. The default is <code class="literal">30</code> days.
    The maximum value is 10 years (3660 days). The signature
    inception time is unconditionally set to one hour before the
    current time to allow for a limited amount of clock skew.
</p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd>
<p>
    These options control the server's behavior on refreshing a
    zone (querying for SOA changes) or retrying failed transfers.
    Usually the SOA values for the zone are used, but these
    values are set by the master, giving slave server administrators
    little control over their contents.
</p>
<p>
    These options allow the administrator to set a minimum and
    maximum refresh and retry time either per-zone, per-view, or
    globally.
    These options are valid for slave and stub zones,
    and clamp the SOA refresh and retry times to the specified
    values.
</p>
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
<dd><p>
Sets the advertised EDNS UDP buffer size. Valid
values are 512 to 4096 (values outside this range
will be silently adjusted). The default value is
4096. The usual reason for setting edns-udp-size to
a non-default value is to get UDP answers to pass
through broken firewalls that block fragmented
packets and/or block UDP packets that are greater
than 512 bytes.
</p></dd>
<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
<dd><p>
Sets the maximum EDNS UDP message size named will
send. Valid values are 512 to 4096 (values outside
this range will be silently adjusted). The default
value is 4096. The usual reason for setting
max-udp-size to a non-default value is to get UDP
answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets
that are greater than 512 bytes.
</p></dd>
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<dd><p>Specifies
the file format of zone files (see
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
The default value is <code class="constant">text</code>, which is the
standard textual representation. Files in formats other
than <code class="constant">text</code> are typically expected
to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
Note that when a zone file in a format other than
<code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
may omit some of the checks which would be performed for a
file in the <code class="constant">text</code> format. In particular,
<span><strong class="command">check-names</strong></span> checks do not apply
for the <code class="constant">raw</code> format. This means
a zone file in the <code class="constant">raw</code> format
must be generated with the same check level as that
specified in the <span><strong class="command">named</strong></span> configuration
file. This statement sets the
<span><strong class="command">masterfile-format</strong></span> for all zones,
but can be overridden on a per-zone or per-view basis
by including a <span><strong class="command">masterfile-format</strong></span>
statement within the <span><strong class="command">zone</strong></span> or
<span><strong class="command">view</strong></span> block in the configuration
file.
</p></dd>
<dt>
<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
</dt>
<dd>
<p>These set the
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
before dropping additional clients. named will attempt to
self tune this value and changes will be logged. The
default values are 10 and 100.
</p>
<p>
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
If the number of queries exceeds this value, named will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
estimate will then be lowered in 20 minutes if it has
remained unchanged.
</p>
<p>
If <span><strong class="command">clients-per-query</strong></span> is set to zero,
then there is no limit on the number of clients per query
and no queries will be dropped.
</p>
<p>
If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
then there is no upper bound other than that imposed by
<span><strong class="command">recursive-clients</strong></span>.
</p>
</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
<p>
The server provides some helpful diagnostic information
through a number of built-in zones under the
pseudo-top-level-domain <code class="literal">bind</code> in the
<span><strong class="command">CHAOS</strong></span> class. These zones are part
of a
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
class
<span><strong class="command">CHAOS</strong></span> which is separate from the
default view of
class <span><strong class="command">IN</strong></span>; therefore, any global
server options
such as <span><strong class="command">allow-query</strong></span> do not apply
to these zones.
If you feel the need to disable these zones, use the options
below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
view by
defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
that matches all clients.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
<dd><p>
The version the server should report
via a query of the name <code class="literal">version.bind</code>
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The default is the real version number of this server.
Specifying <span><strong class="command">version none</strong></span>
disables processing of the queries.
</p></dd>
<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
<dd><p>
The hostname the server should report via a query of
the name <code class="filename">hostname.bind</code>
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
This defaults to the hostname of the machine hosting the
name server as
found by the gethostname() function. The primary purpose of such queries
is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
disables processing of the queries.
</p></dd>
<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
<dd><p>
The ID the server should report via a query of
the name <code class="filename">ID.SERVER</code>
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
The primary purpose of such queries is to
identify which of a group of anycast servers is actually
answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
disables processing of the queries.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
use the hostname as found by the gethostname() function.
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
</p></dd>
</dl></div>
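<p>
Because <span><strong class="command">allow-query</strong></span> does not cover the built-in <span><strong class="command">CHAOS</strong></span> view, it is worth checking what a server you administer actually returns for these names. The following is an added example, not part of the BIND documentation or code: it builds the TXT/CHAOS query for each built-in name and reports whether a reply carries a TXT answer. The function names, the query ID and the sample replies are assumptions constructed for illustration.
</p>

```python
import socket
import struct

QTYPE_TXT = 16      # TXT record type
QCLASS_CHAOS = 3    # CHAOS (CH) class
BUILTIN_NAMES = ("version.bind", "hostname.bind", "id.server")


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, query_id=0x4242):
    """Build a non-recursive TXT/CHAOS query for one built-in name."""
    header = struct.pack("!HHHHHH", query_id, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_txt_answers(msg):
    """Return (rcode, [txt strings]) from the answer section of a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE and QCLASS
    texts = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos = 0
            while pos < len(rdata):                 # TXT rdata: length-prefixed strings
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
    return flags & 0x000F, texts


def audit_response(name, msg):
    """Summarise one reply: a TXT answer means the built-in zone is still served."""
    rcode, texts = parse_txt_answers(msg)
    return {"name": name, "rcode": rcode, "discloses": bool(texts), "values": texts}


def ask(server, name, timeout=2.0):
    """Send the query over UDP to a server you administer; return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return sock.recvfrom(4096)[0]


def constructed_response(query, txt=None, rcode=0):
    """Constructed sample reply (not captured from a real server)."""
    query_id = struct.unpack("!H", query[:2])[0]
    ancount = 1 if txt is not None else 0
    msg = struct.pack("!HHHHHH", query_id, 0x8400 | rcode, 1, ancount, 0, 0) + query[12:]
    if txt is not None:
        raw = txt.encode("ascii")
        rdata = bytes([len(raw)]) + raw
        # The answer's owner name is a compression pointer to the question at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    for name in BUILTIN_NAMES:
        query = build_query(name)
        # Offline demo on constructed replies; use ask("127.0.0.1", name) for a live check.
        print(audit_response(name, constructed_response(query, txt="constructed-value")))
        print(audit_response(name, constructed_response(query, rcode=5)))
```

<p>
The response code in the second constructed reply is a placeholder; the check relies only on whether a TXT answer is present.
</p>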
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
<p>
Named has some built-in empty zones (SOA and NS records only).
These are for zones that should normally be answered locally
and for which queries should not be sent to the Internet's root
servers. The official servers which cover these namespaces
return NXDOMAIN responses to these queries. In particular,
these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
addresses (locally assigned), IPv6 link local addresses, the IPv6
loopback address and the IPv6 unknown address.
</p>
<p>
Named will attempt to determine if a built in zone already exists
or is active (covered by a forward-only forwarding declaration)
and will not create an empty zone in that case.
</p>
<p>
The current list of empty zones is:
</p>
<div class="itemizedlist"><ul type="disc">
<li>10.IN-ADDR.ARPA</li>
<li>127.IN-ADDR.ARPA</li>
<li>254.169.IN-ADDR.ARPA</li>
<li>16.172.IN-ADDR.ARPA</li>
<li>17.172.IN-ADDR.ARPA</li>
<li>18.172.IN-ADDR.ARPA</li>
<li>19.172.IN-ADDR.ARPA</li>
<li>20.172.IN-ADDR.ARPA</li>
<li>21.172.IN-ADDR.ARPA</li>
<li>22.172.IN-ADDR.ARPA</li>
<li>23.172.IN-ADDR.ARPA</li>
<li>24.172.IN-ADDR.ARPA</li>
<li>25.172.IN-ADDR.ARPA</li>
<li>26.172.IN-ADDR.ARPA</li>
<li>27.172.IN-ADDR.ARPA</li>
<li>28.172.IN-ADDR.ARPA</li>
<li>29.172.IN-ADDR.ARPA</li>
<li>30.172.IN-ADDR.ARPA</li>
<li>31.172.IN-ADDR.ARPA</li>
<li>168.192.IN-ADDR.ARPA</li>
<li>2.0.192.IN-ADDR.ARPA</li>
<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
<li>D.F.IP6.ARPA</li>
<li>8.E.F.IP6.ARPA</li>
<li>9.E.F.IP6.ARPA</li>
<li>A.E.F.IP6.ARPA</li>
<li>B.E.F.IP6.ARPA</li>
</ul></div>
<p>
</p>
<p>
Empty zones are settable at the view level and only apply to
views of class IN. Disabled empty zones are only inherited
from options if there are no disabled empty zones specified
at the view level. To override the options list of disabled
zones you can disable the root zone at the view level, for example:
</p>
<pre class="programlisting">
disable-empty-zone ".";
</pre>
<p>
</p>
<p>
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears not to be the case, with many queries
being made to the infrastructure servers for names in these
spaces. So many, in fact, that sacrificial servers needed
to be deployed to channel the query load away from the
infrastructure servers.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
The real parent servers for these zones should disable all
empty zones under the parent zone they serve. For the real
root servers this is all built in empty zones. This will
enable them to return referrals to deeper in the tree.
</div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
<dd><p>
Specify what server name will appear in the returned
SOA record for empty zones. If none is specified then
the zone's name will be used.
</p></dd>
<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
<dd><p>
Specify what contact name will appear in the returned
SOA record for empty zones. If none is specified then
"." will be used.
</p></dd>
<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
<dd><p>
Enable / disable all empty zones. By default they
are enabled.
</p></dd>
<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
<dd><p>
Disable an individual empty zone. By default none are
disabled. This option can be specified multiple times.
</p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="statsfile"></a>The Statistics File</h4></div></div></div>
<p>
The statistics file generated by <span class="acronym">BIND</span> 9
is similar, but not identical, to that
generated by <span class="acronym">BIND</span> 8.
</p>
<p>
The statistics dump begins with a line, like:
</p>
<p>
<span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
</p>
<p>
The number in parentheses is a standard
Unix-style timestamp, measured as seconds since January 1, 1970.
Following
that line are a series of lines containing a counter type, the
value of the
counter, optionally a zone name, and optionally a view name.
The lines without view and zone listed are global statistics for
the entire server.
Lines with a zone and view name are for the given view and zone (the
view name is
omitted for the default view).
</p>
<p>
The statistics dump ends with the line where the
number is identical to the number in the beginning line; for example:
</p>
<p>
<span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
</p>
<p>
The following statistics counters are maintained:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p><span><strong class="command">success</strong></span></p>
</td>
<td>
<p>
The number of
successful queries made to the server or zone. A
successful query
is defined as a query which returns a NOERROR response
with at least
one answer RR.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">referral</strong></span></p>
</td>
<td>
<p>
The number of queries which resulted
in referral responses.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">nxrrset</strong></span></p>
</td>
<td>
<p>
The number of queries which resulted in
NOERROR responses with no data.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">nxdomain</strong></span></p>
</td>
<td>
<p>
The number
of queries which resulted in NXDOMAIN responses.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">failure</strong></span></p>
</td>
<td>
<p>
The number of queries which resulted in a
failure response other than those above.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">recursion</strong></span></p>
</td>
<td>
<p>
The number of queries which caused the server
to perform recursion in order to find the final answer.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
Each query received by the server will cause exactly one of
<span><strong class="command">success</strong></span>,
<span><strong class="command">referral</strong></span>,
<span><strong class="command">nxrrset</strong></span>,
<span><strong class="command">nxdomain</strong></span>, or
<span><strong class="command">failure</strong></span>
to be incremented, and may additionally cause the
<span><strong class="command">recursion</strong></span> counter to be
incremented.
</p>
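<p>
The dump format and the one-outcome-per-query rule above are enough to parse the file and derive per-scope ratios. The following is an added example, not part of BIND or its documentation: it parses a constructed sample dump, checks that the begin and end markers carry the same timestamp, and flags scopes with a high share of NXDOMAIN responses. The function names, the sample data and the thresholds are assumptions.
</p>

```python
import re
from collections import defaultdict

# Constructed sample in the format described above (not real server output).
SAMPLE_DUMP = """\
+++ Statistics Dump +++ (973798949)
success 120
referral 5
nxrrset 10
nxdomain 60
failure 5
recursion 40
success 30 example.com
nxdomain 2 example.com
success 7 example.net internal
nxdomain 50 example.net internal
--- Statistics Dump --- (973798949)
"""

# Exactly one of these is incremented per query, so their sum is the query count.
OUTCOMES = ("success", "referral", "nxrrset", "nxdomain", "failure")
BEGIN_RE = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
END_RE = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")


def parse_dumps(text):
    """Parse every dump in the file text.

    Returns a list of {"timestamp": int, "scopes": {(zone, view): {counter: value}}}.
    The key (None, None) holds the global counters; view is None for the default view.
    """
    dumps, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:
            if current is not None:
                raise ValueError(f"line {lineno}: new dump before the previous one ended")
            current = {"timestamp": int(begin.group(1)), "scopes": defaultdict(dict)}
        elif end:
            if current is None or int(end.group(1)) != current["timestamp"]:
                raise ValueError(f"line {lineno}: end marker does not match begin marker")
            dumps.append(current)
            current = None
        else:
            if current is None:
                raise ValueError(f"line {lineno}: counter line outside a dump")
            fields = line.split()
            if not 2 <= len(fields) <= 4 or not fields[1].isdigit():
                raise ValueError(f"line {lineno}: malformed counter line {line!r}")
            zone = fields[2] if len(fields) > 2 else None
            view = fields[3] if len(fields) > 3 else None
            current["scopes"][(zone, view)][fields[0]] = int(fields[1])
    if current is not None:
        raise ValueError("truncated dump: no end marker")
    return dumps


def outcome_report(counters):
    """Derive the query total and ratios for one scope's counters."""
    total = sum(counters.get(name, 0) for name in OUTCOMES)
    ratio = (lambda n: n / total) if total else (lambda n: 0.0)
    return {
        "total": total,
        "nxdomain_ratio": ratio(counters.get("nxdomain", 0)),
        "failure_ratio": ratio(counters.get("failure", 0)),
        "recursion_ratio": ratio(counters.get("recursion", 0)),
    }


def flag_scopes(dump, max_nxdomain_ratio=0.5, min_queries=20):
    """Return (zone, view, ratio) for scopes above the assumed NXDOMAIN threshold."""
    flagged = []
    for (zone, view), counters in dump["scopes"].items():
        report = outcome_report(counters)
        if report["total"] >= min_queries and report["nxdomain_ratio"] > max_nxdomain_ratio:
            flagged.append((zone, view, report["nxdomain_ratio"]))
    return flagged


if __name__ == "__main__":
    for dump in parse_dumps(SAMPLE_DUMP):
        print(dump["timestamp"], outcome_report(dump["scopes"][(None, None)]))
        for zone, view, ratio in flag_scopes(dump):
            print(f"high NXDOMAIN share: zone={zone} view={view or 'default'} ratio={ratio:.2f}")
```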
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="acache"></a>Additional Section Caching</h4></div></div></div>
<p>
The additional section cache, also called <span><strong class="command">acache</strong></span>,
is an internal cache to improve the response performance of BIND 9.
When additional section caching is enabled, BIND 9 will
cache an internal short-cut to the additional section content for
each answer RR.
Note that <span><strong class="command">acache</strong></span> is an internal caching
mechanism of BIND 9, and is not related to the DNS caching
server function.
</p>
<p>
Additional section caching does not change the
response content (except the RRsets ordering of the additional
section, see below), but can improve the response performance
significantly.
It is particularly effective when BIND 9 acts as an authoritative
server for a zone that has many delegations with many glue RRs.
</p>
<p>
In order to obtain the maximum performance improvement
from additional section caching, setting
<span><strong class="command">additional-from-cache</strong></span>
to <span><strong class="command">no</strong></span> is recommended, since the current
implementation of <span><strong class="command">acache</strong></span>
does not short-cut additional section information from the
DNS cache data.
</p>
<p>
One obvious disadvantage of <span><strong class="command">acache</strong></span> is
that it requires much more
memory for the internal cached data.
Thus, if the response performance does not matter and memory
consumption is much more critical, the
<span><strong class="command">acache</strong></span> mechanism can be
disabled by setting <span><strong class="command">acache-enable</strong></span> to
<span><strong class="command">no</strong></span>.
It is also possible to specify the upper limit of memory
consumption
for acache by using <span><strong class="command">max-acache-size</strong></span>.
</p>
<p>
Additional section caching also has a minor effect on the
RRset ordering in the additional section.
Without <span><strong class="command">acache</strong></span>,
<span><strong class="command">cyclic</strong></span> order is effective for the additional
section as well as the answer and authority sections.
However, additional section caching fixes the ordering when it
first caches an RRset for the additional section, and the same
ordering will be kept in succeeding responses, regardless of the
setting of <span><strong class="command">rrset-order</strong></span>.
The effect of this should be minor, however, since an
RRset in the additional section
typically only contains a small number of RRs (and in many cases
it only contains a single RR), in which case the
ordering does not matter much.
</p>
<p>
The following is a summary of options related to
<span><strong class="command">acache</strong></span>.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
<dd><p>
If <span><strong class="command">yes</strong></span>, additional section caching is
enabled. The default value is <span><strong class="command">no</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
<dd><p>
The server will remove stale cache entries, using an LRU-based
algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
The default is 60 minutes.
If set to 0, no periodic cleaning will occur.
</p></dd>
<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
<dd><p>
The maximum amount of memory to use for the server's acache,
in bytes.
When the amount of data in the acache reaches this limit,
the server
will clean more aggressively so that the limit is not
exceeded.
In a server with multiple views, the limit applies
separately to the
acache of each view.
The default is <code class="literal">unlimited</code>,
meaning that
entries are purged from the acache only at the
periodic cleaning time.
</p></dd>
</dl></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
Usage</h3></div></div></div>
<p>
The <span><strong class="command">server</strong></span> statement defines
characteristics
to be associated with a remote name server. If a prefix length is
specified then a range of servers is covered. Only the most
specific
server clause applies regardless of the order in
<code class="filename">named.conf</code>.
</p>
<p>
The <span><strong class="command">server</strong></span> statement can occur at
the top level of the
configuration file or inside a <span><strong class="command">view</strong></span>
statement.
If a <span><strong class="command">view</strong></span> statement contains
one or more <span><strong class="command">server</strong></span> statements, only
those
apply to the view and any top-level ones are ignored.
If a view contains no <span><strong class="command">server</strong></span>
statements,
any top-level <span><strong class="command">server</strong></span> statements are
used as
defaults.
</p>
<p>
If you discover that a remote server is giving out bad data,
marking it as bogus will prevent further queries to it. The
default
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
</p>
<p>
The <span><strong class="command">provide-ixfr</strong></span> clause determines
whether
the local server, acting as master, will respond with an
incremental
zone transfer when the given remote server, a slave, requests it.
If set to <span><strong class="command">yes</strong></span>, incremental transfer
will be provided
whenever possible. If set to <span><strong class="command">no</strong></span>,
all transfers
to the remote server will be non-incremental. If not set, the
value
of the <span><strong class="command">provide-ixfr</strong></span> option in the
view or
global options block is used as a default.
</p>
<p>
The <span><strong class="command">request-ixfr</strong></span> clause determines
whether
the local server, acting as a slave, will request incremental zone
transfers from the given remote server, a master. If not set, the
value of the <span><strong class="command">request-ixfr</strong></span> option in
the view or
global options block is used as a default.
</p>
<p>
IXFR requests to servers that do not support IXFR will
automatically
fall back to AXFR. Therefore, there is no need to manually list
which servers support IXFR and which ones do not; the global
default
of <span><strong class="command">yes</strong></span> should always work.
The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
<span><strong class="command">request-ixfr</strong></span> clauses is
to make it possible to disable the use of IXFR even when both
master
and slave claim to support it, for example if one of the servers
is buggy and crashes or corrupts data when IXFR is used.
</p>
<p>
The <span><strong class="command">edns</strong></span> clause determines whether
the local server will attempt to use EDNS when communicating
with the remote server. The default is <span><strong class="command">yes</strong></span>.
</p>
<p>
The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
that is advertised by named when querying the remote server.
Valid values are 512 to 4096 (values outside this range will be
silently adjusted). This option is useful when you wish to
advertise a different value to this server than the value you
advertise globally, for example, when there is a firewall at the
remote site that is blocking large replies.
</p>
<p>
The <span><strong class="command">max-udp-size</strong></span> option sets the
maximum EDNS UDP message size named will send. Valid
values are 512 to 4096 (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
replies from named.
</p>
<p>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span>
8.x, and patched versions of <span class="acronym">BIND</span>
4.9.5. You can specify which method
to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
If <span><strong class="command">transfer-format</strong></span> is not
specified, the <span><strong class="command">transfer-format</strong></span>
specified
by the <span><strong class="command">options</strong></span> statement will be
used.
</p>
<p><span><strong class="command">transfers</strong></span>
is used to limit the number of concurrent inbound zone
transfers from the specified server. If no
<span><strong class="command">transfers</strong></span> clause is specified, the
limit is set according to the
<span><strong class="command">transfers-per-ns</strong></span> option.
</p>
<p>
The <span><strong class="command">keys</strong></span> clause identifies a
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
when talking to the remote server.
When a request is sent to the remote server, a request signature
will be generated using the key specified here and appended to the
message. A request originating from the remote server is not
required
to be signed by this key.
</p>
<p>
Although the grammar of the <span><strong class="command">keys</strong></span>
clause
allows for multiple keys, only a single key per server is
currently
supported.
</p>
<p>
The <span><strong class="command">transfer-source</strong></span> and
<span><strong class="command">transfer-source-v6</strong></span> clauses specify
the IPv4 and IPv6 source
address to be used for zone transfer with the remote server,
respectively.
For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
be specified.
Similarly, for an IPv6 remote server, only
<span><strong class="command">transfer-source-v6</strong></span> can be
specified.
For more details, see the description of
<span><strong class="command">transfer-source</strong></span> and
<span><strong class="command">transfer-source-v6</strong></span> in
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p>
<p>
The <span><strong class="command">notify-source</strong></span> and
<span><strong class="command">notify-source-v6</strong></span> clauses specify the
IPv4 and IPv6 source address to be used for notify
messages sent to remote servers, respectively. For an
IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
can be specified. Similarly, for an IPv6 remote server,
only <span><strong class="command">notify-source-v6</strong></span> can be specified.
</p>
<p>
The <span><strong class="command">query-source</strong></span> and
<span><strong class="command">query-source-v6</strong></span> clauses specify the
IPv4 and IPv6 source address to be used for queries
sent to remote servers, respectively. For an IPv4
remote server, only <span><strong class="command">query-source</strong></span> can
be specified. Similarly, for an IPv6 remote server,
only <span><strong class="command">query-source-v6</strong></span> can be specified.
</p>
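<p>
The two selection rules described at the start of this section (the most specific clause wins regardless of order, and a view's own <span><strong class="command">server</strong></span> statements replace the top-level ones) can leave a peer without the <span><strong class="command">keys</strong></span> clause an operator expects. The following is an added illustration, not code from BIND: the configuration is modelled as Python data, the addresses are documentation ranges, and the key name <code class="literal">xfer-key</code> and all function names are hypothetical.
</p>

```python
import ipaddress

# Constructed sample configuration, modelled as data rather than parsed from
# named.conf. Each entry is (prefix, settings of that server clause).
TOP_LEVEL = [
    ("192.0.2.0/24", {"edns": "no"}),
    ("192.0.2.53/32", {"keys": "xfer-key"}),  # hypothetical TSIG key name
]
VIEWS = {
    # No server statements: the top-level ones are used as defaults.
    "internal": [],
    # One server statement: top-level ones are ignored for this view.
    "external": [("198.51.100.0/24", {"bogus": "yes"})],
}


def candidate_clauses(view_name):
    """Clauses visible to a view: its own if it has any, else the top-level ones."""
    own = VIEWS.get(view_name, [])
    return own if own else TOP_LEVEL


def effective_server_clause(view_name, remote):
    """Return (prefix, settings) of the most specific matching clause, or None.

    Only one clause applies; settings of less specific clauses are not merged in,
    following the statement that only the most specific server clause applies.
    """
    addr = ipaddress.ip_address(remote)
    best = None
    for prefix, settings in candidate_clauses(view_name):
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, settings)
    return None if best is None else (str(best[0]), best[1])


def peers_without_tsig(expected_signed):
    """List (view, peer) pairs where a peer expected to use TSIG has no keys clause in effect."""
    findings = []
    for view_name in sorted(VIEWS):
        for peer in expected_signed:
            clause = effective_server_clause(view_name, peer)
            if clause is None or "keys" not in clause[1]:
                findings.append((view_name, peer))
    return findings


if __name__ == "__main__":
    for view_name in sorted(VIEWS):
        print(view_name, effective_server_clause(view_name, "192.0.2.53"))
    print("missing TSIG:", peers_without_tsig(["192.0.2.53"]))
```

<p>
In the "external" view the top-level clause for 192.0.2.53 is not consulted at all, so requests to that server from this view would be sent unsigned unless the clause is repeated inside the view.
</p>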
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2565882"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">trusted-keys {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2565931"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</h3></div></div></div>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement defines
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
public key for a non-authoritative zone is known, but
cannot be securely obtained through DNS, either because
it is the DNS root zone or because its parent zone is
unsigned. Once a key has been configured as a trusted
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
</p>
<p>
All keys (and corresponding zones) listed in
<span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
of what parent zones say. Similarly, for all keys listed in
<span><strong class="command">trusted-keys</strong></span>, only those keys are
used to validate the DNSKEY RRset. The parent's DS RRset
will not be used.
</p>
<p>
The <span><strong class="command">trusted-keys</strong></span> statement can contain
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
match-clients { <em class="replaceable"><code>address_match_list</code></em> };
match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
[<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
[<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2566011"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
The <span><strong class="command">view</strong></span> statement is a powerful
feature
of <span class="acronym">BIND</span> 9 that lets a name server
answer a DNS query differently
depending on who is asking. It is particularly useful for
implementing
split DNS setups without having to run multiple servers.
</p>
<p>
Each <span><strong class="command">view</strong></span> statement defines a view
of the
DNS namespace that will be seen by a subset of clients. A client
matches
a view if its source IP address matches the
<code class="varname">address_match_list</code> of the view's
<span><strong class="command">match-clients</strong></span> clause and its
destination IP address matches
the <code class="varname">address_match_list</code> of the
view's
<span><strong class="command">match-destinations</strong></span> clause. If not
specified, both
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
default to matching all addresses. In addition to checking IP
addresses,
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
can also take <span><strong class="command">keys</strong></span>, which provide a
mechanism for the
client to select the view. A view can also be specified
as <span><strong class="command">match-recursive-only</strong></span>, which
means that only recursive
requests from matching clients will match that view.
The order of the <span><strong class="command">view</strong></span> statements is
significant &#8212;
a client request will be resolved in the context of the first
<span><strong class="command">view</strong></span> that it matches.
</p>
<p>
Zones defined within a <span><strong class="command">view</strong></span>
statement will
only be accessible to clients that match the <span><strong class="command">view</strong></span>.
By defining a zone of the same name in multiple views, different
zone data can be given to different clients, for example,
"internal"
and "external" clients in a split DNS setup.
</p>
<p>
Many of the options given in the <span><strong class="command">options</strong></span> statement
can also be used within a <span><strong class="command">view</strong></span>
statement, and then
apply only when resolving queries with that view. When no
view-specific
value is given, the value in the <span><strong class="command">options</strong></span> statement
is used as a default. Also, zone options can have default values
specified
in the <span><strong class="command">view</strong></span> statement; these
view-specific defaults
take precedence over those in the <span><strong class="command">options</strong></span> statement.
</p>
<p>
Views are class specific. If no class is given, class IN
is assumed. Note that all non-IN views must contain a hint zone,
since only the IN class has compiled-in default hints.
</p>
<p>
If there are no <span><strong class="command">view</strong></span> statements in
the config
file, a default view that matches any client is automatically
created
in class IN. Any <span><strong class="command">zone</strong></span> statements
specified on
the top level of the configuration file are considered to be part
of
this default view, and the <span><strong class="command">options</strong></span>
statement will
apply to the default view. If any explicit <span><strong class="command">view</strong></span>
statements are present, all <span><strong class="command">zone</strong></span>
statements must
occur inside <span><strong class="command">view</strong></span> statements.
</p>
<p>
Here is an example of a typical split DNS setup implemented
using <span><strong class="command">view</strong></span> statements.
</p>
<pre class="programlisting">view "internal" {
      // This should match our internal networks.
      match-clients { 10.0.0.0/8; };

      // Provide recursive service to internal clients only.
      recursion yes;

      // Provide a complete view of the example.com zone
      // including addresses of internal hosts.
      zone "example.com" {
            type master;
            file "example-internal.db";
      };
};

view "external" {
      // Match all clients not matched by the previous view.
      match-clients { any; };

      // Refuse recursive service to external clients.
      recursion no;

      // Provide a restricted view of the example.com zone
      // containing only publicly accessible hosts.
      zone "example.com" {
            type master;
            file "example-external.db";
      };
};
</pre>
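<p>
Because a request is resolved in the first <span><strong class="command">view</strong></span> it matches, the order of the two views above is part of the access policy. The following added sketch (not code from BIND) models first-match selection and flags views that can never be reached. It is simplified to plain address prefixes: key-based matching, negation, and named ACLs in an <code class="varname">address_match_list</code> are not modelled, and all function and variable names are hypothetical.
</p>

```python
import ipaddress

# "any" is modelled as both address families' catch-all prefixes.
ANY = ("0.0.0.0/0", "::/0")


def view(name, clients=ANY, destinations=ANY, recursive_only=False):
    """Build a simplified view record; unspecified match lists match all addresses."""
    return {
        "name": name,
        "clients": tuple(clients),
        "destinations": tuple(destinations),
        "recursive_only": recursive_only,
    }


def address_matches(addr, prefixes):
    """True if addr falls inside any of the given prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def select_view(views, src, dst, recursive=False):
    """Return the name of the first view matching the request, or None."""
    for v in views:
        if v["recursive_only"] and not recursive:
            continue
        if address_matches(src, v["clients"]) and address_matches(dst, v["destinations"]):
            return v["name"]
    return None


def shadowed_views(views):
    """Names of views listed after a view that already matches every request."""
    shadowed = []
    catch_all_seen = False
    for v in views:
        if catch_all_seen:
            shadowed.append(v["name"])
        elif (not v["recursive_only"]
              and set(ANY) <= set(v["clients"])
              and set(ANY) <= set(v["destinations"])):
            catch_all_seen = True
    return shadowed


# The split DNS example from this section, in its intended order ...
INTENDED_ORDER = [view("internal", clients=("10.0.0.0/8",)), view("external")]
# ... and with the two view statements swapped (constructed misconfiguration).
SWAPPED_ORDER = [view("external"), view("internal", clients=("10.0.0.0/8",))]

if __name__ == "__main__":
    # Source and destination addresses are constructed sample values.
    for label, views in (("intended", INTENDED_ORDER), ("swapped", SWAPPED_ORDER)):
        print(label,
              select_view(views, "10.1.2.3", "192.0.2.1"),
              select_view(views, "203.0.113.7", "192.0.2.1"),
              "shadowed:", shadowed_views(views))
```

<p>
With the views swapped, internal clients are served from the "external" view and the "internal" view is never selected, so a check of this kind is worth running whenever views are added or reordered.
</p>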
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
Statement Grammar</h3></div></div></div>
<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type master;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type slave;
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type hint;
file <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type stub;
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type forward;
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type delegation-only;
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2567457"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567464"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="varname">master</code>
</p>
</td>
<td>
<p>
The server has a master copy of the data
for the zone and will be able to provide authoritative
answers for
it.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">slave</code>
</p>
</td>
<td>
<p>
A slave zone is a replica of a master
zone. The <span><strong class="command">masters</strong></span> list
specifies one or more IP addresses
of master servers that the slave contacts to update
its copy of the zone.
Masters list elements can also be names of other
masters lists.
By default, transfers are made from port 53 on the
servers; this can
be changed for all servers by specifying a port number
before the
list of IP addresses, or on a per-server basis after
the IP address.
Authentication to the master can also be done with
per-server TSIG keys.
If a file is specified, then the
replica will be written to this file whenever the zone
is changed,
and reloaded from this file on a server restart. Use
of a file is
recommended, since it often speeds server startup and
eliminates
a needless waste of bandwidth. Note that for large
numbers (in the
tens or hundreds of thousands) of zones per server, it
is best to
use a two level naming scheme for zone file names. For
example,
a slave server for the zone <code class="literal">example.com</code> might place
the zone contents into a file called
<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
just the first two letters of the zone name. (Most
operating systems
behave very slowly if you put 100 000 files into
a single directory.)
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">stub</code>
</p>
</td>
<td>
<p>
A stub zone is similar to a slave zone,
except that it replicates only the NS records of a
master zone instead
of the entire zone. Stub zones are not a standard part
of the DNS;
they are a feature specific to the <span class="acronym">BIND</span> implementation.
</p>
<p>
Stub zones can be used to eliminate the need for a glue
NS record
in a parent zone at the expense of maintaining a stub
zone entry and
a set of name server addresses in <code class="filename">named.conf</code>.
This usage is not recommended for new configurations,
and BIND 9
supports it only in a limited way.
In <span class="acronym">BIND</span> 4/8, zone
transfers of a parent zone
included the NS records from stub children of that
zone. This meant
that, in some cases, users could get away with
configuring child stubs
only in the master server for the parent zone. <span class="acronym">BIND</span>
9 never mixes together zone data from different zones
in this
way. Therefore, if a <span class="acronym">BIND</span> 9 master serving a parent
zone has child stub zones configured, all the slave
servers for the
parent zone also need to have the same child stub
zones
configured.
</p>
<p>
Stub zones can also be used as a way of forcing the
resolution
of a given domain to use a particular set of
authoritative servers.
For example, the caching name servers on a private
network using
RFC1918 addressing may be configured with stub zones
for
<code class="literal">10.in-addr.arpa</code>
to use a set of internal name servers as the
authoritative
servers for that domain.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">forward</code>
</p>
</td>
<td>
<p>
A "forward zone" is a way to configure
forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
of type <span><strong class="command">forward</strong></span> can
contain a <span><strong class="command">forward</strong></span>
and/or <span><strong class="command">forwarders</strong></span>
statement,
which will apply to queries within the domain given by
the zone
name. If no <span><strong class="command">forwarders</strong></span>
statement is present or
an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
forwarding will be done for the domain, canceling the
effects of
any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
if you want to use this type of zone to change the
behavior of the
global <span><strong class="command">forward</strong></span> option
(that is, from "forward first"
to "forward only", or vice versa) but want to
use the same
servers as set globally, you need to re-specify the
global forwarders.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">hint</code>
</p>
</td>
<td>
<p>
The initial set of root name servers is
specified using a "hint zone". When the server starts
up, it uses
the root hints to find a root name server and get the
most recent
list of root name servers. If no hint zone is
specified for class
IN, the server uses a compiled-in default set of root
server hints.
Classes other than IN have no built-in default hints.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">delegation-only</code>
</p>
</td>
<td>
<p>
This is used to enforce the delegation only
status of infrastructure zones (e.g. COM, NET, ORG).
Any answer that
is received without an explicit or implicit delegation
in the authority
section will be treated as NXDOMAIN. This does not
apply to the zone
apex. This SHOULD NOT be applied to leaf zones.
</p>
<p>
<code class="varname">delegation-only</code> has no
effect on answers received
from forwarders.
</p>
</td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567883"></a>Class</h4></div></div></div>
<p>
The zone's name may optionally be followed by a class. If
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>)
is assumed. This is correct for the vast majority of cases.
</p>
<p>
The <code class="literal">hesiod</code> class is
named for an information service from MIT's Project Athena. It
is
used to share information about various systems databases, such
as users, groups, printers and so on. The keyword
<code class="literal">HS</code> is
a synonym for hesiod.
</p>
<p>
Another MIT development is CHAOSnet, a LAN protocol created
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2567916"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">allow-transfer</strong></span>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">allow-update</strong></span>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
<dd><p>
Specifies a "Simple Secure Update" policy. See
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">allow-update-forwarding</strong></span>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
<dd><p>
Only meaningful if <span><strong class="command">notify</strong></span>
is
active for this zone. The set of machines that will
receive a
<code class="literal">DNS NOTIFY</code> message
for this zone is made up of all the listed name servers
(other than
the primary master) for the zone plus any IP addresses
specified
with <span><strong class="command">also-notify</strong></span>. A port
may be specified
with each <span><strong class="command">also-notify</strong></span>
address to send the notify
messages to a port other than the default of 53.
<span><strong class="command">also-notify</strong></span> is not
meaningful for stub zones.
The default is the empty list.
</p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd><p>
This option is used to restrict the character set and
syntax of
certain domain names in master files and/or DNS responses
received from the
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
zones the default is <span><strong class="command">warn</strong></span>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
<p>
Specify the type of database to be used for storing the
zone data. The string following the <span><strong class="command">database</strong></span> keyword
is interpreted as a list of whitespace-delimited words.
The first word
identifies the database type, and any subsequent words are
passed
as arguments to the database to be interpreted in a way
specific
to the database type.
</p>
<p>
The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
native in-memory
red-black-tree database. This database does not take
arguments.
</p>
<p>
Other values are possible if additional database drivers
have been linked into the server. Some sample drivers are
included
with the distribution but none are linked in by default.
</p>
</dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
<dd><p>
The flag only applies to hint and stub zones. If set
to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
treated as if it
is a delegation-only type zone.
</p></dd>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
<dd><p>
Only meaningful if the zone has a forwarders
list. The <span><strong class="command">only</strong></span> value causes
the lookup to fail
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
allow a normal lookup to be tried.
</p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
<dd><p>
Used to override the list of global forwarders.
If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
no forwarding is done for the zone; the global options are
not used.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
<dd><p>
Was used in <span class="acronym">BIND</span> 8 to
specify the name
of the transaction log (journal) file for dynamic update
and IXFR.
<span class="acronym">BIND</span> 9 ignores the option
and constructs the name of the journal
file by appending "<code class="filename">.jnl</code>"
to the name of the
zone file.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
<dd><p>
Was an undocumented option in <span class="acronym">BIND</span> 8.
Ignored in <span class="acronym">BIND</span> 9.
</p></dd>
<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
<dd><p>
Allow the default journal's file name to be overridden.
The default is the zone's file with "<code class="filename">.jnl</code>" appended.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
<dd><p>
In <span class="acronym">BIND</span> 8, this option was
intended for specifying
a public zone key for verification of signatures in DNSSEC
signed
zones when they are loaded from disk. <span class="acronym">BIND</span> 9 does not verify signatures
on load and ignores the option.
</p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, the server will keep
statistical
information for this zone, which can be dumped to the
<span><strong class="command">statistics-file</strong></span> defined in
the server options.
</p></dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
</p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd><p>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
Usage&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">multi-master</strong></span> in
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">masterfile-format</strong></span>
in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
</p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
<p>
<span class="acronym">BIND</span> 9 supports two alternative
methods of granting clients
the right to perform dynamic updates to a zone,
configured by the <span><strong class="command">allow-update</strong></span>
and
<span><strong class="command">update-policy</strong></span> options,
respectively.
</p>
<p>
The <span><strong class="command">allow-update</strong></span> clause works the
same
way as in previous versions of <span class="acronym">BIND</span>. It grants given clients the
permission to update any record of any name in the zone.
</p>
<p>
The <span><strong class="command">update-policy</strong></span> clause is new
in <span class="acronym">BIND</span>
9 and allows more fine-grained control over what updates are
allowed.
A set of rules is specified, where each rule either grants or
denies
permissions for one or more names to be updated by one or more
identities.
If the dynamic update request message is signed (that is, it
includes
either a TSIG or SIG(0) record), the identity of the signer can
be determined.
</p>
<p>
Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
to be present. The <span><strong class="command">update-policy</strong></span>
statement only
examines the signer of a message; the source address is not
relevant.
</p>
<p>
This is how a rule definition looks:
</p>
<pre class="programlisting">
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
<p>
Each rule grants or denies privileges. Once a message has
successfully matched a rule, the operation is immediately
granted
or denied and no further rules are examined. A rule is matched
when the signer matches the identity field, the name matches the
name field in accordance with the nametype field, and the type
matches
the types specified in the type field.
</p>
<p>
The identity field specifies a name or a wildcard name.
Normally, this
is the name of the TSIG or SIG(0) key used to sign the update
request. When a
TKEY exchange has been used to create a shared secret, the
identity of the
shared secret is the same as the identity of the key used to
authenticate the
TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
wildcard name, it is subject to DNS wildcard expansion, so the
rule will apply
to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
contain a fully qualified domain name.
</p>
<p>
The <em class="replaceable"><code>nametype</code></em> field has 6
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
<code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="varname">name</code>
</p>
</td>
<td>
<p>
Exact-match semantics. This rule matches
when the name being updated is identical
to the contents of the
<em class="replaceable"><code>name</code></em> field.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">subdomain</code>
</p>
</td>
<td>
<p>
This rule matches when the name being updated
is a subdomain of, or identical to, the
contents of the <em class="replaceable"><code>name</code></em>
field.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">wildcard</code>
</p>
</td>
<td>
<p>
The <em class="replaceable"><code>name</code></em> field
is subject to DNS wildcard expansion, and
this rule matches when the name being updated
is a valid expansion of the wildcard.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">self</code>
</p>
</td>
<td>
<p>
This rule matches when the name being updated
matches the contents of the
<em class="replaceable"><code>identity</code></em> field.
The <em class="replaceable"><code>name</code></em> field
is ignored, but should be the same as the
<em class="replaceable"><code>identity</code></em> field.
The <code class="varname">self</code> nametype is
most useful when allowing one key per
name to be used for updates, where the key has the same
name as the name to be updated. The
<em class="replaceable"><code>identity</code></em> would
be specified as <code class="constant">*</code> in
this case.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">selfsub</code>
</p>
</td>
<td>
<p>
This rule is similar to <code class="varname">self</code>
except that subdomains of <code class="varname">self</code>
can also be updated.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">selfwild</code>
</p>
</td>
<td>
<p>
This rule is similar to <code class="varname">self</code>
except that only subdomains of
<code class="varname">self</code> can be updated.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
In all cases, the <em class="replaceable"><code>name</code></em>
field must
specify a fully qualified domain name.
</p>
<p>
If no types are explicitly specified, this rule matches all
types except
RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
"ANY" (ANY matches all types except NSEC, which can never be
updated).
Note that when an attempt is made to delete all records
associated with a
name, the rules are checked for each existing record type.
</p>
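<p>
The nametype and type-matching rules above, worked through in Python as an added example (not BIND's code). The function names and the rule tuple are hypothetical; identity matching is reduced to <code class="constant">*</code> or an exact key name, and a wildcard expansion is assumed to be any name strictly below the wildcard's parent.
</p>

```python
# Added illustration of update-policy nametype matching; not BIND source code.
# Function names and the rule tuple layout are hypothetical.

DEFAULT_EXCLUDED_TYPES = {"RRSIG", "NS", "SOA", "NSEC"}


def labels(fqdn):
    """Lowercase label list of a fully qualified name (trailing dot required)."""
    if not fqdn.endswith("."):
        raise ValueError("not fully qualified: %r" % fqdn)
    return [part for part in fqdn.lower().rstrip(".").split(".") if part]


def is_subdomain(name, parent, strict=False):
    """Label-wise suffix test; equal names count unless strict is set."""
    n, p = labels(name), labels(parent)
    if len(n) < len(p) or (strict and len(n) == len(p)):
        return False
    return not p or n[-len(p):] == p


def name_matches(nametype, rule_name, signer, updated):
    """Apply one nametype from the table to the name being updated."""
    if nametype == "name":
        return labels(updated) == labels(rule_name)
    if nametype == "subdomain":
        return is_subdomain(updated, rule_name)
    if nametype == "wildcard":
        # Assumption: a valid expansion is any name strictly below the
        # wildcard's parent, e.g. *.dyn.example.com. covers pc7.dyn.example.com.
        wl = labels(rule_name)
        if not wl or wl[0] != "*":
            return False
        return is_subdomain(updated, ".".join(wl[1:]) + ".", strict=True)
    if nametype == "self":
        return labels(updated) == labels(signer)
    if nametype == "selfsub":
        return is_subdomain(updated, signer)
    if nametype == "selfwild":
        return is_subdomain(updated, signer, strict=True)
    raise ValueError("unknown nametype: %r" % nametype)


def type_matches(rule_types, rrtype):
    """Empty type list: everything except RRSIG, NS, SOA and NSEC."""
    rrtype = rrtype.upper()
    if rrtype == "NSEC":
        return False  # NSEC can never be updated, even with ANY
    if not rule_types:
        return rrtype not in DEFAULT_EXCLUDED_TYPES
    wanted = {t.upper() for t in rule_types}
    return "ANY" in wanted or rrtype in wanted


def rule_matches(rule, signer, updated, rrtype):
    """rule is (identity, nametype, name, types); signer is the key's name."""
    identity, nametype, rule_name, types = rule
    if identity != "*" and labels(identity) != labels(signer):
        return False
    return (name_matches(nametype, rule_name, signer, updated)
            and type_matches(types, rrtype))


def delete_all_allowed(rule, signer, updated, existing_types):
    """Deleting every record at a name is checked per existing record type."""
    return all(rule_matches(rule, signer, updated, t) for t in existing_types)
```

<p>
Matching is done label by label, so a rule for <code class="literal">dyn.example.com.</code> does not cover <code class="literal">evil-dyn.example.com.</code>, which a plain string suffix comparison would accept.
</p>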
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2569739"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
<p>
This section, largely borrowed from RFC 1034, describes the
concept of a Resource Record (RR) and explains when each is used.
Since the publication of RFC 1034, several new RRs have been
identified
and implemented in the DNS. These are also included.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2569757"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
information associated with a particular name is composed of
separate RRs. The order of RRs in a set is not significant and
need not be preserved by name servers, resolvers, or other
parts of the DNS. However, sorting of multiple RRs is
permitted for optimization purposes, for example, to specify
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
</p>
<p>
The components of a Resource Record are:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
owner name
</p>
</td>
<td>
<p>
The domain name where the RR is found.
</p>
</td>
</tr>
<tr>
<td>
<p>
type
</p>
</td>
<td>
<p>
An encoded 16 bit value that specifies
the type of the resource record.
</p>
</td>
</tr>
<tr>
<td>
<p>
TTL
</p>
</td>
<td>
<p>
The time to live of the RR. This field
is a 32 bit integer in units of seconds, and is
primarily used by
resolvers when they cache RRs. The TTL describes how
long an RR can
be cached before it should be discarded.
</p>
</td>
</tr>
<tr>
<td>
<p>
class
</p>
</td>
<td>
<p>
An encoded 16 bit value that identifies
a protocol family or instance of a protocol.
</p>
</td>
</tr>
<tr>
<td>
<p>
RDATA
</p>
</td>
<td>
<p>
The resource data. The format of the
data is type (and sometimes class) specific.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
The following are <span class="emphasis"><em>types</em></span> of valid RRs:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
A
</p>
</td>
<td>
<p>
A host address. In the IN class, this is a
32-bit IP address. Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
AAAA
</p>
</td>
<td>
<p>
IPv6 address. Described in RFC 1886.
</p>
</td>
</tr>
<tr>
<td>
<p>
A6
</p>
</td>
<td>
<p>
IPv6 address. This can be a partial
address (a suffix) and an indirection to the name
where the rest of the
address (the prefix) can be found. Experimental.
Described in RFC 2874.
</p>
</td>
</tr>
<tr>
<td>
<p>
AFSDB
</p>
</td>
<td>
<p>
Location of AFS database servers.
Experimental. Described in RFC 1183.
</p>
</td>
</tr>
<tr>
<td>
<p>
APL
</p>
</td>
<td>
<p>
Address prefix list. Experimental.
Described in RFC 3123.
</p>
</td>
</tr>
<tr>
<td>
<p>
CERT
</p>
</td>
<td>
<p>
Holds a digital certificate.
Described in RFC 2538.
</p>
</td>
</tr>
<tr>
<td>
<p>
CNAME
</p>
</td>
<td>
<p>
Identifies the canonical name of an alias.
Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
DNAME
</p>
</td>
<td>
<p>
Replaces the domain name specified with
another name to be looked up, effectively aliasing an
entire
subtree of the domain name space rather than a single
record
as in the case of the CNAME RR.
Described in RFC 2672.
</p>
</td>
</tr>
<tr>
<td>
<p>
DNSKEY
</p>
</td>
<td>
<p>
Stores a public key associated with a signed
DNS zone. Described in RFC 4034.
</p>
</td>
</tr>
<tr>
<td>
<p>
DS
</p>
</td>
<td>
<p>
Stores the hash of a public key associated with a
signed DNS zone. Described in RFC 4034.
</p>
</td>
</tr>
<tr>
<td>
<p>
GPOS
</p>
</td>
<td>
<p>
Specifies the global position. Superseded by LOC.
</p>
</td>
</tr>
<tr>
<td>
<p>
HINFO
</p>
</td>
<td>
<p>
Identifies the CPU and OS used by a host.
Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
ISDN
</p>
</td>
<td>
<p>
Representation of ISDN addresses.
Experimental. Described in RFC 1183.
</p>
</td>
</tr>
<tr>
<td>
<p>
KEY
</p>
</td>
<td>
<p>
Stores a public key associated with a
DNS name. Used in original DNSSEC; replaced
by DNSKEY in DNSSECbis, but still used with
SIG(0). Described in RFCs 2535 and 2931.
</p>
</td>
</tr>
<tr>
<td>
<p>
KX
</p>
</td>
<td>
<p>
Identifies a key exchanger for this
DNS name. Described in RFC 2230.
</p>
</td>
</tr>
<tr>
<td>
<p>
LOC
</p>
</td>
<td>
<p>
For storing GPS info. Described in RFC 1876.
Experimental.
</p>
</td>
</tr>
<tr>
<td>
<p>
MX
</p>
</td>
<td>
<p>
Identifies a mail exchange for the domain with
a 16 bit preference value (lower is better)
followed by the host name of the mail exchange.
Described in RFC 974, RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
NAPTR
</p>
</td>
<td>
<p>
Name authority pointer. Described in RFC 2915.
</p>
</td>
</tr>
<tr>
<td>
<p>
NSAP
</p>
</td>
<td>
<p>
A network service access point.
Described in RFC 1706.
</p>
</td>
</tr>
<tr>
<td>
<p>
NS
</p>
</td>
<td>
<p>
The authoritative name server for the
domain. Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
NSEC
</p>
</td>
<td>
<p>
Used in DNSSECbis to securely indicate that
RRs with an owner name in a certain name interval do
not exist in
a zone and indicate what RR types are present for an
existing name.
Described in RFC 4034.
</p>
</td>
</tr>
<tr>
<td>
<p>
NXT
</p>
</td>
<td>
<p>
Used in DNSSEC to securely indicate that
RRs with an owner name in a certain name interval do
not exist in
a zone and indicate what RR types are present for an
existing name.
Used in original DNSSEC; replaced by NSEC in
DNSSECbis.
Described in RFC 2535.
</p>
</td>
</tr>
<tr>
<td>
<p>
PTR
</p>
</td>
<td>
<p>
A pointer to another part of the domain
name space. Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
PX
</p>
</td>
<td>
<p>
Provides mappings between RFC 822 and X.400
addresses. Described in RFC 2163.
</p>
</td>
</tr>
<tr>
<td>
<p>
RP
</p>
</td>
<td>
<p>
Information on persons responsible
for the domain. Experimental. Described in RFC 1183.
</p>
</td>
</tr>
<tr>
<td>
<p>
RRSIG
</p>
</td>
<td>
<p>
Contains DNSSECbis signature data. Described
in RFC 4034.
</p>
</td>
</tr>
<tr>
<td>
<p>
RT
</p>
</td>
<td>
<p>
Route-through binding for hosts that
do not have their own direct wide area network
addresses.
Experimental. Described in RFC 1183.
</p>
</td>
</tr>
<tr>
<td>
<p>
SIG
</p>
</td>
<td>
<p>
Contains DNSSEC signature data. Used in
original DNSSEC; replaced by RRSIG in
DNSSECbis, but still used for SIG(0).
Described in RFCs 2535 and 2931.
</p>
</td>
</tr>
<tr>
<td>
<p>
SOA
</p>
</td>
<td>
<p>
Identifies the start of a zone of authority.
Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
SRV
</p>
</td>
<td>
<p>
Information about well known network
services (replaces WKS). Described in RFC 2782.
</p>
</td>
</tr>
<tr>
<td>
<p>
TXT
</p>
</td>
<td>
<p>
Text records. Described in RFC 1035.
</p>
</td>
</tr>
<tr>
<td>
<p>
WKS
</p>
</td>
<td>
<p>
Information about which well known
network services, such as SMTP, that a domain
supports. Historical.
</p>
</td>
</tr>
<tr>
<td>
<p>
X25
</p>
</td>
<td>
<p>
Representation of X.25 network addresses.
Experimental. Described in RFC 1183.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
The following <span class="emphasis"><em>classes</em></span> of resource records
are currently valid in the DNS:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
IN
</p>
</td>
<td>
<p>
The Internet.
</p>
</td>
</tr>
<tr>
<td>
<p>
CH
</p>
</td>
<td>
<p>
CHAOSnet, a LAN protocol created at MIT in the
mid-1970s.
Rarely used for its historical purpose, but reused for
BIND's
built-in server information zones, e.g.,
<code class="literal">version.bind</code>.
</p>
</td>
</tr>
<tr>
<td>
<p>
HS
</p>
</td>
<td>
<p>
Hesiod, an information service
developed by MIT's Project Athena. It is used to share
information
about various systems databases, such as users,
groups, printers
and so on.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
The owner name is often implicit, rather than forming an
integral
part of the RR. For example, many name servers internally form
tree
or hash structures for the name space, and chain RRs off nodes.
The remaining RR parts are the fixed header (type, class, TTL)
which is consistent for all RRs, and a variable part (RDATA)
that
fits the needs of the resource being described.
</p>
<p>
The meaning of the TTL field is a time limit on how long an
RR can be kept in a cache. This limit does not apply to
authoritative
data in zones; it is also timed out, but by the refreshing
policies
for the zone. The TTL is assigned by the administrator for the
zone where the data originates. While short TTLs can be used to
minimize caching, and a zero TTL prohibits caching, the
realities
of Internet performance suggest that these times should be on
the
order of days for the typical host. If a change can be
anticipated,
the TTL can be reduced prior to the change to minimize
inconsistency
during the change, and then increased back to its former value
following
the change.
</p>
<p>
The data in the RDATA section of RRs is carried as a combination
of binary strings and domain names. The domain names are
frequently
used as "pointers" to other data in the DNS.
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2571104"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
when
stored in a name server or resolver. In the examples provided
in
RFC 1034, a style similar to that used in master files was
employed
in order to show the contents of RRs. In this format, most RRs
are shown on a single line, although continuation lines are
possible
using parentheses.
</p>
<p>
The start of the line gives the owner of the RR. If a line
begins with a blank, then the owner is assumed to be the same as
that of the previous RR. Blank lines are often included for
readability.
</p>
<p>
Following the owner, we list the TTL, type, and class of the
RR. Class and type use the mnemonics defined above, and TTL is
an integer before the type field. In order to avoid ambiguity
in
parsing, type and class mnemonics are disjoint, TTLs are
integers,
and the type mnemonic is always last. The IN class and TTL
values
are often omitted from examples in the interests of clarity.
</p>
<p>
The resource data or RDATA section of the RR is given using
knowledge of the typical representation for the data.
</p>
<p>
For example, we might show the RRs carried in a message as:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="literal">ISI.EDU.</code>
</p>
</td>
<td>
<p>
<code class="literal">MX</code>
</p>
</td>
<td>
<p>
<code class="literal">10 VENERA.ISI.EDU.</code>
</p>
</td>
</tr>
<tr>
<td>
<p></p>
</td>
<td>
<p>
<code class="literal">MX</code>
</p>
</td>
<td>
<p>
<code class="literal">10 VAXA.ISI.EDU</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="literal">VENERA.ISI.EDU</code>
</p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">128.9.0.32</code>
</p>
</td>
</tr>
<tr>
<td>
<p></p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">10.1.0.52</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="literal">VAXA.ISI.EDU</code>
</p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">10.2.0.27</code>
</p>
</td>
</tr>
<tr>
<td>
<p></p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">128.9.0.33</code>
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
The MX RRs have an RDATA section which consists of a 16 bit
number followed by a domain name. The address RRs use a
standard
IP address format to contain a 32 bit internet address.
</p>
<p>
This example shows six RRs, with two RRs at each of three
domain names.
</p>
<p>
Similarly we might see:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="literal">XX.LCS.MIT.EDU.</code>
</p>
</td>
<td>
<p>
<code class="literal">IN A</code>
</p>
</td>
<td>
<p>
<code class="literal">10.0.0.44</code>
</p>
</td>
</tr>
<tr>
<td>&#160;</td>
<td>
<p>
<code class="literal">CH A</code>
</p>
</td>
<td>
<p>
<code class="literal">MIT.EDU. 2420</code>
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
This example shows two addresses for
<code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2571556"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
piece of information about a given domain name (which is usually,
but not always, a host). The simplest way to think of an RR is as
a typed pair of data, a domain name matched with a relevant datum,
and stored with some additional type information to help systems
determine when the RR is relevant.
</p>
<p>
MX records are used to control delivery of email. The data
specified in the record is a priority and a domain name. The
priority
controls the order in which email delivery is attempted, with the
lowest number first. If two priorities are the same, a server is
chosen randomly. If no servers at a given priority are responding,
the mail transport agent will fall back to the next largest
priority.
Priority numbers do not have any absolute meaning &#8212; they are
relevant
only respective to other MX records for that domain name. The
domain
name given is the machine to which the mail will be delivered.
It <span class="emphasis"><em>must</em></span> have an associated address record
(A or AAAA) &#8212; CNAME is not sufficient.
</p>
<p>
For a given domain, if there is both a CNAME record and an
MX record, the MX record is in error, and will be ignored.
Instead,
the mail will be delivered to the server specified in the MX
record
pointed to by the CNAME.
</p>
<p>
For example:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
<col>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="literal">example.com.</code>
</p>
</td>
<td>
<p>
<code class="literal">IN</code>
</p>
</td>
<td>
<p>
<code class="literal">MX</code>
</p>
</td>
<td>
<p>
<code class="literal">10</code>
</p>
</td>
<td>
<p>
<code class="literal">mail.example.com.</code>
</p>
</td>
</tr>
<tr>
<td>
<p></p>
</td>
<td>
<p>
<code class="literal">IN</code>
</p>
</td>
<td>
<p>
<code class="literal">MX</code>
</p>
</td>
<td>
<p>
<code class="literal">10</code>
</p>
</td>
<td>
<p>
<code class="literal">mail2.example.com.</code>
</p>
</td>
</tr>
<tr>
<td>
<p></p>
</td>
<td>
<p>
<code class="literal">IN</code>
</p>
</td>
<td>
<p>
<code class="literal">MX</code>
</p>
</td>
<td>
<p>
<code class="literal">20</code>
</p>
</td>
<td>
<p>
<code class="literal">mail.backup.org.</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="literal">mail.example.com.</code>
</p>
</td>
<td>
<p>
<code class="literal">IN</code>
</p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">10.0.0.1</code>
</p>
</td>
<td>
<p></p>
</td>
</tr>
<tr>
<td>
<p>
<code class="literal">mail2.example.com.</code>
</p>
</td>
<td>
<p>
<code class="literal">IN</code>
</p>
</td>
<td>
<p>
<code class="literal">A</code>
</p>
</td>
<td>
<p>
<code class="literal">10.0.0.2</code>
</p>
</td>
<td>
<p></p>
</td>
</tr>
</tbody>
</table></div>
<p>
Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
<code class="literal">mail2.example.com</code> (in
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
be attempted.
</p>
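<p>
An added consistency check for the MX rules above, written for this page and not part of BIND. The record tuples, function names and the two faulty entries in the sample zone are constructed for illustration; targets outside the zone are skipped because their address records cannot be seen from this data.
</p>

```python
# Added illustration; record tuples and function names are hypothetical.
from collections import defaultdict

# Constructed sample: the page's example zone plus two deliberate mistakes.
ZONE = [
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "MX", "10 mail2.example.com."),
    ("example.com.", "MX", "20 mail.backup.org."),
    ("mail.example.com.", "A", "10.0.0.1"),
    ("mail2.example.com.", "A", "10.0.0.2"),
    ("lists.example.com.", "MX", "10 mx-alias.example.com."),  # target is a CNAME
    ("mx-alias.example.com.", "CNAME", "mail.example.com."),
    ("www.example.com.", "CNAME", "mail.example.com."),
    ("www.example.com.", "MX", "10 mail.example.com."),        # MX beside a CNAME
]


def in_zone(name, apex):
    """True if name is the zone apex or lies below it (label boundary kept)."""
    name, apex = name.lower(), apex.lower()
    return name == apex or name.endswith("." + apex)


def delivery_order(zone, domain):
    """Group the MX targets of a domain by preference, lowest number first.

    Targets sharing a preference form one group; the order inside a group is
    not significant (sorted here only to make the result reproducible).
    """
    groups = defaultdict(list)
    for owner, rrtype, rdata in zone:
        if rrtype == "MX" and owner.lower() == domain.lower():
            preference, target = rdata.split()
            groups[int(preference)].append(target.lower())
    return [sorted(groups[p]) for p in sorted(groups)]


def lint_mx(zone, apex):
    """Report MX records that break the rules stated in this section."""
    types_at = defaultdict(set)
    for owner, rrtype, _ in zone:
        types_at[owner.lower()].add(rrtype)

    findings = []
    for owner, rrtype, rdata in zone:
        if rrtype != "MX":
            continue
        owner = owner.lower()
        target = rdata.split()[1].lower()
        if "CNAME" in types_at[owner]:
            findings.append((owner, "MX coexists with CNAME and will be ignored"))
        if not in_zone(target, apex):
            continue  # out-of-zone target: cannot be verified from this data
        if "CNAME" in types_at[target]:
            findings.append((owner, "MX target %s is a CNAME" % target))
        elif not types_at[target] & {"A", "AAAA"}:
            findings.append((owner, "MX target %s has no A or AAAA record" % target))
    return findings


if __name__ == "__main__":
    print(delivery_order(ZONE, "example.com."))
    for owner, problem in lint_mx(ZONE, "example.com."):
        print(owner, problem)
```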
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
<p>
The time to live (TTL) field of an RR is a 32 bit integer represented
in units of seconds, and is primarily used by resolvers when they
cache RRs. The TTL describes how long an RR can be cached before it
should be discarded. The following three types of TTL are
currently
used in a zone file.
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
SOA
</p>
</td>
<td>
<p>
The last field in the SOA is the negative
caching TTL. This controls how long other servers will
cache no-such-domain
(NXDOMAIN) responses from you.
</p>
<p>
The maximum time for
negative caching is 3 hours (3h).
</p>
</td>
</tr>
<tr>
<td>
<p>
$TTL
</p>
</td>
<td>
<p>
The $TTL directive at the top of the
zone file (before the SOA) gives a default TTL for every
RR without
a specific TTL set.
</p>
</td>
</tr>
<tr>
<td>
<p>
RR TTLs
</p>
</td>
<td>
<p>
Each RR can have a TTL as the second
field in the RR, which will control how long other
servers can cache
it.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
All of these TTLs default to units of seconds, though units
can be explicitly specified, for example, <code class="literal">1h30m</code>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572244"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
and PTR records. Entries in the in-addr.arpa domain are made in
least-to-most significant order, read left to right. This is the
opposite order to the way IP addresses are usually written. Thus,
a machine with an IP address of 10.1.2.3 would have a
corresponding
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
whose data field is the name of the machine or, optionally,
multiple
PTR records if the machine has more than one name. For example,
in the [<span class="optional">example.com</span>] domain:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="literal">$ORIGIN</code>
</p>
</td>
<td>
<p>
<code class="literal">2.1.10.in-addr.arpa</code>
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="literal">3</code>
</p>
</td>
<td>
<p>
<code class="literal">IN PTR foo.example.com.</code>
</p>
</td>
</tr>
</tbody>
</table></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
are for providing context to the examples only; they do not
necessarily
appear in actual usage. They are only used here to indicate
that the example is relative to the listed origin.
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572371"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
itself
is class independent, all records in a Master File must be of the
same
class.
</p>
<p>
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
and <span><strong class="command">$TTL</strong></span>.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572393"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$ORIGIN</strong></span>
<em class="replaceable"><code>domain-name</code></em>
[<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
</p>
<p><span><strong class="command">$ORIGIN</strong></span>
sets the domain name that will be appended to any
unqualified records. When a zone is first read in there
is an implicit <span><strong class="command">$ORIGIN</strong></span>
&lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
The current <span><strong class="command">$ORIGIN</strong></span> is appended to
the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
argument if it is not absolute.
</p>
<pre class="programlisting">
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
</pre>
<p>
is equivalent to
</p>
<pre class="programlisting">
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572590"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$INCLUDE</strong></span>
<em class="replaceable"><code>filename</code></em>
[<span class="optional">
<em class="replaceable"><code>origin</code></em> </span>]
[<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
</p>
<p>
Read and process the file <code class="filename">filename</code> as
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
used.
</p>
<p>
The origin and the current domain name
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
the file has been read.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
RFC 1035 specifies that the current origin should be restored
after
an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
on whether the current
domain name should also be restored. BIND 9 restores both of
them.
This could be construed as a deviation from RFC 1035, a
feature, or both.
</p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2572660"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<p>
Syntax: <span><strong class="command">$TTL</strong></span>
<em class="replaceable"><code>default-ttl</code></em>
[<span class="optional">
<em class="replaceable"><code>comment</code></em> </span>]
</p>
<p>
Set the default Time To Live (TTL) for subsequent records
with undefined TTLs. Valid TTLs are of the range 0-2147483647
seconds.
</p>
<p><span><strong class="command">$TTL</strong></span>
is defined in RFC 2308.
</p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572696"></a><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
<p>
Syntax: <span><strong class="command">$GENERATE</strong></span>
<em class="replaceable"><code>range</code></em>
<em class="replaceable"><code>lhs</code></em>
[<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
[<span class="optional"><em class="replaceable"><code>class</code></em></span>]
<em class="replaceable"><code>type</code></em>
<em class="replaceable"><code>rhs</code></em>
[<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
</p>
<p><span><strong class="command">$GENERATE</strong></span>
is used to create a series of resource records that only
differ from each other by an
iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
easily generate the sets of records required to support
sub /24 reverse delegations described in RFC 2317:
Classless IN-ADDR.ARPA delegation.
</p>
<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</pre>
<p>
is equivalent to
</p>
<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
</pre>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p><span><strong class="command">range</strong></span></p>
</td>
<td>
<p>
This can be one of two forms: start-stop
or start-stop/step. If the first form is used then step
is set to
1. All of start, stop and step must be positive.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">lhs</strong></span></p>
</td>
<td>
<p><span><strong class="command">lhs</strong></span>
describes the owner name of the resource records
to be created. Any single <span><strong class="command">$</strong></span>
symbols within the <span><strong class="command">lhs</strong></span> side
are replaced by the iterator value.
To get a $ in the output you need to escape the
<span><strong class="command">$</strong></span> using a backslash
<span><strong class="command">\</strong></span>,
e.g. <span><strong class="command">\$</strong></span>. The
<span><strong class="command">$</strong></span> may optionally be followed
by modifiers which change the offset from the
iterator, field width and base.
Modifiers are introduced by a
<span><strong class="command">{</strong></span> immediately following the
<span><strong class="command">$</strong></span> as
<span><strong class="command">${offset[,width[,base]]}</strong></span>.
For example, <span><strong class="command">${-20,3,d}</strong></span>
subtracts 20 from the current value and prints the
result as a decimal in a zero padded field of
width 3.
Available output forms are decimal
(<span><strong class="command">d</strong></span>), octal
(<span><strong class="command">o</strong></span>) and hexadecimal
(<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
for uppercase). The default modifier is
<span><strong class="command">${0,0,d}</strong></span>. If the
<span><strong class="command">lhs</strong></span> is not absolute, the
current <span><strong class="command">$ORIGIN</strong></span> is appended
to the name.
</p>
<p>
For compatibility with earlier versions <span><strong class="command">$$</strong></span> is still
recognized as indicating a literal $ in the output.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">ttl</strong></span></p>
</td>
<td>
<p>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
normal ttl inheritance rules.
</p>
<p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
entered in either order.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">class</strong></span></p>
</td>
<td>
<p>
Specifies the class of the generated records.
This must match the zone class if it is
specified.
</p>
<p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
entered in either order.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">type</strong></span></p>
</td>
<td>
<p>
At present the only supported types are
PTR, CNAME, DNAME, A, AAAA and NS.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">rhs</strong></span></p>
</td>
<td>
<p>
A domain name. It is processed
similarly to lhs.
</p>
</td>
</tr>
</tbody>
</table></div>
<p>
The <span><strong class="command">$GENERATE</strong></span> directive is a <span class="acronym">BIND</span> extension
and not part of the standard zone file format.
</p>
<p>
BIND 8 does not support the optional TTL and CLASS fields.
</p>
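<p>
An added Python sketch of the expansion described above, not BIND's implementation. Function names are hypothetical; it assumes the origin is appended to <span><strong class="command">rhs</strong></span> only for name-valued types, and it rejects a negative value after applying an offset.
</p>

```python
# Added illustration of $GENERATE expansion; not BIND source code.
import re

SUPPORTED_TYPES = {"PTR", "CNAME", "DNAME", "A", "AAAA", "NS"}
NAME_RDATA_TYPES = {"PTR", "CNAME", "DNAME", "NS"}  # rhs is a domain name
CLASSES = {"IN", "CH", "HS"}
RANGE_RE = re.compile(r"^(\d+)-(\d+)(?:/(\d+))?$")
# Order matters: escapes first, then ${offset[,width[,base]]}, then a bare $.
TOKEN_RE = re.compile(r"\\\$|\$\$|\$\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\}|\$")


def parse_range(text):
    """Parse start-stop or start-stop/step; step defaults to 1."""
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError("bad range: %r" % text)  # digits only, so no signs
    step = int(m.group(3) or 1)
    if step == 0:
        raise ValueError("step must be positive: %r" % text)
    return int(m.group(1)), int(m.group(2)), step


def expand(template, value):
    """Substitute the iterator into lhs or rhs, honouring modifiers."""
    def substitute(m):
        if m.group(0) in ("\\$", "$$"):
            return "$"  # escaped or legacy doubled dollar sign
        number = value + int(m.group(1) or 0)
        if number < 0:
            # Choice made for this sketch, not documented behaviour.
            raise ValueError("offset makes iterator negative: %d" % number)
        digits = format(number, m.group(3) or "d")
        return digits.rjust(int(m.group(2) or 0), "0")
    return TOKEN_RE.sub(substitute, template)


def qualify(name, origin):
    """Append the current $ORIGIN unless the name is already absolute."""
    return name if name.endswith(".") else name + "." + origin


def generate(line, origin):
    """Expand one $GENERATE line into (owner, ttl, class, type, rdata) tuples."""
    tokens = line.split(";", 1)[0].split()  # drop trailing comment
    if len(tokens) < 5 or tokens[0].upper() != "$GENERATE":
        raise ValueError("not a $GENERATE line: %r" % line)
    start, stop, step = parse_range(tokens[1])
    lhs, rest = tokens[2], tokens[3:]

    ttl = rrclass = None
    while len(rest) > 2:  # optional ttl and class, in either order
        token = rest.pop(0)
        if token.upper() in CLASSES:
            rrclass = token.upper()
        elif token[0].isdigit():
            ttl = token
        else:
            raise ValueError("unexpected field: %r" % token)

    rrtype, rhs = rest[0].upper(), rest[1]
    if rrtype not in SUPPORTED_TYPES:
        raise ValueError("type not supported by $GENERATE: %s" % rrtype)

    records = []
    for i in range(start, stop + 1, step):
        rdata = expand(rhs, i)
        if rrtype in NAME_RDATA_TYPES:
            rdata = qualify(rdata, origin)
        records.append((qualify(expand(lhs, i), origin), ttl, rrclass, rrtype, rdata))
    return records


if __name__ == "__main__":
    origin = "0.0.192.IN-ADDR.ARPA."
    for rr in generate("$GENERATE 1-2 0 NS SERVER$.EXAMPLE.", origin):
        print(rr)
    print(generate("$GENERATE 1-127 $ CNAME $.0", origin)[-1])
```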
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
<p>
In addition to the standard textual format, BIND 9
supports the ability to read or dump to zone files in
other formats. The <code class="constant">raw</code> format is
currently available as an additional format. It is a
binary format representing BIND 9's internal data
structure directly, thereby remarkably improving the
loading time.
</p>
<p>
For a primary server, a zone file in the
<code class="constant">raw</code> format is expected to be
generated from a textual zone file by the
<span><strong class="command">named-compilezone</strong></span> command. For a
secondary server or for a dynamic zone, it is automatically
generated (if this format is specified by the
<span><strong class="command">masterfile-format</strong></span> option) when
<span><strong class="command">named</strong></span> dumps the zone contents after
zone transfer or when applying prior updates.
</p>
<p>
If a zone file in a binary format needs manual modification,
it first must be converted to a textual form by the
<span><strong class="command">named-compilezone</strong></span> command. All
necessary modification should go to the text file, which
should then be converted to the binary form by the
<span><strong class="command">named-compilezone</strong></span> command again.
</p>
<p>
Although the <code class="constant">raw</code> format uses the
network byte order and avoids architecture-dependent
data alignment so that it is as portable as
possible, it is primarily expected to be used inside
the same single system. In order to export a zone
file in the <code class="constant">raw</code> format or make a
portable backup of the file, it is recommended to
convert the file to the standard textual representation.
</p>
</div>
</div>
</div>
</body>
</html>