Bv9ARM.ch06.html revision 81199ce5ba7bd719add38189b06987e0a6e583a1
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573300">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574165"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574423"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574891"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574915"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575009"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575144"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577350"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577447"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577611"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577660"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577682"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593078"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593580"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593634"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594001"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596017"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2599724">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602642">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603325">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603589">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2603794"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl>
<p>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.
</p>
<p>
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
</p>
<p>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
</p>
<p>
<code class="varname">address_match_list</code>
</p>
<p>
A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
</p>
<p>
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
</p>
<p>
A <code class="varname">masters_list</code> may include other
</p>
<p>
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
</p>
<p>
A list of one or more <code class="varname">domain_name</code>
</p>
<p>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
</p>
<p>
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
</p>
<p>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
</p>
<p>
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
</p>
<p>
A <code class="varname">number</code> between 0 and 63, used
to select a differentiated services code point (DSCP)
value for use with outgoing traffic on operating systems
that support DSCP.
</p>
<p>
An IP port <code class="varname">number</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
</p>
<p>
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
</p>
<p>
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
</p>
<p>
Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
<p>
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
</p>
<p>
A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction
</p>
<p>
A list of one or more
separated by semicolons and ending with a semicolon.
</p>
<p>
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
</p>
<p>
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
</p>
<p>
A list of an <code class="varname">ip_port</code> or a port
</p>
<p>
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_high</code>, inclusive.
<code class="varname">port_low</code> must not be larger than
</p>
<p>
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.
</p>
<p>
A 64-bit unsigned integer, or the keywords
<strong class="userinput"><code>unlimited</code></strong> or
<strong class="userinput"><code>default</code></strong>.
</p>
<p>
Integers may take values
0 &lt;= value &lt;= 18446744073709551615, though
certain parameters
(such as <span><strong class="command">max-journal-size</strong></span>) may
use a more limited range within these extremes.
In most cases, setting a value to 0 does not
literally mean zero; it means "undefined" or
"as big as possible", depending on the context.
See the explanations of particular parameters
that use <code class="varname">size_spec</code>
for details on how they interpret its use.
</p>
<p>
Numeric values can optionally be followed by a
scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
</p>
<p>
<code class="varname">unlimited</code> generally means
"as big as possible", and is usually the best
way to safely set a very large number.
</p>
<p>
uses the limit that was in force when the server was started.
</p>
<p>
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
</p>
<p>
<code class="varname">dialup_option</code>
</p>
<p>
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573131"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573159"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
</p>
<ul>
<li>a key ID, as defined by the <span><strong class="command">key</strong></span></li>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement</li>
<li>a nested address match list enclosed in braces</li>
</ul>
<p>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.
</p>
<p>
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.
</p>
<p>
When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.
</p>
<p>
The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>,
<span><strong class="command">blackhole</strong></span>, and
<span><strong class="command">keep-response-order</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
</p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Order of insertion is significant. If more than one element
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in an ACL is found to match a given IP address or prefix,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington preference will be given to the one that came
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="emphasis"><em>first</em></span> in the ACL definition.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Because of this first-match behavior, an element that
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington defines a subset of another element in the list should
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington come before the broader element, regardless of whether
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington either is negated. For example, in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews the 1.2.3.13 element is completely useless because the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington that problem by having 1.2.3.13 blocked by the negation, but
409ba95e573b40cf36acf97dd62ee7e9c7775851Tinderbox User all other 1.2.3.* hosts fall through.
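The ordering rule above can be checked mechanically. The following is an added example, not code from BIND or from this manual: it evaluates an IP-only address match list with the documented access-control outcome (first matching element wins, negated match denies, no match denies) and reports elements that can never be reached because an earlier, broader element covers them. The function names are hypothetical, `key` elements and named ACLs are not handled, and a linear scan stands in for BIND's own lookup structure.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Element(NamedTuple):
    text: str        # element as written, e.g. "! 1.2.3.13"
    negated: bool    # True when the element starts with "!"
    network: object  # ipaddress.IPv4Network or IPv6Network


def parse_acl(acl: str) -> List[Element]:
    """Split an address match list into elements, keeping definition order."""
    elements = []
    for raw in acl.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        addr, slash, plen = body.partition("/")
        # The manual writes prefixes in short form (1.2.3/24); pad the
        # missing IPv4 octets so the standard library can parse them.
        if slash and ":" not in addr:
            octets = addr.split(".")
            addr = ".".join(octets + ["0"] * (4 - len(octets)))
        network = ipaddress.ip_network(addr + slash + plen)
        elements.append(Element(raw, negated, network))
    return elements


def evaluate(acl: str, address: str) -> Tuple[str, Optional[str]]:
    """Return (decision, matching element) for use as an access control list."""
    ip = ipaddress.ip_address(address)
    for element in parse_acl(acl):
        same_family = ip.version == element.network.version
        if same_family and ip in element.network:
            # First match wins: later elements are never consulted.
            return ("deny" if element.negated else "allow", element.text)
    return ("deny", None)  # no match at all means access is denied


def shadowed(acl: str) -> List[Tuple[str, str]]:
    """List (unreachable element, earlier element that covers it) pairs."""
    findings = []
    elements = parse_acl(acl)
    for i, later in enumerate(elements):
        for earlier in elements[:i]:
            same_family = later.network.version == earlier.network.version
            if same_family and later.network.subnet_of(earlier.network):
                findings.append((later.text, earlier.text))
                break
    return findings


if __name__ == "__main__":
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        print(acl, evaluate(acl, "1.2.3.13"), shadowed(acl))
```

Running `shadowed()` over every ACL in a configuration before deployment catches a negation that was meant to block a host but sits behind the prefix that allows it.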
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2573300"></a>Comment Syntax</h3></div></div></div>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews comments to appear
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews file. To appeal to programmers of all kinds, they can be written
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h4 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2573383"></a>Syntax</h4></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews# and perl</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
56effd2e3f579fd77b1fb37d47871d1bf1286bc4Automatic Updater<a name="id2573413"></a>Definition and Usage</h4></div></div></div>
0e91f17da8a29086876a88962e0a3482094b6057Evan Hunt Comments may appear anywhere that whitespace may appear in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews a <acronym class="acronym">BIND</acronym> configuration file.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews C-style comments start with the two characters /* (slash,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews star) and end with */ (star, slash). Because they are completely
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews delimited with these characters, they can be used to comment only
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews a portion of a line or to span multiple lines.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews C-style comments cannot be nested. For example, the following
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews is not valid because the entire comment ends with the first */:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">/* This is the start of a comment.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is still part of the comment.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews/* This is an incorrect attempt at nesting a comment. */
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This is no longer in any comment. */</pre>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews C++-style comments start with the two characters // (slash,
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews slash) and continue to the end of the physical line. They cannot
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews be continued across multiple physical lines; to have one logical
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews comment span multiple lines, each line must use the // pair.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<pre class="programlisting">// This is the start of a comment. The next line
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// is a new comment, even though it is logically
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington// part of the previous comment.</pre>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Shell-style (or perl-style, if you prefer) comments start
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews with the character <code class="literal">#</code> (number sign)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and continue to the end of the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews physical line, as in C++ comments.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews For example:
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User<pre class="programlisting"># This is the start of a comment. The next line
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User# is a new comment, even though it is logically
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews# part of the previous comment.</pre>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews You cannot use the semicolon (`;') character
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to start a comment such as you would in a zone file. The
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User semicolon indicates the end of a configuration
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
1fdd58445074579ee3b65c871137a7a1740eb542Mark Andrews A <acronym class="acronym">BIND</acronym> 9 configuration consists of
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User statements and comments.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User Statements end with a semicolon. Statements and comments are the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User only elements that can appear without enclosing braces. Many
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User statements contain a block of sub-statements, which are also
cc5a9ce75af9870f2cb9e2bf00548c2f7e6398d6Automatic Updater terminated with a semicolon.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews The following statements are supported:
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews <p><span><strong class="command">acl</strong></span></p>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews defines a named IP address
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews matching list, for access control and other uses.
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User <p><span><strong class="command">controls</strong></span></p>
e8c17c74535be290abaaa160a434ed80bf0ad2feMark Andrews declares control channels to be used
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User by the <span><strong class="command">rndc</strong></span> utility.
93089a352d6903b0d7845a039de4ec2df9a0e35aTinderbox User <p><span><strong class="command">include</strong></span></p>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater includes a file.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <p><span><strong class="command">key</strong></span></p>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater specifies key information for use in
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater authentication and authorization using TSIG.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <p><span><strong class="command">logging</strong></span></p>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater specifies what the server logs, and where
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater the log messages are sent.
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <p><span><strong class="command">lwres</strong></span></p>
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater configures <span><strong class="command">named</strong></span> to
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User <p><span><strong class="command">masters</strong></span></p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User defines a named masters list for
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User inclusion in stub and slave zones'
fe84edc17e0d582cf7b4270f8df9d4742a107b1cAutomatic Updater <span><strong class="command">masters</strong></span> or
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span><strong class="command">also-notify</strong></span> lists.
bf8c3776f1bf1a1270e5e0443ae5a8df022632a8Mark Andrews <p><span><strong class="command">options</strong></span></p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater controls global server configuration
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater options and sets defaults for other statements.
ec8755f605d7dcb2de1076040e77bc2d7ec33b4aTinderbox User <p><span><strong class="command">server</strong></span></p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater sets certain configuration options on
3040b455151b1e1173193933664b2891b6159f24Mark Andrews a per-server basis.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater <p><span><strong class="command">statistics-channels</strong></span></p>
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater declares communication channels to get access to
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater <span><strong class="command">named</strong></span> statistics.
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater <p><span><strong class="command">trusted-keys</strong></span></p>
a308b69ac66fadf66863484f301314d6e6a3f1d2Automatic Updater defines trusted DNSSEC keys.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <p><span><strong class="command">managed-keys</strong></span></p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington lists DNSSEC keys to be kept up to date
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington using RFC 5011 trust anchor maintenance.
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User <p><span><strong class="command">view</strong></span></p>
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User defines a view.
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews <p><span><strong class="command">zone</strong></span></p>
789875a1bd6d50c00d3bd883cad17ead1d3c21cdMark Andrews defines a zone.
7e8129652903780873ba91f379f9ffca1f59773cMark Andrews The <span><strong class="command">logging</strong></span> and
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span><strong class="command">options</strong></span> statements may only occur once per
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews configuration.
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<div class="titlepage"><div><div><h3 class="title">
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<a name="id2574165"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt address_match_list
};</pre>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<div class="titlepage"><div><div><h3 class="title">
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt The <span><strong class="command">acl</strong></span> statement assigns a symbolic
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt name to an address match list. It gets its name from a primary
b123be91958e0bc58a10c165be64d47661199e3bEvan Hunt use of address match lists: Access Control Lists (ACLs).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The following ACLs are built-in:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="informaltable"><table border="1">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">any</strong></span></p>
e20309353e6246485c521278131d3fced73d7957Tinderbox User Matches all hosts.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <p><span><strong class="command">none</strong></span></p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User Matches no hosts.
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews <p><span><strong class="command">localhost</strong></span></p>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews Matches the IPv4 and IPv6 addresses of all network
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews interfaces on the system. When addresses are
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews added or removed, the <span><strong class="command">localhost</strong></span>
b30ec46fec40a1b246f7965fbcd341fc6cfd1cc1Mark Andrews ACL element is updated to reflect the changes.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <p><span><strong class="command">localnets</strong></span></p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User Matches any host on an IPv4 or IPv6 network
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User for which the system has an interface.
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User When addresses are added or removed,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User the <span><strong class="command">localnets</strong></span>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User ACL element is updated to reflect the changes.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Some systems do not provide a way to determine the prefix lengths of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater local IPv6 addresses.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater In such a case, <span><strong class="command">localnets</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater only matches the local
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<a name="id2574423"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
88d58d79c5bc7ce3c20a42461a5070116c736836Automatic Updater<pre class="programlisting"><span><strong class="command">controls</strong></span> {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [ inet ( ip_addr | * ) [ port ip_port ]
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater allow { <em class="replaceable"><code> address_match_list </code></em> }
3040b455151b1e1173193933664b2891b6159f24Mark Andrews keys { <em class="replaceable"><code>key_list</code></em> }; ]
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater keys { <em class="replaceable"><code>key_list</code></em> }; ]
};</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater The <span><strong class="command">controls</strong></span> statement declares control
9fa39c73fc1d8bc44fdbbb79a1d26b837e7dd555Mark Andrews channels to be used by system administrators to control the
7f814b8b164ae04916a8487cdc5e88ee3ff51a58Automatic Updater operation of the name server. These control channels are
3040b455151b1e1173193933664b2891b6159f24Mark Andrews used by the <span><strong class="command">rndc</strong></span> utility to send
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt commands to and retrieve non-DNS results from a name server.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews An <span><strong class="command">inet</strong></span> control channel is a TCP socket
1959fd489a8832e4e3d311670f64ae18e5d08156Automatic Updater listening at the specified <span><strong class="command">ip_port</strong></span> on the
1959fd489a8832e4e3d311670f64ae18e5d08156Automatic Updater specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
1959fd489a8832e4e3d311670f64ae18e5d08156Automatic Updater address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
3040b455151b1e1173193933664b2891b6159f24Mark Andrews interpreted as the IPv4 wildcard address; connections will be
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User accepted on any of the system's IPv4 addresses.
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt To listen on the IPv6 wildcard address,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If you will only use <span><strong class="command">rndc</strong></span> on the local host,
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User using the loopback address (<code class="literal">127.0.0.1</code>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User or <code class="literal">::1</code>) is recommended for maximum security.
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews If no port is specified, port 953 is used. The asterisk
8bc194b266a17f89e6c54469d4dfbb408070f39eMark Andrews "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
560d6da48f066000541dd43f5d407644dee12bebTinderbox User The ability to issue commands over the control channel is
7addb3e8b5cf6e0c4df0e3cb8135aa71269f0261Tinderbox User restricted by the <span><strong class="command">allow</strong></span> and
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <span><strong class="command">keys</strong></span> clauses.
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater Connections to the control channel are permitted based on the
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User <span><strong class="command">address_match_list</strong></span>. This is for simple
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater IP address based filtering only; any <span><strong class="command">key_id</strong></span>
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User elements of the <span><strong class="command">address_match_list</strong></span>
90b25b84f037ec923efaee84d2c0dc599293d04eTinderbox User A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews socket listening at the specified path in the file system.
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews Note that on some platforms (SunOS and Solaris), the permissions
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews (<span><strong class="command">perm</strong></span>) are applied to the parent directory
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews as the permissions on the socket itself are ignored.
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews The primary authorization mechanism of the command
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User channel is the <span><strong class="command">key_list</strong></span>, which
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont contains a list of <span><strong class="command">key_id</strong></span>s.
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont is authorized to execute commands over the control channel.
4dca64bb8991502db368028aeeba2f832d3b971dAutomatic Updater See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
e5bf83fe0bbca838a0749e9071bd76d9ee0fb59bFrancis Dupont for information about configuring keys in <span><strong class="command">rndc</strong></span>.
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater If no <span><strong class="command">controls</strong></span> statement is present,
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater <span><strong class="command">named</strong></span> will set up a default
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater control channel listening on the loopback address 127.0.0.1
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater and its IPv6 counterpart ::1.
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater In this case, and also when the <span><strong class="command">controls</strong></span> statement
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater is present but does not have a <span><strong class="command">keys</strong></span> clause,
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User <span><strong class="command">named</strong></span> will attempt to load the command channel key
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User from the file <code class="filename">rndc.key</code> in
7169f76a893666eb20fc7750782e7f411db742d6Tinderbox User <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater was specified as when <acronym class="acronym">BIND</acronym> was built).
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater To create a <code class="filename">rndc.key</code> file, run
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater <strong class="userinput"><code>rndc-confgen -a</code></strong>.
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User The <code class="filename">rndc.key</code> feature was created to
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
ead8aa3182c5805fccb6c7c1636cede6a24a5fc1Automatic Updater which did not have digital signatures on its command channel
3040b455151b1e1173193933664b2891b6159f24Mark Andrews messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews and still have <span><strong class="command">rndc</strong></span> work the same way
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
e20309353e6246485c521278131d3fced73d7957Tinderbox User Since the <code class="filename">rndc.key</code> feature
3040b455151b1e1173193933664b2891b6159f24Mark Andrews is only intended to allow the backward-compatible usage of
44e3b272904bfd85556771d30cf1bc6fa539dd03Automatic Updater <acronym class="acronym">BIND</acronym> 8 configuration files, this
665ba746c0585088d0c314dcfc4671aa2c7b2dc1Automatic Updater feature does not
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater have a high degree of configurability. You cannot easily change
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater the key name or the size of the secret, so you should make a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">rndc.conf</code> with your own key if you
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater wish to change
50fa300826799727204b93cbe63bebc341c5eadeTinderbox User those things. The <code class="filename">rndc.key</code> file also has its
da82e232161d67b77df2d67898bdac693f647be1Automatic Updater permissions set such that only the owner of the file (the user that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">named</strong></span> is running as) can access it.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews If you desire greater flexibility in allowing other users to access
e171a4137c6ba348957e61b7c4c3541493c0da02Automatic Updater <span><strong class="command">rndc</strong></span> commands, then you need to create a
c53a6f37deaa396660adb6a4ca600c4a58adfd3fAutomatic Updater <code class="filename">rndc.conf</code> file and make it group
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater readable by a group
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that contains the users who should have access.
b3386fba31414344f38f0c30849c056dceb22dceTinderbox User To disable the command channel, use an empty
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <span><strong class="command">controls</strong></span> statement:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">controls { };</strong></span>.
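The exposure rules described in this section (wildcard versus loopback binding, the default port, the `allow` list, and the fallback to `rndc.key` when no `keys` clause is given) can be audited before a configuration is loaded. The following is an added example, not part of BIND or of this manual: the function names and finding labels are hypothetical, the sample configuration and its key name are constructed, only `inet` channels are examined, and the input is assumed to have comments removed and flat (non-nested) `allow` lists.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# One controls statement; the body may hold flat { ... } groups.
CONTROLS_RE = re.compile(r"\bcontrols\s*\{(?P<body>(?:[^{}]|\{[^{}]*\})*)\}\s*;")
# inet ( ip_addr | * ) [ port ip_port ] allow { ... } [ keys { ... } ];
INET_RE = re.compile(
    r"\binet\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^{}]*)\}"
    r"(?:\s*keys\s*\{(?P<keys>[^{}]*)\})?"
    r"\s*;"
)
DEFAULT_PORT = 953  # used when no port is specified

# Constructed sample input, not taken from any real server.
SAMPLE_CONF = """
controls {
    inet * port 9530 allow { any; } keys { "rndc-key"; };
    inet 127.0.0.1 allow { localhost; };
};
"""


class Channel(NamedTuple):
    addr: str
    port: int
    findings: List[str]


def bind_scope(addr: str) -> Optional[str]:
    """Classify the listening address of an inet control channel."""
    if addr == "*":                      # IPv4 wildcard
        return "wildcard-bind"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                # "::" is the IPv6 wildcard
        return "wildcard-bind"
    if not ip.is_loopback:               # loopback is the recommended choice
        return "non-loopback-bind"
    return None


def audit_controls(conf: str) -> List[Channel]:
    """Return the inet control channels a configuration results in."""
    statement = CONTROLS_RE.search(conf)
    if statement is None:
        # No controls statement: default channel on both loopback
        # addresses, with the key loaded from rndc.key.
        return [Channel(a, DEFAULT_PORT, ["rndc-key-fallback"])
                for a in ("127.0.0.1", "::1")]
    channels = []
    for m in INET_RE.finditer(statement.group("body")):
        findings = []
        scope = bind_scope(m.group("addr"))
        if scope:
            findings.append(scope)
        allowed = [e.strip() for e in m.group("allow").split(";") if e.strip()]
        if "any" in allowed:             # built-in ACL matching all hosts
            findings.append("allow-any")
        if m.group("keys") is None:      # named falls back to rndc.key
            findings.append("rndc-key-fallback")
        port = int(m.group("port") or DEFAULT_PORT)
        channels.append(Channel(m.group("addr"), port, findings))
    return channels                      # empty list: controls { }; disables it


if __name__ == "__main__":
    for channel in audit_controls(SAMPLE_CONF):
        print(channel)
```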
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater<div class="titlepage"><div><div><h3 class="title">
af9cf290cea6ada6ce27b51c724ab77ad5d73fa0Tinderbox User<a name="id2574782"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<div class="titlepage"><div><div><h3 class="title">
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<a name="id2574800"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater The <span><strong class="command">include</strong></span> statement inserts the
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater specified file at the point where the <span><strong class="command">include</strong></span>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater statement is encountered. The <span><strong class="command">include</strong></span>
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater statement facilitates the administration of configuration files
4104e236f71eb5108fcfda6711878a97f6f4a8e7Automatic Updater by permitting the reading or writing of some things but not
4104e236f71eb5108fcfda6711878a97f6f4a8e7Automatic Updater others. For example, the statement could include private keys
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater that are readable only by the name server.
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews<div class="titlepage"><div><div><h3 class="title">
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews<a name="id2574891"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
3040b455151b1e1173193933664b2891b6159f24Mark Andrews algorithm <em class="replaceable"><code>algorithm_id</code></em>;
8e9f3b69914ee02a80b87c97b1f8093edb3e9ae0Automatic Updater secret <em class="replaceable"><code>secret_string</code></em>;
};</pre>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<div class="titlepage"><div><div><h3 class="title">
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<a name="id2574915"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
50fa300826799727204b93cbe63bebc341c5eadeTinderbox User The <span><strong class="command">key</strong></span> statement defines a shared
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater or the command channel
e20309353e6246485c521278131d3fced73d7957Tinderbox User (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
e20309353e6246485c521278131d3fced73d7957Tinderbox User Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
e20309353e6246485c521278131d3fced73d7957Tinderbox User Usage”</a>).
f8a9a38ee40c139a8d145ac76ecbff3a0f986453Mark Andrews The <span><strong class="command">key</strong></span> statement can occur at the top level
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews of the configuration file or inside a <span><strong class="command">view</strong></span>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews statement. Keys defined in top-level <span><strong class="command">key</strong></span>
9d80d23172c30fd63e5046a7e69b8445e564ff31Automatic Updater statements can be used in all views. Keys intended for use in
1f4c645185bd8fc70048e0a69eee46193a284e5cTinderbox User a <span><strong class="command">controls</strong></span> statement
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and Usage”</a>)
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews must be defined at the top level.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews The <em class="replaceable"><code>key_id</code></em>, also known as the
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews key name, is a domain name uniquely identifying the key. It can
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews be used in a <span><strong class="command">server</strong></span>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews statement to cause requests sent to that
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews server to be signed with this key, or in address match lists to
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews verify that incoming requests have been signed with a key
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews matching this name, algorithm, and secret.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews The <em class="replaceable"><code>algorithm_id</code></em> is a string
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews that specifies a security/authentication algorithm. The
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span><strong class="command">named</strong></span> server supports <code class="literal">hmac-md5</code>,
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User and <code class="literal">hmac-sha512</code> TSIG authentication.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Truncated hashes are supported by appending the minimum
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User number of required bits preceded by a dash, e.g.
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User <code class="literal">hmac-sha1-80</code>. The
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <em class="replaceable"><code>secret_string</code></em> is the secret
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User to be used by the algorithm, and is treated as a base-64
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User encoded string.
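The constraints this section places on a key statement (a supported algorithm_id, an optional truncation suffix such as hmac-sha1-80, and a base-64 secret_string) can be checked before a configuration is deployed. The following Python is an added example, not code from BIND or from this manual; the function names, the sample statements, and the two lower bounds it applies (the RFC 4635 truncation floor and a secret at least as long as the digest, per RFC 2104 guidance) are assumptions of the example.

```python
import base64
import binascii
import re

# Algorithms this section lists as supported, with their HMAC output size in bits.
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}

# Matches the documented form: key key_id { algorithm ...; secret "..."; };
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^\s"{]+)"?\s*\{\s*'
    r'algorithm\s+"?(?P<alg>[A-Za-z0-9-]+)"?\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*'
    r'\}\s*;'
)


def split_algorithm(algorithm_id):
    """Return (base_algorithm, truncation_bits or None) for an algorithm_id."""
    alg = algorithm_id.lower()
    if alg in DIGEST_BITS:
        return alg, None
    base, sep, bits = alg.rpartition("-")
    if sep and base in DIGEST_BITS and bits.isdigit():
        return base, int(bits)
    raise ValueError(f"unsupported algorithm_id: {algorithm_id!r}")


def audit_key(statement):
    """Return a list of findings for one key statement; empty means no findings."""
    m = KEY_RE.search(statement)
    if not m:
        return ["not a key statement in the documented form"]
    try:
        base, bits = split_algorithm(m["alg"])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    digest = DIGEST_BITS[base]
    if bits is not None:
        # RFC 4635 floor: the larger of 80 bits and half the digest length.
        floor = max(80, digest // 2)
        if bits > digest:
            findings.append(f"truncation to {bits} bits exceeds the {digest}-bit digest")
        elif bits < floor:
            findings.append(f"truncation to {bits} bits is below the RFC 4635 floor of {floor} bits")
    try:
        secret = base64.b64decode(m["secret"], validate=True)
    except binascii.Error:
        findings.append("secret_string is not valid base-64")
    else:
        # Example policy (assumption): the decoded secret should not be
        # shorter than the digest output of the chosen algorithm.
        if len(secret) * 8 < digest:
            findings.append(f"secret is {len(secret) * 8} bits, shorter than the {digest}-bit digest")
    return findings


def sample_secret(n_bytes):
    """Constructed, non-secret test value: base-64 of the bytes 0..n-1."""
    return base64.b64encode(bytes(range(n_bytes))).decode()


def sample_key(algorithm_id, secret):
    """Build a constructed key statement; the key name is a placeholder."""
    return f'key "xfer.example." {{\n algorithm {algorithm_id};\n secret "{secret}";\n}};'


# Constructed sample statements, not taken from any real configuration.
SAMPLES = {
    "ok": sample_key("hmac-sha256", sample_secret(32)),
    "truncated_ok": sample_key("hmac-sha1-80", sample_secret(20)),
    "truncated_low": sample_key("hmac-sha256-64", sample_secret(32)),
    "bad_secret": sample_key("hmac-sha512", "not base64!"),
    "unknown_alg": sample_key("hmac-sha3", sample_secret(32)),
    "short_secret": sample_key("hmac-sha512", sample_secret(16)),
}

if __name__ == "__main__":
    for label, stmt in SAMPLES.items():
        print(label, audit_key(stmt))
```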
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User<div class="titlepage"><div><div><h3 class="title">
61932ed91732417e05c8c6fd335acf1be896c778Mark Andrews<a name="id2575009"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<pre class="programlisting"><span><strong class="command">logging</strong></span> {
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews | <span><strong class="command">stderr</strong></span>
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User | <span><strong class="command">null</strong></span> );
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
e80c7005e3d59dfeb04dad186d36f3c15622954cTinderbox User [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews [ <span><strong class="command">buffered</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
 }; ]
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
 }; ]
 ...
}
</pre>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews<div class="titlepage"><div><div><h3 class="title">
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews<a name="id2575144"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews The <span><strong class="command">logging</strong></span> statement configures a
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews associates output methods, format options and severity levels with
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews a name that can then be used with the <span><strong class="command">category</strong></span> phrase
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews to select how various classes of messages are logged.
48dfee71508886d86fe8fb12f91961b5daf3141dMark Andrews Only one <span><strong class="command">logging</strong></span> statement is used to
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User define as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User the logging configuration will be:
<pre class="programlisting">logging {
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater category default { default_syslog; default_debug; };
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater category unmatched { null; };
};
</pre>
8c9c79e5fea0cb698026a74821695907c8312a46Mark Andrews If <span><strong class="command">named</strong></span> is started with the
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User <code class="option">-L</code> option, it logs to the specified file
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User at startup, instead of using syslog. In this case the logging
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User configuration will be:
<pre class="programlisting">logging {
3040b455151b1e1173193933664b2891b6159f24Mark Andrews category default { default_logfile; default_debug; };
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater category unmatched { null; };
};
</pre>
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater In <acronym class="acronym">BIND</acronym> 9, the logging configuration
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews is only established when
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews established as soon as the <span><strong class="command">logging</strong></span>
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews statement was parsed. When the server is starting up, all logging messages
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews regarding syntax errors in the configuration file go to the default
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews channels, or to standard error if the <code class="option">-g</code> option
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews was specified.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2575209"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
166c467a9414778bdd0f2a1e4a32220843c0fde3Tinderbox User All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater you can make as many of them as you want.
166c467a9414778bdd0f2a1e4a32220843c0fde3Tinderbox User Every channel definition must include a destination clause that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater says whether messages selected for the channel go to a file, to a
e007e3e5b0316c6c05698a71101885743aca22bdAutomatic Updater particular syslog facility, to the standard error stream, or are
e007e3e5b0316c6c05698a71101885743aca22bdAutomatic Updater discarded. It can optionally also limit the message severity level
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews that will be accepted by the channel (the default is
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews <span><strong class="command">info</strong></span>), and whether to include a
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <span><strong class="command">named</strong></span>-generated time stamp, the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews category name
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User and/or severity level (the default is not to include any).
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews The <span><strong class="command">null</strong></span> destination clause
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews causes all messages sent to the channel to be discarded;
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews in that case, other options for the channel are meaningless.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews The <span><strong class="command">file</strong></span> destination clause directs
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews the channel to a disk file. It can include limitations
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews both on how large the file is allowed to become, and how many
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews versions of the file will be saved each time the file is opened.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews If you use the <span><strong class="command">versions</strong></span> log file
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews option, then
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <span><strong class="command">named</strong></span> will retain that many backup
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews versions of the file by
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews renaming them when opening. For example, if you choose to keep
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews three old versions
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews of the file <code class="filename">lamers.log</code>, then just
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews before it is opened
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <code class="filename">lamers.log.1</code> is renamed to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews renamed to <code class="filename">lamers.log.0</code>.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews You can say <span><strong class="command">versions unlimited</strong></span> to
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews not limit the number of versions.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews If a <span><strong class="command">size</strong></span> option is associated with
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews the log file,
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews then renaming is only done when the file being opened exceeds the
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews indicated size. No backup versions are kept by default; any
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews log file is simply appended.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews The <span><strong class="command">size</strong></span> option for files is used
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to limit log growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington associated with it. If backup versions are kept, the files are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater rolled as described above and a new one begun. If there is no
bbf7c3fd96ae5e02cb84743c581862e35327032aAutomatic Updater <span><strong class="command">versions</strong></span> option, no more data will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater be written to the log
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater until some out-of-band mechanism removes or truncates the log to
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User less than the maximum size. The default behavior is not to limit the size of the file.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Example usage of the <span><strong class="command">size</strong></span> and
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater <span><strong class="command">versions</strong></span> options:
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<pre class="programlisting">channel an_example_channel {
95cfad51a3f71246d263af79a7861a6821f7a0beAutomatic Updater file "example.log" versions 3 size 20m;
61932ed91732417e05c8c6fd335acf1be896c778Mark Andrews print-time yes;
3040b455151b1e1173193933664b2891b6159f24Mark Andrews print-category yes;
};
</pre>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews The <span><strong class="command">syslog</strong></span> destination clause
99c231a3bd27893583204cd0a3e3103dc78dbc28Tinderbox User directs the channel to the system log. Its argument is a
3040b455151b1e1173193933664b2891b6159f24Mark Andrews syslog facility as described in the <span><strong class="command">syslog</strong></span> man
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
6fd5f289d8455283fad33d1051e6fbaa3bec43d5Tinderbox User <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
08d53af7d51409036462fa80fb1bde7a8c2ac123Automatic Updater <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
08d53af7d51409036462fa80fb1bde7a8c2ac123Automatic Updater <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
ec7751119a08c6a7250f3187beed69a8b836d349Tinderbox User <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
6fd5f289d8455283fad33d1051e6fbaa3bec43d5Tinderbox User <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span><strong class="command">local7</strong></span>, however not all facilities
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater are supported on
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater all operating systems.
07d9d0dbcc0c79deb3c34f4a8af05ac68a6800e4Mark Andrews How <span><strong class="command">syslog</strong></span> will handle messages
a66012b52c20200f118781463db4e4ee44454298Automatic Updater sent to this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
3040b455151b1e1173193933664b2891b6159f24Mark Andrews only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews then this clause is silently ignored.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User On Windows machines syslog messages are directed to the EventViewer.
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater "priorities", except that they can also be used if you are writing
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater straight to a file rather than using <span><strong class="command">syslog</strong></span>.
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User Messages which are not at least of the severity level given will
2fd1e3918971180155c10d09454a277f015daecaAutomatic Updater not be selected for the channel; messages of higher severity
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User will be accepted.
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
18920d790825d96ca3943aa2dcb6eb80dc611c5fTinderbox User will also determine what eventually passes through. For example,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington cause messages of severity <span><strong class="command">info</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">notice</strong></span> to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington messages of only <span><strong class="command">warning</strong></span> or higher,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater then <span><strong class="command">syslogd</strong></span> would
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater print all messages it received from the channel.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The <span><strong class="command">stderr</strong></span> destination clause
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User directs the channel to the server's standard error stream. This is intended
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User for use when the server is running as a foreground process, for
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater example when debugging a configuration.
08190bd4d89153cee463b34f9233ad6dd88965fcMark Andrews The server can supply extensive debugging information when
85b52a5959291f5014442814488ccb267cdea369Tinderbox User it is in debugging mode. If the server's global debug level is
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User greater than zero, then debugging mode will be active. The global debug
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews level is set either by starting the <span><strong class="command">named</strong></span> server
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater with the <code class="option">-d</code> flag followed by a positive integer,
e062b72f783cdb436a1a57a630bdff471dbb3038Mark Andrews or by running <span><strong class="command">rndc trace</strong></span>.
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater The global debug level
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater All debugging messages in the server have a debug
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater level, and higher debug levels give more detailed output. Channels
d145b64cacc8d9cda51f9924ec70cd4661c3e2cfAutomatic Updater that specify a specific debug severity, for example:
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<pre class="programlisting">channel specific_debug_level {
 file "foo";
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User severity debug 3;
};
</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will get debugging output of level 3 or less any time the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater server is in debugging mode, regardless of the global debugging
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater level. Channels with <span><strong class="command">dynamic</strong></span>
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater severity use the
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater server's global debug level to determine what messages to print.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews If <span><strong class="command">print-time</strong></span> has been turned on,
52cfbde0bd391cfb37e3c1a1b460c16ba6bf1a73Automatic Updater the date and time will be logged. <span><strong class="command">print-time</strong></span> may
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User be specified for a <span><strong class="command">syslog</strong></span> channel,
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User but is usually
24e0e8d17df315d5d494ca933874e545eadce773Automatic Updater pointless since <span><strong class="command">syslog</strong></span> also logs
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews the date and time. If <span><strong class="command">print-category</strong></span> is
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt requested, then the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater be used in any combination, and will always be printed in the
31a540386a9abaf681d8952f1b2cdf5c75a0ba6cAutomatic Updater order: time, category, severity. Here is an example where all
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews three <span><strong class="command">print-</strong></span> options are on:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
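The print- ordering and the severity rule described above, as an added Python example that is not part of this manual or of BIND: it parses a line according to which print- options the channel has on, applies the "at least this severity" test, and reproduces the daemon.warning interaction with syslog.conf. The numeric ranking, the function names, the handling of a bare "debug" as level 1, and every sample line except the one quoted from this page are assumptions of the example.

```python
import re
from datetime import datetime

# Ranking chosen for this example: lower is more severe, "debug N" ranks as N.
# "dynamic" is not ranked because it depends on the server's global debug level.
RANK = {"critical": -5, "error": -4, "warning": -3, "notice": -2, "info": -1}

TIME_RE = re.compile(r"(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
FIELD_RE = re.compile(r"([^:]+): ")
DEBUG_RE = re.compile(r"debug(?: (\d+))?")


def rank(severity):
    """Convert a severity string such as 'notice' or 'debug 3' to its rank."""
    text = severity.strip().lower()
    if text in RANK:
        return RANK[text]
    m = DEBUG_RE.fullmatch(text)
    if m:
        # Assumption of this example: a bare "debug" means debug level 1.
        return int(m.group(1) or 1)
    raise ValueError(f"unknown severity: {severity!r}")


def channel_accepts(channel_severity, message_severity):
    """A channel takes messages at its own severity or any higher severity."""
    return rank(message_severity) <= rank(channel_severity)


def survives_syslog(channel_severity, syslog_conf_priority, message_severity):
    """Both named's channel and the syslog.conf priority must pass the message."""
    return (channel_accepts(channel_severity, message_severity)
            and channel_accepts(syslog_conf_priority, message_severity))


def parse_line(line, print_time=False, print_category=False, print_severity=False):
    """Split one log line using the channel's print- options.

    Enabled fields always appear in the order time, category, severity.
    """
    rest = line.rstrip("\n")
    record = {"time": None, "category": None, "severity": None}
    if print_time:
        m = TIME_RE.match(rest)
        if not m:
            raise ValueError(f"no time stamp at start of line: {line!r}")
        record["time"] = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        rest = rest[m.end():]
    for field, enabled in (("category", print_category), ("severity", print_severity)):
        if enabled:
            m = FIELD_RE.match(rest)
            if not m:
                raise ValueError(f"missing {field} field: {line!r}")
            record[field] = m.group(1)
            rest = rest[m.end():]
    if record["severity"] is not None:
        rank(record["severity"])  # reject lines whose severity field is not one
    record["message"] = rest
    return record


def triage(lines, category, at_least):
    """Return messages of one category at or above the given severity."""
    selected = []
    for line in lines:
        rec = parse_line(line, print_time=True, print_category=True, print_severity=True)
        if rec["category"] == category and channel_accepts(at_least, rec["severity"]):
            selected.append(rec["message"])
    return selected


SAMPLE = [
    "28-Feb-2000 15:05:32.863 general: notice: running",  # quoted from this page
    # The remaining lines are constructed for the example.
    "28-Feb-2000 15:05:33.010 security: info: constructed sample A",
    "28-Feb-2000 15:05:33.420 security: error: constructed sample B",
    "28-Feb-2000 15:05:34.000 security: debug 3: constructed sample C",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE[0], True, True, True))
    print(triage(SAMPLE, "security", "warning"))
    for sev in ("info", "notice", "warning"):
        print(sev, survives_syslog("debug", "warning", sev))
```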
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater If <span><strong class="command">buffered</strong></span> has been turned on the output
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater to files will not be flushed after each log entry. By default
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater all log messages are flushed.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User There are four predefined channels that are used for
dcff0bfce2963a14e5af5774fd8901a42f18c720Tinderbox User <span><strong class="command">named</strong></span>'s default logging as follows.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews If <span><strong class="command">named</strong></span> is started with the
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater <code class="option">-L</code> option, a fifth channel <span><strong class="command">default_logfile</strong></span> is added.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews How they are
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User<pre class="programlisting">channel default_syslog {
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews // send to syslog's daemon facility
8ccd7da886e93cd490fcb6f4c4e98a6514f35820Automatic Updater syslog daemon;
cd839f5cf5f84cf163f55ff05cb88ce37efd24d1Automatic Updater // only send priority info and higher
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews severity info;
};
3040b455151b1e1173193933664b2891b6159f24Mark Andrewschannel default_debug {
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt // write to named.run in the working directory
3040b455151b1e1173193933664b2891b6159f24Mark Andrews // Note: stderr is used instead of "named.run" if
3040b455151b1e1173193933664b2891b6159f24Mark Andrews // the server is started with the '-g' option.
 file "named.run";
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews // log at the server's current debug level
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews severity dynamic;
};
3040b455151b1e1173193933664b2891b6159f24Mark Andrewschannel default_stderr {
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updater // writes to stderr
 stderr;
3040b455151b1e1173193933664b2891b6159f24Mark Andrews // only send priority info and higher
ff8ec39ce4afc2d774ce99f2386474d2c8539cd4Automatic Updater severity info;
};
channel null {
3040b455151b1e1173193933664b2891b6159f24Mark Andrews // toss anything sent to this channel
 null;
};
c95f536d78842fbc8ebcef653d88e1f2270054f8Automatic Updaterchannel default_logfile {
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews // this channel is only present if named is
3040b455151b1e1173193933664b2891b6159f24Mark Andrews // started with the -L option, whose argument
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User // provides the file name
 file "...";
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews // log at the server's current debug level
45c349c278fd83acd4dcb91eec3482401a623e47Automatic Updater severity dynamic;
};
</pre>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews The <span><strong class="command">default_debug</strong></span> channel has the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews property that it only produces output when the server's debug
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews level is nonzero. It normally writes to a file called <code class="filename">named.run</code>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews in the server's working directory.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews For security reasons, when the <code class="option">-u</code>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews command line option is used, the <code class="filename">named.run</code> file
3040b455151b1e1173193933664b2891b6159f24Mark Andrews is created only after <span><strong class="command">named</strong></span> has
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater changed to the
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater starting up and still running as root is discarded. If you need
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater to capture this output, you must run the server with the <code class="option">-L</code>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater option to specify a default logfile, or the <code class="option">-g</code>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater option to log to standard error which you can redirect to a file.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Once a channel is defined, it cannot be redefined. Thus you
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater cannot alter the built-in channels directly, but you can modify
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater the default logging by pointing categories at channels you have defined.
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt<div class="titlepage"><div><div><h4 class="title">
3040b455151b1e1173193933664b2891b6159f24Mark Andrews<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews There are many categories, so you can send the logs you want
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to see wherever you want, without seeing logs you don't want. If
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater you don't specify a list of channels for a category, then log
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater messages in that category will be sent to the <span><strong class="command">default</strong></span> category
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater instead. If you don't specify a default category, the following
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater "default default" is used:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If you start <span><strong class="command">named</strong></span> with the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="option">-L</code> option then the default category is:
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<pre class="programlisting">category default { default_logfile; default_debug; };
</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater As an example, let's say you want to log security events to
e0bf4fc289705375be65c05a8fb085d514a98c97Tinderbox User a file, but you also want to keep the default logging behavior. You'd
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater specify the following:
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User<pre class="programlisting">channel my_security_channel {
a6e1f63f50af688610ebd2521ba7f028767b51f3Mark Andrews file "my_security_file";
2cdbfcdad94eba75f3f8e77343a0eefabf553b8eAutomatic Updater severity info;
};
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox Usercategory security {
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater my_security_channel;
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater default_syslog;
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User default_debug;
};
</pre>
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<pre class="programlisting">category xfer-out { null; };
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox Usercategory notify { null; };</pre>
dbd021853bb1cd6ab128e8da8865f5965030aedcTinderbox User Following are the available categories and brief descriptions
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User of the types of log information they contain. More
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User categories may be added in future <acronym class="acronym">BIND</acronym> releases.
f42fc714eda962112e45b904d1f846c61a080114Automatic Updater<div class="informaltable"><table border="1">
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User <p><span><strong class="command">default</strong></span></p>
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User The default category defines the logging
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews options for those categories where no specific
3040b455151b1e1173193933664b2891b6159f24Mark Andrews configuration has been
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews <p><span><strong class="command">general</strong></span></p>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews The catch-all. Many things still aren't
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews classified into categories, and they all end up here.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews <p><span><strong class="command">database</strong></span></p>
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt Messages relating to the databases used
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews internally by the name server to store zone and cache
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews <p><span><strong class="command">security</strong></span></p>
015f044f7f916eb18d053f2e5dcbee481425bc66Mark Andrews Approval and denial of requests.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews <p><span><strong class="command">config</strong></span></p>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews Configuration file parsing and processing.
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews <p><span><strong class="command">resolver</strong></span></p>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews DNS resolution, such as the recursive
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews lookups performed on behalf of clients by a caching name
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <p><span><strong class="command">xfer-in</strong></span></p>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Zone transfers the server is receiving.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <p><span><strong class="command">xfer-out</strong></span></p>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Zone transfers the server is sending.
3a988722ad9e209ba4064604d482dc4efe0e19ebTinderbox User <p><span><strong class="command">notify</strong></span></p>
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews The NOTIFY protocol.
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews <p><span><strong class="command">client</strong></span></p>
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews Processing of client requests.
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews <p><span><strong class="command">unmatched</strong></span></p>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Messages that <span><strong class="command">named</strong></span> was unable to determine the
351eca011cf38fd3272b325029afce144a9a1ebaMark Andrews class of or for which there was no matching <span><strong class="command">view</strong></span>.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User This category is best sent to a file or stderr; by
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User default it is sent to
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User the <span><strong class="command">null</strong></span> channel.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <p><span><strong class="command">network</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Network operations.
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews <p><span><strong class="command">update</strong></span></p>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater Dynamic updates.
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater <p><span><strong class="command">update-security</strong></span></p>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater Approval and denial of update requests.
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater <p><span><strong class="command">queries</strong></span></p>
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater Specify where queries should be logged to.
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater At startup, specifying the category <span><strong class="command">queries</strong></span> will also
8aa53dcb1d26277e8e805464bfff7bb7136f60cbAutomatic Updater enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt The query log entry reports the client's IP
3040b455151b1e1173193933664b2891b6159f24Mark Andrews address and port number, and the query name,
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews class and type. Next it reports whether the
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User Recursion Desired flag was set (+ if set, -
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User if not set), if the query was signed (S),
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User if EDNS was in use along with the EDNS version
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User number (E(#)), if TCP was used (T), if DO
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User (DNSSEC Ok) was set (D), if CD (Checking
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User Disabled) was set (C), if a valid DNS Server
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User COOKIE was received (V), or if a DNS COOKIE
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User option without a valid Server COOKIE was
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User present (K). After this the destination
1368e4b34cef64604c874fcc40201c78e548714cTinderbox User address the query was sent to is reported.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User (The first part of this log message, showing the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User client address/port number and query name, is
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User repeated in all subsequent log messages related
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to the same query.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">query-errors</strong></span></p>
a5636b773fa05a272b6876afd99309c0b3090e2fMark Andrews Information about queries that resulted in some
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <p><span><strong class="command">dispatch</strong></span></p>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Dispatching of incoming packets to the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews server modules where they are to be processed.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <p><span><strong class="command">dnssec</strong></span></p>
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater DNSSEC and TSIG protocol processing.
3040b455151b1e1173193933664b2891b6159f24Mark Andrews <p><span><strong class="command">lame-servers</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Lame servers. These are misconfigurations
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in remote servers, discovered by BIND 9 when trying to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater query those servers during resolution.
3f68e9c0e5a6ce475d15eef04bfed9b08a22afa9Tinderbox User <p><span><strong class="command">delegation-only</strong></span></p>
3040b455151b1e1173193933664b2891b6159f24Mark Andrews Delegation only. Logs queries that have been
3040b455151b1e1173193933664b2891b6159f24Mark Andrews forced to NXDOMAIN as the result of a
3040b455151b1e1173193933664b2891b6159f24Mark Andrews delegation-only zone or a
c5f7f6aa6c51d35353a9485b32abbabfe8358b4eMark Andrews <span><strong class="command">delegation-only</strong></span> in a
c5f7f6aa6c51d35353a9485b32abbabfe8358b4eMark Andrews forward, hint or stub zone declaration.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">edns-disabled</strong></span></p>
63654fea53d6a58a65112234bc8d0c322e0c81b5Automatic Updater Log queries that have been forced to use plain
63654fea53d6a58a65112234bc8d0c322e0c81b5Automatic Updater DNS due to timeouts. This is often due to
3040b455151b1e1173193933664b2891b6159f24Mark Andrews the remote servers not being RFC 1034 compliant
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User (not always returning FORMERR or similar to
64d59a0480180940d855a3431ac5ff617b53e997Tinderbox User EDNS queries and other extensions to the DNS
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User when they are not understood). In other words, this is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater targeted at servers that fail to respond to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater DNS queries that they don't understand.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Note: the log message can also be due to
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater packet loss. Before reporting servers for
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater non-RFC 1034 compliance they should be re-tested
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to determine the nature of the non-compliance.
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews This testing should prevent or reduce the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews number of false-positive reports.
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User Note: eventually <span><strong class="command">named</strong></span> will have to stop
3040b455151b1e1173193933664b2891b6159f24Mark Andrews treating such timeouts as due to RFC 1034
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews non-compliance and start treating them as plain
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews packet loss. Falsely classifying packet
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater loss as due to RFC 1034 non-compliance impacts
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater on DNSSEC validation which requires EDNS for
b6561016dc8a813bfd91cef5b876b3dfc3f08ffaTinderbox User the DNSSEC records to be returned.
fedd407a76adfdd745eb7d2461673693c6f9fea9Mark Andrews <p><span><strong class="command">RPZ</strong></span></p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User Information about errors in response policy zone files,
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User rewritten responses, and at the highest
80f05de86cd3cd8e4a4215c4501643891b942dafTinderbox User <span><strong class="command">debug</strong></span> levels, mere rewriting
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User <p><span><strong class="command">rate-limit</strong></span></p>
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User The start, periodic, and final notices of the
3040b455151b1e1173193933664b2891b6159f24Mark Andrews rate limiting of a stream of responses are logged at
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews <span><strong class="command">info</strong></span> severity in this category.
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews These messages include a hash value of the domain name
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews of the response and the name itself,
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews except when there is insufficient memory to record
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews the name for the final notice.
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews The final notice is normally delayed until about one
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews minute after rate limiting stops.
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt A lack of memory can hurry the final notice,
3040b455151b1e1173193933664b2891b6159f24Mark Andrews in which case it starts with an asterisk (*).
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews Various internal events are logged at debug 1 level
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater Rate limiting of individual requests
82447d835d3ff5c658749b4e9b4f66166407b3eaAutomatic Updater is logged in the <span><strong class="command">query-errors</strong></span> category.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">cname</strong></span></p>
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User Logs nameservers that are skipped due to them being
183b6c7fca54001820078f324d102fc33e64bbc6Automatic Updater a CNAME rather than A / AAAA records.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2576830"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
601c1908d06375f5dea00ab98671a6c934d8a840Automatic Updater The <span><strong class="command">query-errors</strong></span> category is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater specifically intended for debugging purposes: to identify
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User why and how specific queries result in responses which
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User indicate an error.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User Messages of this category are therefore only logged
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User with <span><strong class="command">debug</strong></span> levels.
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User At the debug levels of 1 or higher, each response with the
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User rcode of SERVFAIL is logged as follows:
f46621af221784fd08339c6fe9509d9e48334561Tinderbox User <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This means an error resulting in SERVFAIL was
3040b455151b1e1173193933664b2891b6159f24Mark Andrews detected at line 3880 of source file
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Log messages of this level will particularly
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater help identify the cause of SERVFAIL for an
e9e4257668ff6c4e583b0c0db2508650b0b677b8Tinderbox User authoritative server.
d58e33bfabfee19a035031dac633d36659738d56Evan Hunt At the debug levels of 2 or higher, detailed context
3040b455151b1e1173193933664b2891b6159f24Mark Andrews information of recursive resolutions that resulted in
3497d225321ed571428ed011650deb229ccfc977Tinderbox User SERVFAIL is logged.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The log message will look as follows:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsfetch completed at resolver.c:2970 for www.example.com/A
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsin 30.000183: timed out/success [domain:example.com,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsreferral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrewsbadresp:1,adberr:0,findfail:0,valfail:0]
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The first part before the colon shows that a recursive
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews resolution for AAAA records of www.example.com completed
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews in 30.000183 seconds and the final result that led to the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews SERVFAIL was determined at line 2970 of source file
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The following part shows the detected final result and the
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater latest result of DNSSEC validation.
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater The latter is always success when no validation attempt
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User In this example, this query resulted in SERVFAIL probably
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User because all name servers are down or unreachable, leading
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to a timeout in 30 seconds.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User DNSSEC validation was probably not attempted.
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater The last part enclosed in square brackets shows statistics
c07cdac6cf5bf3e9affc1aed25f8350087691f1eAutomatic Updater information collected for this particular resolution
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The <code class="varname">domain</code> field shows the deepest zone
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User that the resolver reached;
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User it is the zone where the error was finally detected.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The meaning of the other fields is summarized in the
de73ef7ecdb9e009155993a6fa8dee5cd1bde319Mark Andrews following table.
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater<div class="informaltable"><table border="1">
7c899ff8af55a6855100e7fb4f5dd9a0a04b48a0Automatic Updater <p><code class="varname">referral</code></p>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The number of referrals the resolver received
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User throughout the resolution process.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User In the above example this is 2, which are most
 <p><code class="varname">restart</code></p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The number of cycles that the resolver tried
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews remote servers at the <code class="varname">domain</code>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews In each cycle the resolver sends one query
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (possibly resending it, depending on the response)
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews to each known name server of
 <p><code class="varname">qrysent</code></p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The number of queries the resolver sent at the
 <p><code class="varname">timeout</code></p>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The number of timeouts since the resolver
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews received the last response.
 <p><code class="varname">lame</code></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The number of lame servers the resolver detected
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington at the <code class="varname">domain</code> zone.
febbdb34a7f7759922e239655e7429d78d3a8d26Tinderbox User A server is detected to be lame either by an
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User invalid response or as a result of lookup in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews BIND9's address database (ADB), where lame
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews servers are cached.
6fab60452ed15c1039aee974a32d692d07eda4d2Automatic Updater <p><code class="varname">neterr</code></p>
b4846627b60aff904d523a433b44482b3b1825a7Tinderbox User The number of erroneous results that the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews resolver encountered in sending queries
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews at the <code class="varname">domain</code> zone.
71ba75c604df3604673232828a68bb28c420e698Mark Andrews One common case is the remote server is
71ba75c604df3604673232828a68bb28c420e698Mark Andrews unreachable and the resolver receives an ICMP
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews unreachable error message.
dfd613f037c1385db661f17e086d34ea57fea9b0Automatic Updater <p><code class="varname">badresp</code></p>
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater The number of unexpected responses (other than
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <code class="varname">lame</code>) to queries sent by the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews resolver at the <code class="varname">domain</code> zone.
 <p><code class="varname">adberr</code></p>
56334ccb2d4b5a04fc12b70b5852049db5d24088Evan Hunt Failures in finding remote server addresses
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User of the <code class="varname">domain</code> zone in the ADB.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews One common case of this is that the remote
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User server's name does not have any address records.
 <p><code class="varname">findfail</code></p>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Failures of resolving remote server addresses.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews This is a total number of failures throughout
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User the resolution process.
 <p><code class="varname">valfail</code></p>
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater Failures of DNSSEC validation.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Validation failures are counted throughout
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson the resolution process (not limited to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the <code class="varname">domain</code> zone), but should
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews only happen in <code class="varname">domain</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater At the debug levels of 3 or higher, the same messages
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater as those at the debug 1 level are logged for errors other
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson than SERVFAIL.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Note that negative responses such as NXDOMAIN are not
7932a7637170550bc53b38c35db9a0187dcb3d3bAutomatic Updater regarded as errors here.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson At the debug levels of 4 or higher, the same messages
3a9593055ead76cbbb417aee2d2e656c2c92cf46Automatic Updater as those at the debug 2 level are logged for errors other
229ea4644b3a7d9c7fdaa43888e7f55ba01e2ee3Automatic Updater than SERVFAIL.
8bc3d252395842452a6d2c775cf8445f6349e331Tinderbox User Unlike the above case of level 3, messages are logged for
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews negative responses.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews This is because any unexpected results can be difficult to
8bc3d252395842452a6d2c775cf8445f6349e331Tinderbox User debug in the recursion case.
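 The query log entry and the debug 2 query-errors message described above can be split into fields mechanically, which is what log triage needs when filtering by client, transport flags or failure counters. The following Python is an added example, not part of the BIND documentation or source; the function names, the constructed third sample line, and the assumption that the destination address appears in parentheses at the end of the line are this example's own.

```python
import re

# Sample input. The first two query lines and FETCH_LINE are quoted from the
# text above (the fetch message is wrapped there); the third is constructed.
# Assumption: the destination address, when present, follows in parentheses.
QUERY_LINES = [
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    "client 192.0.2.7#40000 (a.example.org): query: a.example.org IN TXT -E(0)TDCK (192.0.2.53)",
]
FETCH_LINE = """fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]"""

QUERY_RE = re.compile(
    r"client (?P<addr>\S+)#(?P<port>\d+) \((?P<name>[^)]*)\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>\S*)(?: \((?P<dest>[^)]+)\))?\s*$"
)
FETCH_RE = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) "
    r"for (?P<qname>\S+)/(?P<qtype>\w+) in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<validation>[^\[]+?) \[(?P<stats>[^\]]*)\]"
)
# Flag letters as listed in the description of the queries category.
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}
FAILURE_COUNTERS = ("timeout", "lame", "neterr", "badresp",
                    "adberr", "findfail", "valfail")


def parse_flags(rd, flags):
    """Decode the flag string that follows the query type."""
    out = {"recursion_desired": rd == "+", "edns": False, "edns_version": None}
    out.update({name: False for name in FLAG_NAMES.values()})
    pos = 0
    for m in re.finditer(r"E(?:\((\d+)\))?|[STDCVK]", flags):
        if m.start() != pos:          # unknown text between two known flags
            break
        pos = m.end()
        if m.group(0).startswith("E"):
            out["edns"] = True        # "E" alone, as in the samples, has no version
            out["edns_version"] = int(m.group(1)) if m.group(1) else None
        else:
            out[FLAG_NAMES[m.group(0)]] = True
    if pos != len(flags):
        raise ValueError(f"unrecognised flag text: {flags[pos:]!r}")
    return out


def parse_query(line):
    """Parse one query log entry; return None for any other kind of line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = {"client": m["addr"], "port": int(m["port"]), "qname": m["qname"],
           "qclass": m["qclass"], "qtype": m["qtype"], "destination": m["dest"]}
    rec.update(parse_flags(m["rd"], m["flags"]))
    return rec


def parse_fetch(text):
    """Parse a debug 2 'fetch completed' message, wrapped or on one line."""
    m = FETCH_RE.search(" ".join(text.split()))
    if m is None:
        return None
    stats = {}
    for item in m["stats"].split(","):
        key, _, value = item.strip().partition(":")
        stats[key] = value if key == "domain" else int(value)
    return {"source": (m["file"], int(m["line"])), "qname": m["qname"],
            "qtype": m["qtype"], "seconds": float(m["secs"]),
            "result": m["result"], "validation": m["validation"], "stats": stats}


def failure_counters(fetch):
    """Return only the non-zero failure counters of a parsed fetch message."""
    return {k: fetch["stats"][k] for k in FAILURE_COUNTERS if fetch["stats"].get(k)}


if __name__ == "__main__":
    for line in QUERY_LINES:
        print(parse_query(line))
    fetch = parse_fetch(FETCH_LINE)
    print(fetch["result"], fetch["stats"]["domain"], failure_counters(fetch))
```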
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<a name="id2577350"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User This is the grammar of the <span><strong class="command">lwres</strong></span>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User statement in the <code class="filename">named.conf</code> file:
467a823e57af687ebd486dfd73ea32f9d2a145beTinderbox User<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
7d704e522860496310bb29c28e76064868401a9cMark Andrews [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
e6fc17ec5ad5ba1c4bf5730b2b97c82d1f2b8f3cMark Andrews [<span class="optional"> lwres-tasks <em class="replaceable"><code>number</code></em>; </span>]
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater [<span class="optional"> lwres-clients <em class="replaceable"><code>number</code></em>; </span>]
};</pre>
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User<div class="titlepage"><div><div><h3 class="title">
402eda3e7d4254ffac1543bf2917c71248a09e4cTinderbox User<a name="id2577447"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews The <span><strong class="command">lwres</strong></span> statement configures the
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater server to also act as a lightweight resolver server. (See
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <span><strong class="command">lwres</strong></span> statements configuring
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews lightweight resolver servers with different properties.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews The <span><strong class="command">listen-on</strong></span> statement specifies the
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews IPv4 addresses (and ports) that this instance of a lightweight
f7a71eef29bcbf892270460269c79664f600cffdAutomatic Updater resolver daemon
409ba95e573b40cf36acf97dd62ee7e9c7775851Tinderbox User should accept requests on. If no port is specified, port 921 is
261ef37955c3468cbcb55d54b83c9a3b14e114dfTinderbox User If this statement is omitted, requests will be accepted on
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater The <span><strong class="command">view</strong></span> statement binds this
261ef37955c3468cbcb55d54b83c9a3b14e114dfTinderbox User instance of a
261ef37955c3468cbcb55d54b83c9a3b14e114dfTinderbox User lightweight resolver daemon to a view in the DNS namespace, so that
261ef37955c3468cbcb55d54b83c9a3b14e114dfTinderbox User the response will be constructed in the same manner as a normal DNS query
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User matching this view. If this statement is omitted, the default view is
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User used, and if there is no default view, an error is triggered.
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User The <span><strong class="command">search</strong></span> statement is equivalent to the
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User <span><strong class="command">search</strong></span> statement in
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User <code class="filename">/etc/resolv.conf</code>. It provides a
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User list of domains
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User which are appended to relative names in queries.
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User The <span><strong class="command">ndots</strong></span> statement is equivalent to the
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User <span><strong class="command">ndots</strong></span> statement in
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User <code class="filename">/etc/resolv.conf</code>. It indicates the
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User number of dots in a relative domain name that should result in an
87d422bb38fa1c8f0fb29c2a1b8c044870a7df46Tinderbox User exact match lookup before search path elements are appended.
b8cc0c5d896c361525708a2be2e5af7df76c96d7Tinderbox User The <code class="option">lwres-tasks</code> statement specifies the number
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User of worker threads the lightweight resolver will dedicate to serving
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User clients. By default the number is the same as the number of CPUs on
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User the system; this can be overridden using the <code class="option">-n</code>
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User command line option when starting the server.
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User The <code class="option">lwres-clients</code> statement specifies
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User the number of client objects per thread the lightweight
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User resolver should create to serve client queries.
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User By default, if the lightweight resolver runs as a part
02d20c5d79600704d617d248642c477e9b5e6a2aTinderbox User of <span><strong class="command">named</strong></span>, 256 client objects are
2ec4ab21838e218863d052ebfa3e106e04f50820Evan Hunt created for each task; if it runs as <span><strong class="command">lwresd</strong></span>,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews 1024 client objects are created for each thread. The maximum
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews value is 32768; higher values will be silently ignored and
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the maximum will be used instead.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Note that setting too high a value may overconsume
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews system resources.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The maximum number of client queries that the lightweight
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews resolver can handle at any one time equals
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="option">lwres-tasks</code> times <code class="option">lwres-clients</code>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2577611"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2577660"></a><span><strong class="command">masters</strong></span> Statement Definition and
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<p><span><strong class="command">masters</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews lists allow for a common set of masters to be easily used by
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews or <span><strong class="command">also-notify</strong></span> lists.
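The grammar above, worked through as a <code class="filename">named.conf</code> fragment. This is an added example, not part of the BIND documentation; the list names, zone names, file paths, documentation-range addresses, ports and the TSIG key are all assumptions chosen for illustration.

```conf
// Constructed example: every name, address and path here is a placeholder.

// TSIG key referenced by the "key" clause of each master entry.
// The secret is a labelled placeholder; substitute a generated value
// (for example from tsig-keygen) before checking or loading this file.
key xfer-key {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

// A named masters list. The "port" given after the name is the default
// for every entry; an entry may override it with its own "port".
masters primary-servers port 53 {
    192.0.2.10 key xfer-key;
    192.0.2.11 port 5353 key xfer-key;
};

// The masters_list alternative in the grammar: a list may include
// another list by name alongside plain addresses.
masters all-upstreams {
    primary-servers;
    2001:db8::10 key xfer-key;
};

// Both zones reuse the shared lists instead of repeating addresses
// and keys, so a key or address change is made in one place.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { all-upstreams; };
};

zone "example.net" {
    type stub;
    file "stubs/example.net.db";
    masters { primary-servers; };
};
```

Attaching the key inside the shared list means every zone that references the list sends TSIG-signed requests to those servers, so a zone cannot be added with the key clause forgotten. Run <span><strong class="command">named-checkconf</strong></span> on the result before reloading.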
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2577682"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews This is the grammar of the <span><strong class="command">options</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statement in the <code class="filename">named.conf</code> file:
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">options</strong></span> {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> geoip-directory <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> lock-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> send-cookie <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> require-server-cookie <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> cookie-algorithm <em class="replaceable"><code>secret_string</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> cookie-secret <em class="replaceable"><code>secret_string</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ;
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ... }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> automatic-interface-scan { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> geoip-use-ecs <em class="replaceable"><code>yes_or_no</code></em>;</span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews{ <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify-rate <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> startup-notify-rate <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> max-zone-ttl ( <code class="constant">unlimited</code> | <em class="replaceable"><code>number</code></em> ) ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> servfail-ttl <em class="replaceable"><code>number</code></em>; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em>; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox User [<span class="optional"> nta-lifetime <em class="replaceable"><code>duration</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> nta-recheck <em class="replaceable"><code>duration</code></em> ; </span>]
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
97669cab1f7e6f953dbf39ef1b2c4206ecb50d9eAutomatic Updater [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
309b912841e8b97bf0b0df0d96c3eaf16990c080Automatic Updater [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
66d24a46538c7c2d29fdb5611ab1173e83685b1dTinderbox User [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
66d24a46538c7c2d29fdb5611ab1173e83685b1dTinderbox User [<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
754ebd37e782356aedbb2987e3c1a8ab4f29574eMark Andrews [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews [<span class="optional"> suffix IPv6-address; </span>]
94df856897945fe58f130ba78765c57308bc5400Automatic Updater [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark Andrews [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
5c679dbb66df92766f6a7e7bb93c18d61275d1feMark Andrews [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>;
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>]
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
da93950363b307b718d156514b95b9df93a63776Mark Andrews [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
da93950363b307b718d156514b95b9df93a63776Mark Andrews [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
35bc7055d1b9b816e68a4180d46a49963e45c233Automatic Updater [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> masterfile-format
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater (<code class="constant">relative</code>|<code class="constant">full</code>) ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
f6056ad06781c95198505ae3a361e6dd98df4b91Automatic Updater [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
fbcaee30a27f47fe337152c27e7d90489dc8fd63Tinderbox User [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> prefetch <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt zone <em class="replaceable"><code>zone_name</code></em>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru | drop |
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User tcp-only | nxdomain | nodata | cname domain</code></em>) </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> log <em class="replaceable"><code>yes_or_no</code></em> </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<div class="titlepage"><div><div><h3 class="title">
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The <span><strong class="command">options</strong></span> statement sets up global options
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User to be used by <acronym class="acronym">BIND</acronym>. This statement
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt may appear only
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt once in a configuration file. If there is no <span><strong class="command">options</strong></span>
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt statement, an options block with each option set to its default will
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Allows multiple views to share a single cache
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Each view has its own cache database by default, but
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User if multiple views have the same operational policy
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User for name resolution and caching, those views can
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User share a single cache to save memory and possibly
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User improve resolution efficiency by using this option.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The <span><strong class="command">attach-cache</strong></span> option
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User may also be specified in <span><strong class="command">view</strong></span>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User statements, in which case it overrides the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User global <span><strong class="command">attach-cache</strong></span> option.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The <em class="replaceable"><code>cache_name</code></em> specifies
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User the cache to be shared.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User When the <span><strong class="command">named</strong></span> server configures
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User views which are supposed to share a cache, it
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User creates a cache with the specified name for the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User first view of these sharing views.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The rest of the views will simply refer to the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User already created cache.
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt One common configuration to share a cache would be to
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User allow all views to share a single cache.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User This can be done by specifying
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User the <span><strong class="command">attach-cache</strong></span> as a global
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User option with an arbitrary name.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Another possible operation is to allow a subset of
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User all views to share a cache while the others
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User retain their own caches.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User For example, if there are three views A, B, and C,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User and only A and B should share a cache, specify the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">attach-cache</strong></span> option in view A (or
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User B), referring to the other view's name:
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User // this view has its own cache
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User // this view refers to A's cache
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User attach-cache "A";
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User // this view has its own cache
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Views that share a cache must have the same policy
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User on configurable parameters that may affect caching.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The current implementation requires the following
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User configurable options be consistent among these views:
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">check-names</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">cleaning-interval</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">dnssec-accept-expired</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">dnssec-validation</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">max-cache-ttl</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">max-ncache-ttl</strong></span>,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">max-cache-size</strong></span>, and
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">zero-no-soa-ttl</strong></span>.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Note that there may be other parameters that may
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User cause confusion if they are inconsistent for
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User different views that share a single cache.
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt For example, if these views define different sets of
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt forwarders that can return different answers for the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User same question, sharing the answer does not make
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User sense or could even be harmful.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User It is the administrator's responsibility to ensure
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User configuration differences in different views do
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User not cause disruption with a shared cache.
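An added example (not part of the BIND manual or ISC's code) that audits a configuration for the condition described above: views that resolve to the same cache but differ on the listed options. The parser is a simplified one written for this example and does not follow `include` files; `SAMPLE_CONF` is a constructed configuration that mirrors the three-view A, B, C layout.

```python
import re
from collections import defaultdict

# Options the text above says must be consistent among views sharing a cache.
# "forwarders" is added because the text names it as another source of trouble.
CACHE_SENSITIVE = (
    "check-names", "cleaning-interval", "dnssec-accept-expired",
    "dnssec-validation", "max-cache-ttl", "max-ncache-ttl",
    "max-cache-size", "zero-no-soa-ttl", "forwarders",
)

# One token per match: quoted string, comment, brace/semicolon, or bare word.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)
UNSET = ("<built-in default>",)


def parse(text):
    """Parse named.conf-style text into nested statements (lists of words/blocks)."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*", "#"))]
    pos = 0

    def block():
        nonlocal pos
        statements, current = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                current.append(block())      # nested block becomes a sub-list
            elif tok == "}":
                break
            elif tok == ";":
                if current:
                    statements.append(current)
                current = []
            else:
                current.append(tok.strip('"'))
        return statements

    return block()


def effective(view_body, global_body, name):
    """Values of option `name` as seen by a view.

    Simplification: any view-level statement of that name replaces all
    global statements of the same name.
    """
    for body in (view_body, global_body):
        values = sorted(" ".join(map(str, s[1:])) for s in body if s[0] == name)
        if values:
            return tuple(values)
    return UNSET


def audit_shared_caches(conf_text, options=CACHE_SENSITIVE):
    """Return [(cache_name, option, {view: values})] for every option that
    differs between views attached to the same cache."""
    statements = parse(conf_text)
    global_body = next((s[-1] for s in statements
                        if s[0] == "options" and isinstance(s[-1], list)), [])
    groups = defaultdict(list)
    for s in statements:
        if s[0] == "view" and isinstance(s[-1], list):
            name, body = s[1], s[-1]
            attached = effective(body, global_body, "attach-cache")
            # Without attach-cache a view uses its own cache, named after the view.
            cache = name if attached == UNSET else attached[0]
            groups[cache].append((name, body))
    findings = []
    for cache, views in groups.items():
        if len(views) < 2:
            continue                          # cache is not shared
        for opt in options:
            seen = {v: effective(b, global_body, opt) for v, b in views}
            if len(set(seen.values())) > 1:
                findings.append((cache, opt, seen))
    return findings


# Constructed sample: B attaches to A's cache but overrides two cache-related
# options; C keeps its own cache, so its differences do not matter.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    max-cache-ttl 86400;
    dnssec-validation yes;
};
view "A" {
    // this view has its own cache
    match-clients { 10.0.0.0/8; };
};
view "B" {
    // this view refers to A's cache
    attach-cache "A";
    match-clients { 192.168.0.0/16; };
    dnssec-validation no;
    max-cache-ttl 3600;
};
view "C" {
    // this view has its own cache
    match-clients { any; };
    dnssec-validation no;
};
'''

if __name__ == "__main__":
    for cache, opt, seen in audit_shared_caches(SAMPLE_CONF):
        print(f'cache "{cache}": {opt} differs: {seen}')
```

An empty result means no shared cache has conflicting values for the checked options; it does not cover other per-view differences that can change answers.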
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The working directory of the server.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Any non-absolute pathnames in the configuration file will be taken
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User as relative to this directory. The default location for most
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User output files (e.g. <code class="filename">named.run</code>)
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User is this directory.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User If a directory is not specified, the working directory
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User defaults to `<code class="filename">.</code>', the directory from
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User which the server
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User was started. The directory specified should be an absolute
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">geoip-directory</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Specifies the directory containing GeoIP
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <code class="filename">.dat</code> database files for GeoIP
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User initialization. By default, this option is unset
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User and the GeoIP support will use libGeoIP's
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User built-in directory.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User (For details, see <a href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Usage">the section called “<span><strong class="command">acl</strong></span> Statement Definition and
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Usage”</a> about the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span><strong class="command">geoip</strong></span> ACL.)
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User When performing dynamic update of secure zones, the
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User directory where the public and private DNSSEC key files
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User should be found, if different than the current working
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User directory. (Note that this option has no effect on the
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt paths for files containing non-DNSSEC keys such as
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt Specifies the directory in which to store the files that
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User track managed DNSSEC keys. By default, this is the working
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User If <span><strong class="command">named</strong></span> is not configured to use views,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User then managed keys for the server will be tracked in a single
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User file called <code class="filename">managed-keys.bind</code>.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User Otherwise, managed keys will be tracked in separate files,
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User one file per view; each file name will be the view name
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User (or, if it contains characters that are incompatible with
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User use as a file name, the SHA256 hash of the view name),
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User followed by the extension
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt (Note: in previous releases, file names for views
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt always used the SHA256 hash of the view name. To ensure
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt compatibility after upgrade, if a file using the old
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt name format is found to exist, it will be used instead
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User of the new format.)
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User <span class="emphasis"><em>This option is obsolete.</em></span> It
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User was used in <acronym class="acronym">BIND</acronym> 8 to specify
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User the pathname to the <span><strong class="command">named-xfer</strong></span>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User program. In <acronym class="acronym">BIND</acronym> 9, no separate
e2d635d630f6f61fefd3d4475c45b097b16b8a2aEvan Hunt <span><strong class="command">named-xfer</strong></span> program is needed;
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User its functionality is built into the name server.
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User The KRB5 keytab file to use for GSS-TSIG updates. If
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User this option is set and tkey-gssapi-credential is not
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User set, then updates will be allowed with any key
776a8e3ff8889711a1f61a9362607c42716563f4Tinderbox User matching a principal in the specified keytab.
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User The security credential with which the server should
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User authenticate keys requested by the GSS-TSIG protocol.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User Currently only Kerberos 5 authentication is available
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User and the credential is a Kerberos principal which the
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User server can acquire through the default system key
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User file, normally <code class="filename">/etc/krb5.keytab</code>.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User The location of the keytab file can be overridden using the
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User tkey-gssapi-keytab option. Normally this principal is
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
6a0d2961c04b20f0114cca12157cfed64c5b126fTinderbox User also be set if a specific keytab is not set with
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User tkey-gssapi-keytab.
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
644973f327e9db74779e7c0426db90909173b284Automatic Updater The domain appended to the names of all shared keys
644973f327e9db74779e7c0426db90909173b284Automatic Updater generated with <span><strong class="command">TKEY</strong></span>. When a
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User client requests a <span><strong class="command">TKEY</strong></span> exchange,
418cc932318b1d67f88a36904d88d8a5a0a2ba09Automatic Updater it may or may not specify the desired name for the
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User key. If present, the name of the shared key will
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User be <code class="varname">client specified part</code> +
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User <code class="varname">tkey-domain</code>. Otherwise, the
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User name of the shared key will be <code class="varname">random hex
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User digits</code> + <code class="varname">tkey-domain</code>.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User In most cases, the <span><strong class="command">domainname</strong></span>
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User should be the server's domain name, or an otherwise
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User non-existent subdomain like
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User "_tkey.<code class="varname">domainname</code>". If you are
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User using GSS-TSIG, this variable must be defined, unless
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User you specify a specific keytab using tkey-gssapi-keytab.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User The Diffie-Hellman key used by the server
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User to generate shared keys with clients using the Diffie-Hellman mode
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User of <span><strong class="command">TKEY</strong></span>. The server must be
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User able to load the
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User public and private keys from files in the working directory.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User In most cases, the keyname should be the server's host name.
d585233c52e283d9a8849f16f04f452419a2484eTinderbox User<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews This is for testing only. Do not use.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The pathname of the file the server dumps
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the database to when instructed to do so with
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">rndc dumpdb</strong></span>.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews If not specified, the default is <code class="filename">named_dump.db</code>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The pathname of the file the server writes memory
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews usage statistics to on exit. If not specified,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the default is <code class="filename">named.memstats</code>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="term"><span><strong class="command">lock-file</strong></span></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The pathname of a file on which <span><strong class="command">named</strong></span> will
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews attempt to acquire a file lock when starting up for
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the first time; if unsuccessful, the server will
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews terminate, under the assumption that another
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews server is already running. If not specified, the default is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">/var/run/named/named.lock</code>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Specifying <span><strong class="command">lock-file none</strong></span> disables the
68e1b398b5b1b417723e90b5e52b9148f8f93294Automatic Updater use of a lock file. <span><strong class="command">lock-file</strong></span> is
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews ignored if <span><strong class="command">named</strong></span> was run using the <code class="option">-X</code>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews option, which overrides it. Changes to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">lock-file</strong></span> are ignored if
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User <span><strong class="command">named</strong></span> is being reloaded or
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews reconfigured; it is only effective when the server is
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User first started up.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The pathname of the file the server writes its process ID
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews in. If not specified, the default is
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <code class="filename">/var/run/named/named.pid</code>.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The PID file is used by programs that want to send signals to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User use of a PID file — no file will be written and any
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews existing one will be removed. Note that <span><strong class="command">none</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews is a keyword, not a filename, and therefore is not enclosed
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User in double quotes.
7a2a1b8b14fc804ac80612d7b98064095e445be5Automatic Updater<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews The pathname of the file the server dumps
e007e3e5b0316c6c05698a71101885743aca22bdAutomatic Updater the queries that are currently recursing when instructed
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to do so with <span><strong class="command">rndc recursing</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If not specified, the default is <code class="filename">named.recursing</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The pathname of the file the server appends statistics
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington If not specified, the default is <code class="filename">named.stats</code> in the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server's current directory. The format of the file is
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User described in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
cff0e0b52cf0928123bad6f3bccf56e22bbc07f5Automatic Updater<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The pathname of a file to override the built-in trusted
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater keys provided by <span><strong class="command">named</strong></span>.
644973f327e9db74779e7c0426db90909173b284Automatic Updater See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and <span><strong class="command">dnssec-validation</strong></span> for details.
c28a1243429dfaf8dc5f6c1db0dccdc6ce386baeMark Andrews If not specified, the default is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="filename">/etc/bind.keys</code>.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
bf1263835e8e35421960f65088c043f42aacef13Mark Andrews The pathname of the file the server dumps
15ae68f3db8261770fc33b8e0f83f5d8c7021e84Mark Andrews security roots to when instructed to do so with
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews <span><strong class="command">rndc secroots</strong></span>.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User If not specified, the default is
2bb3422dc683c013db7042f5736240de6b86f182Automatic Updater <code class="filename">named.secroots</code>.
9bc394fffdd50f6e47614b2d317da7274122366fTinderbox User<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater The pathname of the file into which to write a TSIG
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews session key generated by <span><strong class="command">named</strong></span> for use by
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span><strong class="command">nsupdate -l</strong></span>. If not specified, the
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User default is <code class="filename">/var/run/named/session.key</code>.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User particular the discussion of the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span><strong class="command">update-policy</strong></span> statement's
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <strong class="userinput"><code>local</code></strong> option for more
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater information about this feature.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater The key name to use for the TSIG session key.
10640b2e3efc7bc8034108136d7487f7407fbf37Andreas Gustafsson If not specified, the default is "local-ddns".
10640b2e3efc7bc8034108136d7487f7407fbf37Andreas Gustafsson<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The algorithm to use for the TSIG session key.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews hmac-sha384, hmac-sha512 and hmac-md5. If not
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater specified, the default is hmac-sha256.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User receiving and sending DNS protocol traffic.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The default is 53. This option is mainly intended for server
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User a server using a port other than 53 will not be able to
a792d42c3cdd6cd4608b936c0a06437b8c2d99ccTinderbox User communicate with
a01aa536188bb3535dfc1107a623e6355a8e6b7cMark Andrews the global DNS.
1d4f4d2db2d69e48fec2dde5c1535853677d22a7Automatic Updater<dt><span class="term"><span><strong class="command">dscp</strong></span></span></dt>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews The global Differentiated Services Code Point (DSCP)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater value to classify outgoing DNS traffic on operating
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User systems that support DSCP. Valid values are 0 through 63.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User It is not configured by default.
8d0e57cdac5e28964ebe7c0d925d158f17b401a6Tinderbox User<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The source of entropy to be used by the server. Entropy is
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews primarily needed
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews for DNSSEC operations, such as TKEY transactions and dynamic
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews update of signed
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews zones. This option specifies the device (or file) from which
e10d61d84e0b735f1e8eca18644cfdb1b06cad33Tinderbox User to read entropy. If this is a file, operations requiring entropy will
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews fail when the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews file has been exhausted. If not specified, the default value
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews (or equivalent) when present, and none otherwise. The
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span><strong class="command">random-device</strong></span> option takes
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User effect during the initial configuration load at server startup time and
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User is ignored on subsequent reloads.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If specified, the listed type (A or AAAA) will be emitted
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User before other glue
4c9f230f7ca5b2b08ea8fd7a6944135801dbe152Tinderbox User in the additional section of a query response.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews The default is not to prefer any type (NONE).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Turn on enforcement of delegation-only in TLDs
608c08fec9e45832e66649bbdb219c25167e654aTinderbox User (top level domains) and root zones with an optional
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater DS queries are expected to be made to and be answered by
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater delegation only zones. Such queries and responses are
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews treated as an exception to delegation-only processing
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews and are not converted to NXDOMAIN responses provided
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews a CNAME is not discovered at the query name.
e80c7005e3d59dfeb04dad186d36f3c15622954cTinderbox User If a delegation only zone server also serves a child
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews zone it is not always possible to determine whether
a80993946f29ff39df38818ee9b2e58a4e46cb7eTinderbox User an answer comes from the delegation only zone or the
02b3e44a996e9753d86306b6a1b6b579a73787fcTinderbox User child zone. SOA, NS and DNSKEY records are apex
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater only records and a matching response that contains
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater these records or DS is treated as coming from a
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews child zone. RRSIG records are also examined to see
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews if they are signed by a child zone or not. The
53b97c9873a923f504893d1e2ab62000dfac221fTinderbox User authority section is also examined to see if there
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews is evidence that the answer is from the child zone.
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater Answers that are determined to be from a child zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater are not converted to NXDOMAIN responses. Despite
8c6328ab5890aa79d84b86ed672e185dc111bb68Automatic Updater all these checks there is still a possibility of
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User false negatives when a child zone is being served.
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater Similarly false positives can arise from empty nodes
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews (no records at the name) in the delegation only zone
f89eb76a7516649f8717c6397fc496ca906ddb57Tinderbox User when the query type is not ANY.
e20309353e6246485c521278131d3fced73d7957Tinderbox User Note some TLDs are not delegation only (e.g. "DE", "LV",
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews "US" and "MUSEUM"). This list is not exhaustive.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
ca904804e43f663f08eb1ac9d6d617930b9a3cd3Automatic Updater Disable the specified DNSSEC algorithms at and below the
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User specified name.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Multiple <span><strong class="command">disable-algorithms</strong></span>
713a5e3080f112b3efde9235e9c92035056ff966Automatic Updater statements are allowed.
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater Only the best match <span><strong class="command">disable-algorithms</strong></span>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews clause will be used to determine which algorithms are used.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If all supported algorithms are disabled, the zones covered
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews by the <span><strong class="command">disable-algorithms</strong></span> will be treated
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<dt><span class="term"><span><strong class="command">disable-ds-digests</strong></span></span></dt>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater Disable the specified DS/DLV digest types at and below the
099b86fb8136a7dff81df85cf395978c16eb254cAutomatic Updater specified name.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User Multiple <span><strong class="command">disable-ds-digests</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater statements are allowed.
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater Only the best match <span><strong class="command">disable-ds-digests</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater clause will be used to determine which digest types are used.
3e5340279d8875d136a4dd815cccad0044aa2644Automatic Updater If all supported digest types are disabled, the zones covered
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater by the <span><strong class="command">disable-ds-digests</strong></span> will be treated
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews as insecure.
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater validator with an alternate method to validate DNSKEY
d630ef2ff74445949a482660938e9fa9da52ca14Automatic Updater records at the top of a zone. When a DNSKEY is at or
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User below a domain specified by the deepest
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews validation has left the key untrusted, the trust-anchor
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will be appended to the key name and a DLV record will be
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User looked up to see if it can validate the key. If the DLV
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User record validates a DNSKEY (similarly to the way a DS
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User record does) the DNSKEY RRset is deemed to be trusted.
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User If <span><strong class="command">dnssec-lookaside</strong></span> is set to
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews <strong class="userinput"><code>auto</code></strong>, then built-in default
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews values for the DLV domain and trust anchor will be
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User used, along with a built-in key for validation.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If <span><strong class="command">dnssec-lookaside</strong></span> is set to
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The default DLV key is stored in the file
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span><strong class="command">named</strong></span> will load that key at
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <code class="constant">auto</code>. A copy of the file is
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User installed along with <acronym class="acronym">BIND</acronym> 9, and is
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User current as of the release date. If the DLV key expires, a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater new copy of <code class="filename">bind.keys</code> can be downloaded
90b25b84f037ec923efaee84d2c0dc599293d04eTinderbox User from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews (To prevent problems if <code class="filename">bind.keys</code> is
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews not found, the current key is also compiled in to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span><strong class="command">named</strong></span>. Relying on this is not
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews recommended, however, as it requires <span><strong class="command">named</strong></span>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User to be recompiled with a new key when the DLV key expires.)
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User NOTE: <span><strong class="command">named</strong></span> only loads certain specific
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User keys from <code class="filename">bind.keys</code>: those for the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater DLV zone and for the DNS root zone. The file cannot be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater used to store keys for other zones.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User Specify hierarchies which must be or may not be secure
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater (signed and validated). If <strong class="userinput"><code>yes</code></strong>,
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User then <span><strong class="command">named</strong></span> will only accept answers if
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User DNSSEC validation applies allowing for insecure answers to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater be accepted. The specified domain must be under a
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <span><strong class="command">trusted-keys</strong></span> or
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">managed-keys</strong></span> statement, or
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <span><strong class="command">dnssec-lookaside</strong></span> must be active.
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This directive instructs <span><strong class="command">named</strong></span> to
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews return mapped IPv4 addresses to AAAA queries when
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater there are no AAAA records. It is intended to be
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User used in conjunction with a NAT64. Each
a61158fed2e0281a40e3e97e0b7c3f9789a07b4eTinderbox User <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User Multiple DNS64 prefixes can be defined.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater 64 and 96 as per RFC 6052.
59b277af9d9aac08d16be63aed5ae60ac9eef0d5Automatic Updater Additionally a reverse IP6.ARPA zone will be created for
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User the prefix to provide a mapping from the IP6.ARPA names
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to the corresponding IN-ADDR.ARPA names using synthesized
a1788473b239588464bdeac4ab9f3fbcae959450Tinderbox User CNAMEs. <span><strong class="command">dns64-server</strong></span> and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">dns64-contact</strong></span> can be used to specify
c7f4dfc8decb44451cff27ef160d539d4954dc31Tinderbox User the name of the server and contact for the zones. These
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater are settable at the view / options level. These are
f34958b7669dfca333cc0cd20113b1f55a89e1deTinderbox User not settable on a per-prefix basis.
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews Each <span><strong class="command">dns64</strong></span> supports an optional
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <span><strong class="command">clients</strong></span> ACL that determines which
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews clients are affected by this directive. If not defined,
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater it defaults to <strong class="userinput"><code>any;</code></strong>.
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews Each <span><strong class="command">dns64</strong></span> supports an optional
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <span><strong class="command">mapped</strong></span> ACL that selects which
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater IPv4 addresses are to be mapped in the corresponding
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater A RRset. If not defined it defaults to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <strong class="userinput"><code>any;</code></strong>.
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater Normally, DNS64 won't apply to a domain name that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater owns one or more AAAA records; these records will
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater simply be returned. The optional
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">exclude</strong></span> ACL allows specification
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater of a list of IPv6 addresses that will be ignored
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater if they appear in a domain name's AAAA records, and
c762a0e4141c8eb9d7567c614cf6dde994f6a76dTinderbox User DNS64 will be applied to any A records the domain
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater name owns. If not defined, <span><strong class="command">exclude</strong></span>
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews defaults to none.
10702d681eb650391bcaa0e2704aa3cf2dbf0e98Mark Andrews An optional <span><strong class="command">suffix</strong></span> can also
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater be defined to set the bits trailing the mapped
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater IPv4 address bits. By default these bits are
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User set to <strong class="userinput"><code>::</code></strong>. The bits
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User matching the prefix and mapped IPv4 address
1b670d35282f1b9352692ad212be3c0aa97b0689Automatic Updater If <span><strong class="command">recursive-only</strong></span> is set to
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User <span><strong class="command">yes</strong></span> the DNS64 synthesis will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater only happen for recursive queries. The default
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater is <span><strong class="command">no</strong></span>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <span><strong class="command">break-dnssec</strong></span> is set to
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <span><strong class="command">yes</strong></span> the DNS64 synthesis will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater happen even if the result, if validated, would
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater cause a DNSSEC validation failure. If this option
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is set to <span><strong class="command">no</strong></span> (the default), the DO
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater is set on the incoming query, and there are RRSIGs on
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the applicable records, then synthesis will not happen.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User dns64 64:FF9B::/96 {
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater clients { any; };
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User mapped { !rfc1918; any; };
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
 };
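The following Python model is an added example, not code from BIND or from this manual. It shows how an IPv4 address is embedded in a DNS64 prefix for each RFC 6052 prefix length, and how the <code>clients</code>, <code>mapped</code> and <code>exclude</code> ACLs described above decide what a AAAA query returns. The function names, the flattened ACL representation and the sample addresses are assumptions made for illustration; the <code>suffix</code>, <code>recursive-only</code> and <code>break-dnssec</code> settings are not modelled.

```python
import ipaddress

# Prefix lengths the text above lists as compatible (RFC 6052).
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, ipv4):
    """Return the IPv6 address that embeds `ipv4` in the DNS64 `prefix`.

    RFC 6052 section 2.2 places the IPv4 octets directly after the prefix,
    skipping bits 64..71 (octet index 8), which are reserved and stay zero.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("unsupported DNS64 prefix length /%d" % net.prefixlen)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # reserved octet: never carries address bits
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def acl_match(acl, addr):
    """Simplified address match list: the first matching element decides.

    Elements are CIDR strings or "any"; a leading "!" makes the match negative.
    An address that matches no element is rejected.
    """
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negate, spec = element.startswith("!"), element.lstrip("!")
        if spec == "any":
            return not negate
        net = ipaddress.ip_network(spec)
        if ip.version == net.version and ip in net:
            return not negate
    return False


def dns64_answer(cfg, client, a_records, aaaa_records):
    """Model the AAAA answer for one name under one dns64 clause."""
    if not acl_match(cfg["clients"], client):
        return list(aaaa_records)          # clause does not apply to this client
    # AAAA records matching `exclude` are ignored.
    usable = [r for r in aaaa_records if not acl_match(cfg["exclude"], r)]
    if usable:
        return usable                      # real AAAA data wins over synthesis
    # No usable AAAA: synthesize from the A records that `mapped` allows.
    return [str(embed_ipv4(cfg["prefix"], a))
            for a in a_records if acl_match(cfg["mapped"], a)]


# The configuration from the example above, with "!rfc1918" flattened into
# one negated element per network (written out in full CIDR form).
RFC1918 = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
PAGE_DNS64 = {
    "prefix": "64:FF9B::/96",
    "clients": ["any"],
    "mapped": ["!" + net for net in RFC1918] + ["any"],
    "exclude": ["64:FF9B::/96", "::ffff:0000:0000/96"],
}

if __name__ == "__main__":
    client = "203.0.113.5"                 # constructed sample client address
    # Constructed sample RRsets: (A records, AAAA records)
    cases = {
        "v4-only public": (["192.0.2.33"], []),
        "v4-only, one private": (["10.1.2.3", "198.51.100.7"], []),
        "AAAA is IPv4-mapped": (["192.0.2.33"], ["::ffff:192.0.2.1"]),
        "native AAAA": (["192.0.2.33"], ["2001:db8::1"]),
    }
    for label, (a, aaaa) in cases.items():
        print(label, "->", dns64_answer(PAGE_DNS64, client, a, aaaa))
```

With the <code>mapped</code> ACL from the example, a name that only has RFC 1918 A records gets an empty AAAA answer rather than a synthesized address that the NAT64 could not reach.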
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
79b627f399ce925988bb326315e6742d5316cb6bTinderbox User If this option is set to its default value of
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <code class="literal">maintain</code> in a zone of type
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="literal">master</code> which is DNSSEC-signed
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater and configured to allow dynamic updates (see
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User if <span><strong class="command">named</strong></span> has access to the
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User private signing key(s) for the zone, then
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <span><strong class="command">named</strong></span> will automatically sign all new
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater or changed records and maintain signatures for the zone
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User by regenerating RRSIG records whenever they approach
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater their expiration date.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If the option is changed to <code class="literal">no-resign</code>,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater then <span><strong class="command">named</strong></span> will sign all new or
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User changed records, but scheduled maintenance of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater signatures is disabled.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User With either of these settings, <span><strong class="command">named</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will reject updates to a DNSSEC-signed zone when the
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater signing keys are inactive or unavailable to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">named</strong></span>. (A planned third option,
979e02d122cddf1624cca8a4dab8d084c900fa48Automatic Updater <code class="literal">external</code>, will disable all automatic
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater signing and allow DNSSEC data to be submitted into a zone
324a8797b46d646fe8d3b2eef6785e0b2b3ac956Tinderbox User via dynamic update; this is not yet implemented.)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">nta-lifetime</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User Specifies the default lifetime, in seconds,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater that will be used for negative trust anchors added
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater via <span><strong class="command">rndc nta</strong></span>.
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater A negative trust anchor selectively disables
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User DNSSEC validation for zones that are known to be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater failing because of misconfiguration rather than
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User an attack. When data to be validated is
402eda3e7d4254ffac1543bf2917c71248a09e4cTinderbox User at or below an active NTA (and above any other
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User configured trust anchors), <span><strong class="command">named</strong></span> will
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User abort the DNSSEC validation process and treat the data as
b4846627b60aff904d523a433b44482b3b1825a7Tinderbox User insecure rather than bogus. This continues until the
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User NTA's lifetime has elapsed. NTAs persist
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User across <span><strong class="command">named</strong></span> restarts.
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User For convenience, TTL-style time unit suffixes can be
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater used to specify the NTA lifetime in seconds, minutes
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews or hours. <code class="option">nta-lifetime</code> defaults to
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User one hour. It cannot exceed one week.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="term"><span><strong class="command">nta-recheck</strong></span></span></dt>
114f7780384371121918624ae2c80ecfce545683Tinderbox User Specifies how often to check whether negative
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater trust anchors added via <span><strong class="command">rndc nta</strong></span>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater are still necessary.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User A negative trust anchor is normally used when a
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User domain has stopped validating due to operator error;
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User it temporarily disables DNSSEC validation for that
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox User domain. In the interest of ensuring that DNSSEC
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User validation is turned back on as soon as possible,
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User <span><strong class="command">named</strong></span> will periodically send a
7ca715ad1587a68a531ea1cdea07515d7232567eTinderbox User query to the domain, ignoring negative trust anchors,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews to find out whether it can now be validated. If so,
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User the negative trust anchor is allowed to expire early.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User Validity checks can be disabled for an individual
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User NTA by using <span><strong class="command">rndc nta -f</strong></span>, or
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews for all NTAs by setting <code class="option">nta-recheck</code>
42c81cf2de732ec6d00e73fc755a399ca037e543Mark Andrews For convenience, TTL-style time unit suffixes can be
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User used to specify the NTA recheck interval in seconds,
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User minutes or hours. The default is five minutes. It
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User cannot be longer than <code class="option">nta-lifetime</code>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User (which cannot be longer than a week).
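The limits on nta-lifetime and nta-recheck and the NTA coverage rule described above, as an added example that is not part of the BIND documentation or source. All function names are hypothetical, the d and w suffixes are the usual TTL units beyond the s, m and h the text names, and treating a trust anchor with the same name as the NTA as covered is an assumption of this model.

```python
# Added example: a model of the nta-lifetime / nta-recheck rules in the text.
# This is not BIND code; every name below is hypothetical.
import re

WEEK = 7 * 24 * 3600
DEFAULT_NTA_LIFETIME = 3600   # "defaults to one hour"
DEFAULT_NTA_RECHECK = 300     # "The default is five minutes"
# The text names seconds, minutes and hours; d and w are the other
# standard TTL-style suffixes and are included here as an assumption.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """Parse a TTL-style value such as '90', '30m' or '1h30m' into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdw])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a TTL-style duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def check_nta_options(lifetime=None, recheck=None):
    """Apply the defaults, then report violations of the documented limits."""
    life = DEFAULT_NTA_LIFETIME if lifetime is None else parse_duration(lifetime)
    rech = DEFAULT_NTA_RECHECK if recheck is None else parse_duration(recheck)
    problems = []
    if life > WEEK:
        problems.append("nta-lifetime exceeds one week")
    if rech > life:
        problems.append("nta-recheck is longer than nta-lifetime")
    return life, rech, problems


def _labels(name):
    """Lower-case labels of a domain name; the root '.' has none."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_at_or_below(name, ancestor):
    n, a = _labels(name), _labels(ancestor)
    return len(a) <= len(n) and (not a or n[-len(a):] == a)


def closest_enclosing(name, candidates):
    """Deepest candidate that `name` is at or below, or None."""
    hits = [c for c in candidates if is_at_or_below(name, c)]
    return max(hits, key=lambda c: len(_labels(c)), default=None)


def validation_outcome(name, ntas, trust_anchors, now):
    """Decide how data at `name` is treated.

    ntas maps an NTA name to its expiry time (epoch seconds).
    Returns 'insecure' when an active NTA applies, else 'validate'.
    """
    active = [n for n, expiry in ntas.items() if expiry > now]
    nta = closest_enclosing(name, active)
    if nta is None:
        return "validate"
    anchor = closest_enclosing(name, trust_anchors)
    # Both names enclose `name`, so label counts order them. A trust anchor
    # strictly below the NTA means the data is not "above" that anchor,
    # and normal validation continues.
    if anchor is not None and len(_labels(anchor)) > len(_labels(nta)):
        return "validate"
    return "insecure"


if __name__ == "__main__":
    # Constructed sample data: one NTA with an hour left, two trust anchors.
    now = 1000
    ntas = {"example.com": now + 3600}
    anchors = [".", "secure.example.com"]
    for qname in ("www.example.com", "host.secure.example.com", "example.org"):
        print(qname, validation_outcome(qname, ntas, anchors, now))
    print(check_nta_options("1m"))   # default recheck now exceeds the lifetime
```

Note the interaction the last line shows: shortening nta-lifetime below five minutes without also lowering nta-recheck violates the second limit.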
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt>
71fc4775d04aea66809e3eb5b5159c55413bdc5cMark Andrews Specifies a maximum permissible TTL value in seconds.
7d704e522860496310bb29c28e76064868401a9cMark Andrews For convenience, TTL-style time unit suffixes may be
7d704e522860496310bb29c28e76064868401a9cMark Andrews used to specify the maximum value.
cc17f4a672fc4ce67327902dd797c4465f12c4c9Mark Andrews When loading a zone file using a
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <code class="option">masterfile-format</code> of
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <code class="constant">text</code> or <code class="constant">raw</code>,
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater any record encountered with a TTL higher than
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater <code class="option">max-zone-ttl</code> will cause the zone to
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater This is useful in DNSSEC-signed zones because when
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater rolling to a new DNSKEY, the old key needs to remain
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater available until RRSIG records have expired from
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater caches. The <code class="option">max-zone-ttl</code> option guarantees
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater that the largest TTL in the zone will be no higher
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater than the set value.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User (NOTE: Because <code class="constant">map</code>-format files
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User load directly into memory, this option cannot be
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User used with them.)
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The default value is <code class="constant">unlimited</code>.
da24e725ff982595d74da7e75e9fbd6a696367ccAutomatic Updater A <code class="option">max-zone-ttl</code> of zero is treated as
e20309353e6246485c521278131d3fced73d7957Tinderbox User<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater If <strong class="userinput"><code>full</code></strong>, the server will collect
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews statistical data on all zones (unless specifically
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson turned off on a per-zone basis by specifying
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">zone-statistics terse</strong></span> or
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">zone-statistics none</strong></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews in the <span><strong class="command">zone</strong></span> statement).
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews The default is <strong class="userinput"><code>terse</code></strong>, providing
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews minimal statistics on zones (including name and
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews current serial number, but not query type
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews These statistics may be accessed via the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">statistics-channel</strong></span> or
8bc3d252395842452a6d2c775cf8445f6349e331Tinderbox User using <span><strong class="command">rndc stats</strong></span>, which
ca5ba35827e475a824ec79d489dbcdb3341a35ccTinderbox User will dump them to the file listed
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User in the <span><strong class="command">statistics-file</strong></span>. See
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User For backward compatibility with earlier versions
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User option can also accept <strong class="userinput"><code>yes</code></strong>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User has the same meaning as <strong class="userinput"><code>full</code></strong>.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews As of <acronym class="acronym">BIND</acronym> 9.10,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <strong class="userinput"><code>no</code></strong> has the same meaning
4c9f230f7ca5b2b08ea8fd7a6944135801dbe152Tinderbox User as <strong class="userinput"><code>none</code></strong>; previously, it
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater was the same as <strong class="userinput"><code>terse</code></strong>.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<div class="titlepage"><div><div><h4 class="title">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If <strong class="userinput"><code>yes</code></strong> and supported by the OS,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User automatically rescan network interfaces when the interface
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User addresses are added or removed. The default is
603cf17f33da24d460616389ec40d6f2a6e110a0Automatic Updater <strong class="userinput"><code>yes</code></strong>.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater Currently the OS needs to support routing sockets for
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span><strong class="command">automatic-interface-scan</strong></span> to be
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>yes</code></strong>, then zones can be
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User added at runtime via <span><strong class="command">rndc addzone</strong></span>.
b5423cbff7175727ed9046c8c670d8a7bb4d01eaTinderbox User The default is <strong class="userinput"><code>no</code></strong>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User is always set on NXDOMAIN responses, even if the server is
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User authoritative. The default is <strong class="userinput"><code>no</code></strong>;
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User a change from <acronym class="acronym">BIND</acronym> 8. If you
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews are using very old DNS software, you
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User may need to set it to <strong class="userinput"><code>yes</code></strong>.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User This option was used in <acronym class="acronym">BIND</acronym>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews 8 to enable checking
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews Write memory statistics to the file specified by
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">memstatistics-file</strong></span> at exit.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User The default is <strong class="userinput"><code>no</code></strong> unless
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater '-m record' is specified on the command line in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater which case it is <strong class="userinput"><code>yes</code></strong>.
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>yes</code></strong>, then the
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User server treats all zones as if they are doing zone transfers
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater a dial-on-demand dialup link, which can be brought up by
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews originating from this server. This has different effects
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews to zone type and concentrates the zone maintenance so that
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater hopefully during the one call. It also suppresses some of
7af91d15b2ce1ce32f7320f6d5cc3b83621c241aAutomatic Updater zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
83d29eff2912ef967596eb5ed148de7668b35564Automatic Updater The <span><strong class="command">dialup</strong></span> option
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater may also be specified in the <span><strong class="command">view</strong></span> and
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span><strong class="command">zone</strong></span> statements,
2ba8f584b97cbab864570e38fd26b8cb90961428Tinderbox User in which case it overrides the global <span><strong class="command">dialup</strong></span>
137fdbc214e99c4cbe57551e9e14f2015c2e42aeTinderbox User If the zone is a master zone, then the server will send out a
098097efb95046a4a5285b6dae95dea3e3b70853Automatic Updater request to all the slaves (default). This should trigger the
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater number check in the slave (providing it supports NOTIFY)
78bc8fdc2488c92d7228e8de19827e2c114c56caAutomatic Updater allowing the slave
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater to verify the zone while the connection is active.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The set of servers to which NOTIFY is sent can be controlled
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User zone is a slave or stub zone, then the server will suppress
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User "zone up to date" (refresh) queries and only perform them
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater <span><strong class="command">heartbeat-interval</strong></span> expires in
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater addition to sending
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews NOTIFY requests.
66cf4a406525db9c42977d8034a60e0a8e2a9290Automatic Updater Finer control can be achieved by using
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
d3ba57ed92b7095fdeabc444af5dd18ac4781064Tinderbox User <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews which suppresses normal refresh processing and sends refresh
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User when the <span><strong class="command">heartbeat-interval</strong></span>
04bc14c887243e624469fdbd336c1d3cb8ed7cc7Tinderbox User <strong class="userinput"><code>passive</code></strong> which just disables normal
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User normal refresh
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater heart-beat refresh
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User heart-beat notify
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">no</strong></span> (default)</p>
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User <p><span><strong class="command">yes</strong></span></p>
6c910bd5e4a85a56e3a61fdf7b237a45bb2553eeTinderbox User <p><span><strong class="command">notify</strong></span></p>
137fdbc214e99c4cbe57551e9e14f2015c2e42aeTinderbox User <p><span><strong class="command">refresh</strong></span></p>
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews <p><span><strong class="command">passive</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">notify-passive</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Note that normal NOTIFY processing is not affected by
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <span><strong class="command">dialup</strong></span>.
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater In <acronym class="acronym">BIND</acronym> 8, this option
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews enabled simulating the obsolete DNS query type
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
04bc14c887243e624469fdbd336c1d3cb8ed7cc7Tinderbox User IQUERY simulation.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
27739dd25026283c24645c8a1044b95ef9eb5ac6Tinderbox User This option is obsolete.
959e5da49a2cff7dfd8fdb885cd11c5d7d94a292Tinderbox User In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews caused the server to attempt to fetch glue resource records
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater didn't have when constructing the additional
c6517a807173827b8f638d31303805ee4c1d8054Automatic Updater data section of a response. This is now considered a bad
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and BIND 9 never does it.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews When the nameserver exits due to receiving SIGTERM,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater flush or do not flush any pending zone writes. The default
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">geoip-use-ecs</strong></span></span></dt>
0ead2ac0a4b59c3e4a731027f0f66fbe602b1289Tinderbox User When BIND is compiled with GeoIP support and configured
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User with "geoip" ACL elements, this option indicates whether
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the EDNS Client Subnet option, if present in a request,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater should be used for matching against the GeoIP database.
d98b4b724343547314bde32a54966c8f124a5f03Mark Andrews The default is
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <span><strong class="command">geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
dbb012765c735ee0d82dedb116cdc7cf18957814Evan Hunt<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User This option was incorrectly implemented
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater To achieve the intended effect
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews In BIND 8, this enables keeping of
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews statistics for every host that the name server interacts
cd6e9010079a4e58f7e30063df3dec0ff154ad59Tinderbox User Not implemented in BIND 9.
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <span class="emphasis"><em>This option is obsolete</em></span>.
dbb012765c735ee0d82dedb116cdc7cf18957814Evan Hunt It was used in <acronym class="acronym">BIND</acronym> 8 to
e705db6d5d886dc14f4a75a2046a075c0750e7eeAutomatic Updater determine whether a transaction log was
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
04bc14c887243e624469fdbd336c1d3cb8ed7cc7Tinderbox User log whenever possible. If you need to disable outgoing
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews incremental zone
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews If <strong class="userinput"><code>yes</code></strong>, then when generating
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater responses the server will only add records to the authority
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and additional data sections when they are required (e.g.
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews delegations, negative responses). This may improve the
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User performance of the server.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The default is <strong class="userinput"><code>no</code></strong>.
40696c4c389a780082fb77840c173b201ce696d6Automatic Updater<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User a domain name to have multiple CNAME records in violation of
40696c4c389a780082fb77840c173b201ce696d6Automatic Updater the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User always strictly enforces the CNAME rules both in master
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater files and dynamic updates.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User If <strong class="userinput"><code>yes</code></strong> (the default),
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User DNS NOTIFY messages are sent when a zone the server is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater authoritative for
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater servers listed in the zone's NS records (except the master
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater server identified
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater in the SOA MNAME field), and to any servers listed in the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">also-notify</strong></span> option.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>master-only</code></strong>, notifies are only
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User for master zones.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater The <span><strong class="command">notify</strong></span> option may also be
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson specified in the <span><strong class="command">zone</strong></span>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews It would only be necessary to turn off this option if it
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews caused slaves
71fa3534bfaf174f6a938dc1ba3522f66606c4e1Mark Andrews<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User If <strong class="userinput"><code>yes</code></strong>, do not check the nameservers
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater in the NS RRset against the SOA MNAME. Normally a NOTIFY
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User message is not sent to the SOA MNAME (SOA ORIGIN) as it is
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User supposed to contain the name of the ultimate master.
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews Sometimes, however, a slave is listed as the SOA MNAME in
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews hidden master configurations and in that case you would
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater want the ultimate master to still send NOTIFY messages to
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews all the nameservers listed in the NS RRset.
e5fe07a7ebff18f7ed4ac434b37daff6c8ee5d5bAutomatic Updater<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>yes</code></strong>, and a
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User DNS query requests recursion, then the server will attempt
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater all the work required to answer the query. If recursion is
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews and the server does not already know the answer, it will
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson referral response. The default is
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <strong class="userinput"><code>yes</code></strong>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews clients from getting data from the server's cache; it only
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews prevents new data from being cached as an effect of client
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User Caching may still occur as an effect of the server's internal
3e9c07abfd4ad76b1f8085f0f96f5646f2d9e219Tinderbox User operation, such as NOTIFY address lookups.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User See also <span><strong class="command">fetch-glue</strong></span> above.
a900e4f99ff134b567b6df5ac2c841c7d0c551d3Automatic Updater<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User NSID (Name Server Identifier) option is sent with all
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User queries to authoritative name servers during iterative
5b4ef313da4283079786e516b4b07a1691e1dc50Mark Andrews resolution. If the authoritative server returns an NSID
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User option in its response, then its contents are logged in
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User the <span><strong class="command">resolver</strong></span> category at level
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span><strong class="command">info</strong></span>.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User The default is <strong class="userinput"><code>no</code></strong>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">request-sit</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">require-server-cookie</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">send-cookie</strong></span></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If <strong class="userinput"><code>yes</code></strong>, then a COOKIE EDNS
faa406d25d1d73b04a1351d1e62ab55557ed61ebAutomatic Updater option is sent along with the query. If the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater resolver has previously talked to the server, the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater COOKIE returned in the previous transaction is sent.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is used by the server to determine whether
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the resolver has talked to it before. A resolver
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User sending the correct COOKIE is assumed not to be an
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User off-path attacker sending a spoofed-source query;
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User the query is therefore unlikely to be part of a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater reflection/amplification attack, so resolvers
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User sending a correct COOKIE option are not subject to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater response rate limiting (RRL). Resolvers which
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews do not send a correct COOKIE option may be limited
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews to receiving smaller responses via the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">nocookie-udp-size</strong></span> option.
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User<dt><span class="term"><span><strong class="command">sit-secret</strong></span></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews This experimental option is obsolete.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term"><span><strong class="command">cookie-algorithm</strong></span></span></dt>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews Set the algorithm to be used when generating the
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews server cookie. One of "aes", "sha1" or "sha256".
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews The default is "aes" if supported by the cryptographic
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews library or otherwise "sha256".
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term"><span><strong class="command">cookie-secret</strong></span></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews If set, this is a shared secret used for generating
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews and verifying Source Identity Token EDNS options
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews within an anycast cluster. If not set, the system
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews will generate a random secret at startup. The
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews shared secret is encoded as a hex string and needs
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews to be 128 bits for AES128, 160 bits for SHA1 and
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews 256 bits for SHA256.
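The following added example (not BIND's code and not BIND's actual cookie construction) models why an anycast cluster needs a common cookie-secret and why a cookie stops validating when the claimed source address changes. The class and function names, the HMAC-SHA256 construction truncated to 8 bytes, and all sample values are assumptions made for illustration; only the secret sizes per algorithm come from the text above.

```python
import hashlib
import hmac
import ipaddress
import os

# Secret sizes stated for cookie-secret, in bits, keyed by cookie-algorithm.
SECRET_BITS = {"aes": 128, "sha1": 160, "sha256": 256}


def parse_cookie_secret(algorithm, hex_secret):
    """Decode a cookie-secret hex string and enforce the length for the algorithm."""
    if algorithm not in SECRET_BITS:
        raise ValueError(f"unknown cookie-algorithm {algorithm!r}")
    raw = bytes.fromhex(hex_secret)  # raises ValueError on non-hex input
    if len(raw) * 8 != SECRET_BITS[algorithm]:
        raise ValueError(
            f"{algorithm} needs {SECRET_BITS[algorithm]} bits, got {len(raw) * 8}")
    return raw


class AnycastNode:
    """Hypothetical model of one server in an anycast cluster."""

    def __init__(self, secret=None):
        # Without a configured cookie-secret, a random secret is generated at startup.
        self.secret = secret if secret is not None else os.urandom(32)

    def server_cookie(self, client_cookie, source_ip):
        # Assumed construction: HMAC-SHA256 over the client cookie and the
        # query's source address, truncated to 8 bytes.
        msg = client_cookie + ipaddress.ip_address(source_ip).packed
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def classify(self, client_cookie, server_cookie, source_ip):
        """Classify a query as 'no-cookie', 'valid' or 'bad-cookie'."""
        if server_cookie is None:
            return "no-cookie"  # candidate for RRL and nocookie-udp-size
        expected = self.server_cookie(client_cookie, source_ip)
        ok = hmac.compare_digest(expected, server_cookie)
        return "valid" if ok else "bad-cookie"


def demo():
    """Run one resolver's cookie against differently configured nodes."""
    shared = parse_cookie_secret("sha256", "0f" * 32)   # constructed secret
    node_a, node_b = AnycastNode(shared), AnycastNode(shared)
    node_c = AnycastNode()                              # cookie-secret not set
    client_cookie = bytes.fromhex("0123456789abcdef")   # constructed value
    resolver = "192.0.2.10"                             # documentation address
    cookie = node_a.server_cookie(client_cookie, resolver)
    return {
        "first_contact": node_a.classify(client_cookie, None, resolver),
        "same_node": node_a.classify(client_cookie, cookie, resolver),
        "other_node_shared_secret": node_b.classify(client_cookie, cookie, resolver),
        "other_node_random_secret": node_c.classify(client_cookie, cookie, resolver),
        "different_source_address": node_a.classify(client_cookie, cookie, "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

A node that generated its own random secret rejects cookies issued by its anycast peers, so legitimate resolvers whose queries land on a different node lose the exemption from response rate limiting.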
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews Setting this to <strong class="userinput"><code>yes</code></strong> will
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews cause the server to send NS records along with the SOA
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews record for negative
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews answers. The default is <strong class="userinput"><code>no</code></strong>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Not yet implemented in <acronym class="acronym">BIND</acronym>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews <span class="emphasis"><em>This option is obsolete</em></span>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <acronym class="acronym">BIND</acronym> 9 always allocates query
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews IDs from a pool.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews <span class="emphasis"><em>This option is obsolete</em></span>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews If you need to disable IXFR to a particular server or
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews servers, see
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews the information on the <span><strong class="command">provide-ixfr</strong></span> option
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews Usage”</a>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
e23256e740b238bddb4ba41ffac5f81a01c92245Automatic Updater<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User See the description of
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <span><strong class="command">provide-ixfr</strong></span> in
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Usage”</a>.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User See the description of
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">request-ixfr</strong></span> in
cd6e9010079a4e58f7e30063df3dec0ff154ad59Tinderbox User <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
cd6e9010079a4e58f7e30063df3dec0ff154ad59Tinderbox User Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
2f60dbd3787caa91e8ab1d7ae39ea312ad5ba31fAutomatic Updater Usage”</a>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews<dt><span class="term"><span><strong class="command">request-expire</strong></span></span></dt>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews See the description of
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <span><strong class="command">request-expire</strong></span> in
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews Usage”</a>.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews This option was used in <acronym class="acronym">BIND</acronym> 8 to make
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User as a space or tab character,
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User to facilitate loading of zone files on a UNIX system that
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User were generated
22d32791e5daa0bc80335a0f10ab2de95f41ccdbTinderbox User on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User are always accepted,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User and the option is ignored.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews These options control the behavior of an authoritative server when
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews answering queries which have additional data, or when
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews following CNAME
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and DNAME chains.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When both of these options are set to <strong class="userinput"><code>yes</code></strong>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews (the default) and a
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson query is being answered from authoritative data (a zone
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews configured into the server), the additional data section of the
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews reply will be filled in using data from other authoritative zones
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and from the cache. In some situations this is undesirable, such
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews as when there is concern over the correctness of the cache, or
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews in servers where slave zones may be added and modified by
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews untrusted third parties. Also, avoiding
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews the search for this additional data will speed up server operations
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User at the possible expense of additional queries to resolve what would
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User otherwise be provided in the additional section.
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User if known, even though they are not in the example.com zone.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Setting these options to <span><strong class="command">no</strong></span>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User disables this behavior and makes
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User the server only search for additional data in the zone it
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User answers from.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User These options are intended for use in authoritative-only
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews servers, or in authoritative-only views. Attempts to set
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User them to <span><strong class="command">no</strong></span> without also specifying
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">recursion no</strong></span> will cause the server to
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User ignore the options and log a warning message.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User disables the use of the cache not only for additional data
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews but also when looking up the answer. This is usually the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User behavior in an authoritative-only server where the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User correctness of
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User the cached data is an issue.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews When a name server is non-recursively queried for a name that is not
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User below the apex of any served zone, it normally answers with an
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User "upwards referral" to the root servers or the servers of some other
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews known parent of the query name. Since the data in an
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews upwards referral
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews comes from the cache, the server will not be able to provide
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User referrals when <span><strong class="command">additional-from-cache no</strong></span>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User has been specified. Instead, it will respond to such queries
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User with REFUSED. This should not cause any problems since
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User upwards referrals are not required for the resolution process.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If <strong class="userinput"><code>yes</code></strong>, then an
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User IPv4-mapped IPv6 address will match any address match
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User list entries that match the corresponding IPv4 address.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This option was introduced to work around a kernel quirk
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User in some operating systems that causes IPv4 TCP
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User connections, such as zone transfers, to be accepted on an
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User IPv6 socket using mapped addresses. This caused address
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User match lists designed for IPv4 to fail to match. However,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">named</strong></span> now solves this problem
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User internally. The use of this option is discouraged.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This option is only available when
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <acronym class="acronym">BIND</acronym> 9 is compiled with the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User "configure" command line. It is intended to help the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User transition from IPv4 to IPv6 by not giving IPv6 addresses
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater to DNS clients unless they have connections to the IPv6
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Internet. This is not recommended unless absolutely
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User necessary. The default is <strong class="userinput"><code>no</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User may also be specified in <span><strong class="command">view</strong></span> statements
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span> option.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If <strong class="userinput"><code>yes</code></strong>,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User the DNS client is at an IPv4 address listed in <span><strong class="command">filter-aaaa</strong></span>,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User and the response does not include DNSSEC signatures,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User then all AAAA records are deleted from the response.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This filtering applies to all responses and not only
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User authoritative responses.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If <strong class="userinput"><code>break-dnssec</code></strong>,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User then AAAA records are deleted even when DNSSEC is enabled.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User As suggested by the name, this makes the response not verify,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User because the DNSSEC protocol is designed to detect deletions.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This mechanism can erroneously cause other servers to
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User not give AAAA records to their clients.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User A recursing server with both IPv6 and IPv4 network connections
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User that queries an authoritative server using this mechanism
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews via IPv4 will be denied AAAA records even if its client is using IPv6.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews This mechanism is applied to authoritative as well as
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews non-authoritative records.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User A client using IPv4 that is not allowed recursion can
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User erroneously be given AAAA records because the server is not
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User allowed to check for A records.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Some AAAA records are given to IPv4 clients in glue records.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User IPv4 clients that are servers can then erroneously
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User answer requests for AAAA records received via IPv4.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">filter-aaaa-on-v6</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Identical to <span><strong class="command">filter-aaaa-on-v4</strong></span>,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User except it filters AAAA responses to queries from IPv6
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews clients instead of IPv4 clients. To filter all
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User responses, set both options to <strong class="userinput"><code>yes</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User When <strong class="userinput"><code>yes</code></strong> and the server loads a new
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User version of a master zone from its zone file or receives a
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User new version of a slave file via zone transfer, it will
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User compare the new version to the previous one and calculate
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User a set of differences. The differences are then logged in
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User the zone's journal file such that the changes can be
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User transmitted to downstream slaves as an incremental zone transfer.
d3be47a4a841ca6fc07e8f18004cf72174e2d117Tinderbox User By allowing incremental zone transfers to be used for
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User non-dynamic zones, this option saves bandwidth at the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User expense of increased CPU and memory consumption at the master.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User In particular, if the new version of a zone is completely
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User different from the previous one, the set of differences
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User will be of a size comparable to the combined size of the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User old and new zone version, and the server will need to
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User temporarily allocate memory to hold this complete
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User difference set.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<p><span><strong class="command">ixfr-from-differences</strong></span>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User also accepts <span><strong class="command">master</strong></span> and
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">slave</strong></span> at the view and options
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User levels which causes
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User all <span><strong class="command">master</strong></span> or
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">slave</strong></span> zones respectively.
3d2e052eb879189e6d853097f8b568d887323bebTinderbox User It is off by default.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This should be set when you have multiple masters for a zone and the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will not log
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User when the serial number on the master is less than what <span><strong class="command">named</strong></span>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User has. The default is <strong class="userinput"><code>no</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This indicates whether DNSSEC-related resource
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User records are to be returned by <span><strong class="command">named</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If set to <strong class="userinput"><code>no</code></strong>,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">named</strong></span> will not return DNSSEC-related
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User resource records unless specifically queried for.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The default is <strong class="userinput"><code>yes</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User set to <strong class="userinput"><code>yes</code></strong> to be effective.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User DNSSEC validation is enabled, and a default
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User trust-anchor for the DNS root zone is used. If set to
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews but a trust anchor must be manually configured using
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User a <span><strong class="command">trusted-keys</strong></span> or
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">managed-keys</strong></span> statement. The default
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User is <strong class="userinput"><code>yes</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Whenever the resolver sends out queries to an
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User EDNS-compliant server, it always sets the DO bit
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews indicating it can support DNSSEC responses even if
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">dnssec-validation</strong></span> is off.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Accept expired signatures when verifying DNSSEC signatures.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The default is <strong class="userinput"><code>no</code></strong>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Setting this option to <strong class="userinput"><code>yes</code></strong>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User leaves <span><strong class="command">named</strong></span> vulnerable to
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User replay attacks.
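The option interactions described above can be checked mechanically. The following is an added example, not part of BIND or of this manual: a small named.conf audit whose function names (parse, audit) and sample configuration are constructed for illustration. It inspects only the global options block, does not handle comment characters inside quoted strings, and assumes recursion defaults to yes, which this section does not state.

```python
import re

# Quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
# named.conf accepts C, C++ and shell style comments.
COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def parse(conf):
    """Return (simple options as a dict, names of top-level statements)."""
    options, top_level = {}, set()
    stack, stmt = [], []
    for tok in TOKEN.findall(COMMENT.sub(" ", conf)):
        if tok == "{":
            stack.append(stmt[0] if stmt else "")
            if len(stack) == 1:
                top_level.add(stack[0])
            stmt = []
        elif tok == "}":
            if stack:
                stack.pop()
            stmt = []
        elif tok == ";":
            # Record "key value;" pairs that sit directly inside options { }.
            if stack == ["options"] and len(stmt) >= 2:
                options[stmt[0]] = " ".join(stmt[1:]).strip('"')
            stmt = []
        else:
            stmt.append(tok)
    return options, top_level


def audit(conf):
    """Return (option, message) findings for the interactions in this section."""
    opts, top = parse(conf)
    get = lambda key, default: opts.get(key, default).lower()
    findings = []
    if get("dnssec-accept-expired", "no") == "yes":
        findings.append(("dnssec-accept-expired",
                         "expired signatures are accepted; named is open to replay"))
    validation = get("dnssec-validation", "yes")
    if validation != "no" and get("dnssec-enable", "yes") == "no":
        findings.append(("dnssec-validation",
                         "not effective while dnssec-enable is no"))
    if validation == "yes" and not top & {"trusted-keys", "managed-keys"}:
        findings.append(("dnssec-validation",
                         "yes needs a trusted-keys or managed-keys statement"))
    if get("recursion", "yes") != "no":
        for key in ("additional-from-auth", "additional-from-cache"):
            if get(key, "yes") == "no":
                findings.append((key, "ignored with a warning unless recursion no is set"))
    for key in ("filter-aaaa-on-v4", "filter-aaaa-on-v6"):
        if get(key, "no") == "break-dnssec":
            findings.append((key, "AAAA removal makes signed responses fail to verify"))
    return findings


# Constructed sample input, not a recommended configuration.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    additional-from-cache no;   # has no effect: recursion is still on
    dnssec-validation yes;      // no trust anchor statement below
    dnssec-accept-expired yes;
    filter-aaaa-on-v4 break-dnssec;
};
zone "example.com" { type master; file "example.com.db"; };
'''

if __name__ == "__main__":
    for option, message in audit(SAMPLE_CONF):
        print(f"{option}: {message}")
```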
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater Specify whether query logging should be started when <span><strong class="command">named</strong></span> starts.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User If <span><strong class="command">querylog</strong></span> is not specified,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User then the query logging
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This option is used to restrict the character set and syntax of
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User certain domain names in master files and/or DNS responses received
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User from the network. The default varies according to usage area. For
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews For <span><strong class="command">slave</strong></span> zones the default
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User is <span><strong class="command">warn</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User For answers received from the network (<span><strong class="command">response</strong></span>)
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User the default is <span><strong class="command">ignore</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The rules for legal hostnames and mail domains are derived
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews from RFC 952 and RFC 821 as modified by RFC 1123.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<p><span><strong class="command">check-names</strong></span>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User applies to the owner names of A, AAAA and MX records.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User It also applies to the domain names in the RDATA of NS, SOA,
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User MX, and SRV records.
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater It also applies to the RDATA of PTR records where the owner
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User name indicates that it is a reverse lookup of a hostname
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User Check master zones for records that are treated as different
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User by DNSSEC but are semantically equal in plain DNS. The
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User default is to <span><strong class="command">warn</strong></span>. Other possible
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews values are <span><strong class="command">fail</strong></span> and
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User <span><strong class="command">ignore</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews Check whether the MX record appears to refer to an IP address.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The default is to <span><strong class="command">warn</strong></span>. Other possible
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User values are <span><strong class="command">fail</strong></span> and
e9ab17d95e4288ab5ddedb7c89a9588c13c74bddMark Andrews <span><strong class="command">ignore</strong></span>.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User This option is used to check for non-terminal wildcards.
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User The use of non-terminal wildcards is almost always the
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User result of a failure
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User to understand the wildcard matching algorithm (RFC 1034). This option
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
9f6827a4afb75224214ea96452e787e7f710b8b6Tinderbox User for non-terminal wildcards and issue a warning.
<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
 Perform post-load zone integrity checks on master
 zones. This checks that MX and SRV records refer
 to address (A or AAAA) records and that glue
 address records exist for delegated zones. For
 MX and SRV records, only in-zone hostnames are
 checked (for out-of-zone hostnames use
 <span><strong class="command">named-checkzone</strong></span>).
 For NS records, only names below the top of the zone are
 checked (for out-of-zone names and glue consistency
 checks use <span><strong class="command">named-checkzone</strong></span>).
 The default is <span><strong class="command">yes</strong></span>.
 The use of the SPF record for publishing Sender
 Policy Framework is deprecated as the migration
 from using TXT records to SPF records was abandoned.
 Enabling this option also checks that a TXT Sender
 Policy Framework record exists (starts with "v=spf1")
 if there is an SPF record. Warnings are emitted if the
 TXT record does not exist and can be suppressed with
 <span><strong class="command">check-spf</strong></span>.
<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
 If <span><strong class="command">check-integrity</strong></span> is set then
 fail, warn or ignore MX records that refer
 to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
 If <span><strong class="command">check-integrity</strong></span> is set then
 fail, warn or ignore SRV records that refer
 to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
 When performing integrity checks, also check that
 sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
 If <span><strong class="command">check-integrity</strong></span> is set then
 check that there is a TXT Sender Policy Framework
 record present (starts with "v=spf1") if there is an
 SPF record present. The default is
 <span><strong class="command">warn</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
 When returning authoritative negative responses to
 SOA queries, set the TTL of the SOA record returned in
 the authority section to zero.
 The default is <span><strong class="command">yes</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
 When caching a negative response to a SOA query,
 set the TTL to zero.
 The default is <span><strong class="command">no</strong></span>.
<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
 When set to the default value of <code class="literal">yes</code>,
 check the KSK bit in each key to determine how the key
 should be used when generating RRSIGs for a secure zone.
 Ordinarily, zone-signing keys (that is, keys without the
 KSK bit set) are used to sign the entire zone, while
 key-signing keys (keys with the KSK bit set) are only
 used to sign the DNSKEY RRset at the zone apex.
 However, if this option is set to <code class="literal">no</code>,
 then the KSK bit is ignored; KSKs are treated as if they
 were ZSKs and are used to sign the entire zone. This is
 similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
 command line option.
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">keep-response-order</strong></span></span></dt>
a response contains the names "example.com" and
(i.e., records of type NS, MX, CNAME, etc) will always
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">startup-notify-rate</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
<a name="fetches-per-zone"></a><span class="term"><span><strong class="command">fetches-per-zone</strong></span></span>
<a name="fetches-per-server"></a><span class="term"><span><strong class="command">fetches-per-server</strong></span></span>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
a zone-signing process, i.e., whether it is still active
<span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
IPv4 address as in IN-ADDR.ARPA.
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
wildcard such as *.example.com.
<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span>
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
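<p>The following added example (not part of the BIND documentation or source) decodes the records of the sample policy zone above into a trigger, the name or address block it matches, and the resulting action, which is useful when auditing a policy zone before loading it. It assumes records written as "owner type rdata" like the sample, and the function names and the "qname" label for plain owner names are this example's own; rejecting address blocks with host bits set is a choice of the example.</p>

```python
import ipaddress

# Owner-name suffixes whose leading labels encode an address block.
IP_TRIGGERS = ("rpz-ip", "rpz-nsip", "rpz-client-ip")

# CNAME targets that select a policy, as annotated in the sample zone.
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-Only",
}

# Records copied from the sample policy zone shown on this page.
SAMPLE_ZONE = """\
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
"""


def decode_ip_trigger(owner):
    """Return (trigger, network) for an owner such as 8.0.0.0.127.rpz-ip."""
    labels = owner.rstrip(".").lower().split(".")
    trigger = labels[-1]
    if trigger not in IP_TRIGGERS:
        raise ValueError("not an address trigger: %r" % owner)
    prefixlen = int(labels[0])          # first label is the prefix length
    words = labels[1:-1][::-1]          # address is written in reverse order
    if "zz" in words or len(words) == 8:
        # IPv6: 16-bit hex words, with one "zz" standing in for "::".
        if words.count("zz") > 1:
            raise ValueError("more than one zz label: %r" % owner)
        if "zz" in words:
            i = words.index("zz")
            addr = ":".join(words[:i]) + "::" + ":".join(words[i + 1:])
        else:
            addr = ":".join(words)
    elif len(words) == 4:
        # IPv4: four decimal octets, reversed as in IN-ADDR.ARPA.
        addr = ".".join(words)
    else:
        raise ValueError("cannot parse address labels: %r" % owner)
    # strict=True rejects blocks with bits set beyond the prefix length.
    return trigger, ipaddress.ip_network("%s/%d" % (addr, prefixlen), strict=True)


def classify(line):
    """Return (trigger, match, action) for one record, or None to skip it."""
    fields = line.split(";", 1)[0].split()   # drop the trailing comment
    if len(fields) < 3 or fields[1].upper() in ("SOA", "NS"):
        return None
    owner, rtype, rdata = fields[0], fields[1].upper(), " ".join(fields[2:])
    labels = owner.rstrip(".").lower().split(".")
    if labels[-1] in IP_TRIGGERS:
        trigger, match = decode_ip_trigger(owner)
    elif labels[-1] == "rpz-nsdname":
        trigger, match = "rpz-nsdname", ".".join(labels[:-1])
    else:
        trigger, match = "qname", ".".join(labels)
    if rtype == "CNAME" and rdata.lower() in ACTIONS:
        action = ACTIONS[rdata.lower()]
    else:
        action = "local data %s %s" % (rtype, rdata)
    return trigger, str(match), action


def decode_zone(text):
    """Decode every policy record in a zone fragment."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for trigger, match, action in decode_zone(SAMPLE_ZONE):
        print("%-14s %-24s %s" % (trigger, match, action))
```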
<span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
This controls flooding using random.wild.example.com.
<span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
<span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
<span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
With a redirect zone (<span><strong class="command">zone "." { type redirect; };</strong></span>), the
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> nocookie-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
<span><strong class="command">edns-udp-size</strong></span> in <span><strong class="command">options</strong></span>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2593078"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
<a href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
<a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
<a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
<a href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2593580"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2593634"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2594001"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
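[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]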
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2596017"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non-recursive queries (i.e., those with the RD
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and Usage”</a>.
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and Usage”</a>.
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
zone example.com {
file "example-external.db";
zone example.com {
Zone-level ACLs (e.g. allow-query, allow-transfer) and
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2603611"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2603627"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2603688"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2603757"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2603794"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2608540"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&#160;</td>