Bv9ARM.ch06.html revision a404eb87dc8f91fe81bedce8bb3957fc3c7684a5
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.153 2007/04/24 06:19:25 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573502">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574115"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574305"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574802"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574817"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574840"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574861"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574952"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575078"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576428"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576502"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576566"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576610"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576625"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585504"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585553"><span><strong class="command">trusted-keys</strong></span> Statement Definition
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585633"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587097"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589333">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591286">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591974">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592101">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592358"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features.
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
</colgroup>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
A named list of one or more <code class="varname">ip_addr</code>
A <code class="varname">masters_list</code> may include other
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
An IPv4 address with exactly four elements
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
netmask. Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
the name of a shared key, to be used for transaction
A list of one or more
separated by semicolons and ending with a semicolon.
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
to safely set a really large number.
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<a name="id2573383"></a>Definition and Usage</h4></div></div></div>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements
which constitute an address match list can be any of the
following:
a key ID, as defined by the <span><strong class="command">key</strong></span> statement
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets"
are predefined. More information on those names can be found in
the description of the acl statement.
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless,
the term "address match list" is still used throughout the
documentation.
When a given IP address or prefix is compared to an address
match list, the list is traversed in order until an element
matches.
The interpretation of a match depends on whether the list is being
used for access control, defining listen-on ports, or in a sortlist,
and whether the element was negated.
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the listen-on option will cause the
server to not accept queries on any of the machine's
addresses which do not match the list.
Because of the first-match aspect of the algorithm, an element
that defines a subset of another element in the list should come
before the broader element, regardless of whether either is
negated. For
example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
element is
completely useless because the algorithm will match any lookup for
1.2.3.13 to the 1.2.3/24 element.
Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation but all
other 1.2.3.* hosts fall through.
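The first-match rule described above, as an added example (not part of the BIND documentation or source): a Python model of a flat address match list that evaluates a client address and flags elements shadowed by an earlier, broader element. It handles only IP addresses, prefixes and the predefined names any and none; keys, nested lists, localhost and localnets are not modelled, and the function names are this example's own.

```python
import ipaddress


def parse_prefix(text):
    """Parse an ip_prefix such as '127/8', '1.2.3/24' or a bare host address."""
    addr, slash, length = text.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        # Trailing zero octets may be omitted only when a prefix length is given.
        if len(octets) > 4 or (not slash and len(octets) != 4):
            raise ValueError(f"bad IPv4 element: {text!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # 127 -> 127.0.0.0
    # A bare address becomes a host network (/32 for IPv4, /128 for IPv6).
    return ipaddress.ip_network(addr + (slash + length if slash else ""))


def parse_list(text):
    """Return [(element_text, negated, networks)] for a flat address match list."""
    elements = []
    for raw in text.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        name = token.lstrip("!").strip()
        if name == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif name == "none":
            nets = []
        else:
            nets = [parse_prefix(name)]
        elements.append((token, negated, nets))
    return elements


def acl_allows(acl_text, client):
    """Access-control reading: first match decides, no match means deny."""
    ip = ipaddress.ip_address(client)
    for _token, negated, nets in parse_list(acl_text):
        if any(n.version == ip.version and ip in n for n in nets):
            return not negated  # non-negated match allows, negated match denies
    return False


def shadowed_elements(acl_text):
    """Return (element, earlier_element) pairs where the element can never match
    because an earlier element already covers every address it names."""
    found = []
    elements = parse_list(acl_text)
    for j, (token, _negated, nets) in enumerate(elements):
        for earlier, _eneg, enets in elements[:j]:
            covered = nets and all(
                any(n.version == e.version and n.subnet_of(e) for e in enets)
                for n in nets
            )
            if covered:
                found.append((token, earlier))
                break
    return found


if __name__ == "__main__":
    for acl in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24;"):
        print(acl, "->", acl_allows(acl, "1.2.3.13"), shadowed_elements(acl))
```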
<a name="id2573502"></a>Comment Syntax</h3></div></div></div>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
<a name="id2573616"></a>Definition and Usage</h4></div></div></div>
Comments may appear anywhere that white space may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
C-style comments start with the two characters /* (slash,
star) and end with */ (star, slash). Because they are completely
delimited with these characters, they can be used to comment only
a portion of a line or to span multiple lines.
C-style comments cannot be nested. For example, the following
is not valid because the entire comment ends with the first */:
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
C++-style comments start with the two characters // (slash,
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
For example:
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
Shell-style (or perl-style, if you prefer) comments start
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
For example:
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
You cannot use the semicolon (`;') character
to start a comment such as you would in a zone file. The
semicolon indicates the end of a configuration
statement.
</div>
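The comment rules above, as an added example (not ISC code): a small Python stripper that applies them to a constructed configuration fragment, showing that after a failed attempt at nesting, the text following the first */ is live configuration again. The sample text and function names are this example's own, and quoted strings are assumed to contain no escaped quotes.

```python
def strip_comments(text):
    """Remove /* */, // and # comments; leave quoted strings and ';' untouched."""
    out = []
    i, n, in_string = 0, len(text), False
    while i < n:
        ch = text[i]
        if ch == '"' or in_string:
            # Inside a quoted string, comment markers are ordinary data.
            if ch == '"':
                in_string = not in_string
            out.append(ch)
            i += 1
        elif text.startswith("/*", i):
            # C-style: ends at the FIRST */, so nesting is impossible.
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            # Keep line breaks so line numbers in later reports stay correct.
            out.append(" " + "\n" * text.count("\n", i, end))
            i = end + 2
        elif text.startswith("//", i) or ch == "#":
            # C++ and shell style: run to the end of the physical line.
            newline = text.find("\n", i)
            i = n if newline == -1 else newline
        else:
            out.append(ch)  # includes ';', which never starts a comment here
            i += 1
    return "".join(out)


def live_lines(text):
    """Non-empty lines that remain once comments are removed."""
    return [ln.strip() for ln in strip_comments(text).splitlines() if ln.strip()]


# Constructed sample: the operator believes allow-transfer is commented out.
SAMPLE = '''options {
/* transfers disabled during migration
/* old rule */
    allow-transfer { any; };
*/
    directory "/var/named//#zones";  // markers inside quotes are data
    recursion no;  # shell-style comment
};
'''

if __name__ == "__main__":
    for line in live_lines(SAMPLE):
        print(line)
```

The stray `*/` left behind in the output is why the nested form is not valid, and the `allow-transfer` line above it is no longer inside any comment.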
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<div class="titlepage"><div><div><h2 class="title" style="clear: both">
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy A <acronym class="acronym">BIND</acronym> 9 configuration consists of
c869993e79c1eafbec61a56bf6cea848fe754c71xy statements and comments.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Statements end with a semicolon. Statements and comments are the
c869993e79c1eafbec61a56bf6cea848fe754c71xy only elements that can appear without enclosing braces. Many
c869993e79c1eafbec61a56bf6cea848fe754c71xy statements contain a block of sub-statements, which are also
c869993e79c1eafbec61a56bf6cea848fe754c71xy terminated with a semicolon.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The following statements are supported:
c869993e79c1eafbec61a56bf6cea848fe754c71xy</colgroup>
c869993e79c1eafbec61a56bf6cea848fe754c71xy defines a named IP address
c869993e79c1eafbec61a56bf6cea848fe754c71xy matching list, for access control and other uses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">controls</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy declares control channels to be used
c869993e79c1eafbec61a56bf6cea848fe754c71xy by the <span><strong class="command">rndc</strong></span> utility.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">include</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy includes a file.
c869993e79c1eafbec61a56bf6cea848fe754c71xy specifies key information for use in
c869993e79c1eafbec61a56bf6cea848fe754c71xy authentication and authorization using TSIG.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">logging</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy specifies what the server logs, and where
c869993e79c1eafbec61a56bf6cea848fe754c71xy the log messages are sent.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">lwres</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy configures <span><strong class="command">named</strong></span> to
c869993e79c1eafbec61a56bf6cea848fe754c71xy also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">masters</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy defines a named masters list for
c869993e79c1eafbec61a56bf6cea848fe754c71xy inclusion in stub and slave zone masters clauses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">options</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy controls global server configuration
c869993e79c1eafbec61a56bf6cea848fe754c71xy options and sets defaults for other statements.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">server</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy sets certain configuration options on
c869993e79c1eafbec61a56bf6cea848fe754c71xy a per-server basis.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">trusted-keys</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy defines trusted DNSSEC keys.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">view</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy defines a view.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">zone</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy defines a zone.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">logging</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">options</strong></span> statements may only occur once
c869993e79c1eafbec61a56bf6cea848fe754c71xy per configuration.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574115"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
c869993e79c1eafbec61a56bf6cea848fe754c71xy address_match_list
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xy</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">acl</strong></span> statement assigns a symbolic
c869993e79c1eafbec61a56bf6cea848fe754c71xy name to an address match list. It gets its name from a primary
c869993e79c1eafbec61a56bf6cea848fe754c71xy use of address match lists: Access Control Lists (ACLs).
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that an address match list's name must be defined
c869993e79c1eafbec61a56bf6cea848fe754c71xy with <span><strong class="command">acl</strong></span> before it can be used
c869993e79c1eafbec61a56bf6cea848fe754c71xy elsewhere; no
c869993e79c1eafbec61a56bf6cea848fe754c71xy forward references are allowed.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The following ACLs are built-in:
c869993e79c1eafbec61a56bf6cea848fe754c71xy</colgroup>
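c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">any</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Matches all hosts.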
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">none</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Matches no hosts.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">localhost</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Matches the IPv4 and IPv6 addresses of all network
c869993e79c1eafbec61a56bf6cea848fe754c71xy interfaces on the system.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">localnets</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Matches any host on an IPv4 or IPv6 network
c869993e79c1eafbec61a56bf6cea848fe754c71xy for which the system has an interface.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Some systems do not provide a way to determine the prefix
c869993e79c1eafbec61a56bf6cea848fe754c71xy lengths of
c869993e79c1eafbec61a56bf6cea848fe754c71xy local IPv6 addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In such a case, <span><strong class="command">localnets</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy only matches the local
c869993e79c1eafbec61a56bf6cea848fe754c71xy IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574305"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting"><span><strong class="command">controls</strong></span> {
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
c869993e79c1eafbec61a56bf6cea848fe754c71xy keys { <em class="replaceable"><code>key_list</code></em> }; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ inet ...; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ unix ...; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xy</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">controls</strong></span> statement declares control
c869993e79c1eafbec61a56bf6cea848fe754c71xy channels to be used by system administrators to control the
c869993e79c1eafbec61a56bf6cea848fe754c71xy operation of the name server. These control channels are
c869993e79c1eafbec61a56bf6cea848fe754c71xy used by the <span><strong class="command">rndc</strong></span> utility to send
c869993e79c1eafbec61a56bf6cea848fe754c71xy commands to and retrieve non-DNS results from a name server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy An <span><strong class="command">inet</strong></span> control channel is a TCP socket
c869993e79c1eafbec61a56bf6cea848fe754c71xy listening at the specified <span><strong class="command">ip_port</strong></span> on the
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
c869993e79c1eafbec61a56bf6cea848fe754c71xy address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
c869993e79c1eafbec61a56bf6cea848fe754c71xy interpreted as the IPv4 wildcard address; connections will be
c869993e79c1eafbec61a56bf6cea848fe754c71xy accepted on any of the system's IPv4 addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy To listen on the IPv6 wildcard address,
c869993e79c1eafbec61a56bf6cea848fe754c71xy use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If you will only use <span><strong class="command">rndc</strong></span> on the local host,
c869993e79c1eafbec61a56bf6cea848fe754c71xy using the loopback address (<code class="literal">127.0.0.1</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy or <code class="literal">::1</code>) is recommended for maximum security.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no port is specified, port 953 is used. The asterisk
c869993e79c1eafbec61a56bf6cea848fe754c71xy "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The ability to issue commands over the control channel is
c869993e79c1eafbec61a56bf6cea848fe754c71xy restricted by the <span><strong class="command">allow</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">keys</strong></span> clauses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Connections to the control channel are permitted based on the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">address_match_list</strong></span>. This is for simple
c869993e79c1eafbec61a56bf6cea848fe754c71xy IP address based filtering only; any <span><strong class="command">key_id</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy elements of the <span><strong class="command">address_match_list</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy are ignored.
c869993e79c1eafbec61a56bf6cea848fe754c71xy A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
c869993e79c1eafbec61a56bf6cea848fe754c71xy socket listening at the specified path in the file system.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that on some platforms (SunOS and Solaris) the permissions
c869993e79c1eafbec61a56bf6cea848fe754c71xy (<span><strong class="command">perm</strong></span>) are applied to the parent directory
c869993e79c1eafbec61a56bf6cea848fe754c71xy as the permissions on the socket itself are ignored.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The primary authorization mechanism of the command
c869993e79c1eafbec61a56bf6cea848fe754c71xy channel is the <span><strong class="command">key_list</strong></span>, which
c869993e79c1eafbec61a56bf6cea848fe754c71xy contains a list of <span><strong class="command">key_id</strong></span>s.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy is authorized to execute commands over the control channel.
c869993e79c1eafbec61a56bf6cea848fe754c71xy See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
c869993e79c1eafbec61a56bf6cea848fe754c71xy for information about configuring keys in <span><strong class="command">rndc</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no <span><strong class="command">controls</strong></span> statement is present,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span> will set up a default
c869993e79c1eafbec61a56bf6cea848fe754c71xy control channel listening on the loopback address 127.0.0.1
c869993e79c1eafbec61a56bf6cea848fe754c71xy and its IPv6 counterpart ::1.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In this case, and also when the <span><strong class="command">controls</strong></span> statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy is present but does not have a <span><strong class="command">keys</strong></span> clause,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span> will attempt to load the command channel key
c869993e79c1eafbec61a56bf6cea848fe754c71xy from the file <code class="filename">rndc.key</code> in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy was specified as when <acronym class="acronym">BIND</acronym> was built).
c869993e79c1eafbec61a56bf6cea848fe754c71xy To create a <code class="filename">rndc.key</code> file, run
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>rndc-confgen -a</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <code class="filename">rndc.key</code> feature was created to
c869993e79c1eafbec61a56bf6cea848fe754c71xy ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
c869993e79c1eafbec61a56bf6cea848fe754c71xy which did not have digital signatures on its command channel
c869993e79c1eafbec61a56bf6cea848fe754c71xy messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
c869993e79c1eafbec61a56bf6cea848fe754c71xy configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
c869993e79c1eafbec61a56bf6cea848fe754c71xy and still have <span><strong class="command">rndc</strong></span> work the same way
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
c869993e79c1eafbec61a56bf6cea848fe754c71xy command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
c869993e79c1eafbec61a56bf6cea848fe754c71xy installed.
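c869993e79c1eafbec61a56bf6cea848fe754c71xy Since the <code class="filename">rndc.key</code> feature
c869993e79c1eafbec61a56bf6cea848fe754c71xy is only intended to allow the backward-compatible usage of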
c869993e79c1eafbec61a56bf6cea848fe754c71xy <acronym class="acronym">BIND</acronym> 8 configuration files, this
c869993e79c1eafbec61a56bf6cea848fe754c71xy feature does not
c869993e79c1eafbec61a56bf6cea848fe754c71xy have a high degree of configurability. You cannot easily change
c869993e79c1eafbec61a56bf6cea848fe754c71xy the key name or the size of the secret, so you should make a
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">rndc.conf</code> with your own key if you
c869993e79c1eafbec61a56bf6cea848fe754c71xy wish to change
c869993e79c1eafbec61a56bf6cea848fe754c71xy those things. The <code class="filename">rndc.key</code> file
c869993e79c1eafbec61a56bf6cea848fe754c71xy also has its
c869993e79c1eafbec61a56bf6cea848fe754c71xy permissions set such that only the owner of the file (the user that
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span> is running as) can access it.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If you desire greater flexibility in allowing other users to access
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">rndc</strong></span> commands, then you need to create
c869993e79c1eafbec61a56bf6cea848fe754c71xy a <code class="filename">rndc.conf</code> file and make it group
c869993e79c1eafbec61a56bf6cea848fe754c71xy readable by a group
c869993e79c1eafbec61a56bf6cea848fe754c71xy that contains the users who should have access.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl To disable the command channel, use an empty
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">controls</strong></span> statement:
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">controls { };</strong></span>.
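The following Python sketch is an added example, not code from BIND or this manual: it audits the controls statements of a configuration against the rules described above (wildcard or non-loopback listen addresses, an allow list that matches every host, key elements in allow that are ignored, and a missing keys clause that makes named fall back to rndc.key). The function names, the simplified lexer and the sample configuration are assumptions made for the illustration.

```python
import re

# Simplified named.conf lexer: quoted strings, braces, semicolons, bare words.
# Limitation: comment markers inside quoted strings are not handled.
_COMMENT = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')
_DELTA = {'{': 1, '}': -1}
LOOPBACK = {'127.0.0.1', '::1'}
WILDCARD = {'*', '::'}          # IPv4 and IPv6 wildcard forms of ip_addr


def tokenize(text):
    return _TOKEN.findall(_COMMENT.sub(' ', text))


def controls_blocks(tokens):
    """Return the body tokens of every top-level `controls { ... }` statement."""
    blocks, depth, i = [], 0, 0
    while i < len(tokens):
        if depth == 0 and tokens[i:i + 2] == ['controls', '{']:
            j, inner = i + 2, 1
            while j < len(tokens) and inner:
                inner += _DELTA.get(tokens[j], 0)
                j += 1
            blocks.append(tokens[i + 2:j - 1])
            i = j
        else:
            depth += _DELTA.get(tokens[i], 0)
            i += 1
    return blocks


def entries(body):
    """Split a controls body into inet/unix entries (';' at brace depth 0)."""
    out, cur, depth = [], [], 0
    for tok in body:
        depth += _DELTA.get(tok, 0)
        if tok == ';' and depth == 0:
            out.append(cur)
            cur = []
        else:
            cur.append(tok)
    return out


def clause(entry, name):
    """Elements of `name { a; b; }` in an entry, or None when the clause is absent.
    Nested match lists are not handled in this sketch."""
    if name not in entry:
        return None
    start = entry.index(name) + 2           # skip the clause name and '{'
    return [t for t in entry[start:entry.index('}', start)] if t != ';']


def audit_controls(conf_text):
    """Return a list of findings (strings) for the controls statements in conf_text."""
    blocks = controls_blocks(tokenize(conf_text))
    if not blocks:
        return ['no controls statement: default channel on 127.0.0.1 and ::1, '
                'key loaded from rndc.key']
    findings = []
    for body in blocks:
        ents = entries(body)
        if not ents:
            findings.append('empty controls statement: command channel disabled')
        for e in ents:
            kind, target = e[0], e[1]
            where = f'{kind} {target}'
            if kind == 'inet':
                port = e[e.index('port') + 1] if 'port' in e else '953'
                where += f' port {port}'
                allow = clause(e, 'allow') or []
                if target in WILDCARD:
                    findings.append(f'{where}: wildcard listen address')
                elif target not in LOOPBACK:
                    findings.append(f'{where}: not a loopback address')
                if 'any' in allow:
                    findings.append(f'{where}: allow list matches all hosts')
                if 'key' in allow:
                    findings.append(f'{where}: key elements in allow are ignored')
            if clause(e, 'keys') is None:
                findings.append(f'{where}: no keys clause, named falls back to rndc.key')
    return findings


# Constructed sample configuration (not from the manual).
SAMPLE = '''
options { directory "/var/named"; };        # unrelated top-level statement
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };   // local only
    inet * port 9953 allow { any; key "rndc-key"; };            /* exposed */
};
'''

if __name__ == '__main__':
    for line in audit_controls(SAMPLE):
        print(line)
```

Run against the sample, the loopback entry produces no findings and the wildcard entry produces four.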
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574802"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574817"></a><span><strong class="command">include</strong></span> Statement Definition and Usage
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">include</strong></span> statement inserts the
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified file at the point where the <span><strong class="command">include</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl statement is encountered. The <span><strong class="command">include</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement facilitates the administration of configuration files
c869993e79c1eafbec61a56bf6cea848fe754c71xy by permitting the reading or writing of some things but not
c869993e79c1eafbec61a56bf6cea848fe754c71xy others. For example, the statement could include private keys
c869993e79c1eafbec61a56bf6cea848fe754c71xy that are readable only by the name server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574840"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
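c869993e79c1eafbec61a56bf6cea848fe754c71xy algorithm <em class="replaceable"><code>string</code></em>;
c869993e79c1eafbec61a56bf6cea848fe754c71xy secret <em class="replaceable"><code>string</code></em>;
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xy</pre>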
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2574861"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">key</strong></span> statement defines a shared
c869993e79c1eafbec61a56bf6cea848fe754c71xy secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy or the command channel
c869993e79c1eafbec61a56bf6cea848fe754c71xy (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage”</a>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">key</strong></span> statement can occur at the
c869993e79c1eafbec61a56bf6cea848fe754c71xy top level of the configuration file or inside a <span><strong class="command">view</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement. Keys defined in top-level <span><strong class="command">key</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statements can be used in all views. Keys intended for use in
c869993e79c1eafbec61a56bf6cea848fe754c71xy a <span><strong class="command">controls</strong></span> statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage”</a>)
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl must be defined at the top level.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The <em class="replaceable"><code>key_id</code></em>, also known as the
c869993e79c1eafbec61a56bf6cea848fe754c71xy key name, is a domain name uniquely identifying the key. It can
c869993e79c1eafbec61a56bf6cea848fe754c71xy be used in a <span><strong class="command">server</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement to cause requests sent to that
c869993e79c1eafbec61a56bf6cea848fe754c71xy server to be signed with this key, or in address match lists to
c869993e79c1eafbec61a56bf6cea848fe754c71xy verify that incoming requests have been signed with a key
c869993e79c1eafbec61a56bf6cea848fe754c71xy matching this name, algorithm, and secret.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <em class="replaceable"><code>algorithm_id</code></em> is a string
c869993e79c1eafbec61a56bf6cea848fe754c71xy that specifies a security/authentication algorithm. Named supports
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy and <code class="literal">hmac-sha512</code> TSIG authentication.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Truncated hashes are supported by appending the minimum
c869993e79c1eafbec61a56bf6cea848fe754c71xy number of required bits preceded by a dash, e.g.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="literal">hmac-sha1-80</code>. The
c869993e79c1eafbec61a56bf6cea848fe754c71xy <em class="replaceable"><code>secret_string</code></em> is the secret
c869993e79c1eafbec61a56bf6cea848fe754c71xy to be used by the algorithm, and is treated as a base-64
c869993e79c1eafbec61a56bf6cea848fe754c71xy encoded string.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<a name="id2574952"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<pre class="programlisting"><span><strong class="command">logging</strong></span> {
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
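8bb4b220fdb894543e41a5f9037898cf3c3f312bgl | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl | <span><strong class="command">stderr</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl | <span><strong class="command">null</strong></span> );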
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy }; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
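c869993e79c1eafbec61a56bf6cea848fe754c71xy <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy }; ]
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xy</pre>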
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<a name="id2575078"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">logging</strong></span> statement configures a
c869993e79c1eafbec61a56bf6cea848fe754c71xy variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
c869993e79c1eafbec61a56bf6cea848fe754c71xy associates output methods, format options and severity levels with
c869993e79c1eafbec61a56bf6cea848fe754c71xy a name that can then be used with the <span><strong class="command">category</strong></span> phrase
c869993e79c1eafbec61a56bf6cea848fe754c71xy to select how various classes of messages are logged.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Only one <span><strong class="command">logging</strong></span> statement is used to define
c869993e79c1eafbec61a56bf6cea848fe754c71xy as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the logging configuration will be:
c869993e79c1eafbec61a56bf6cea848fe754c71xy logging {
c869993e79c1eafbec61a56bf6cea848fe754c71xy category default { default_syslog; default_debug; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy category unmatched { null; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy };
c869993e79c1eafbec61a56bf6cea848fe754c71xy In <acronym class="acronym">BIND</acronym> 9, the logging configuration
c869993e79c1eafbec61a56bf6cea848fe754c71xy is only established when
c869993e79c1eafbec61a56bf6cea848fe754c71xy the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
c869993e79c1eafbec61a56bf6cea848fe754c71xy established as soon as the <span><strong class="command">logging</strong></span> statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy was parsed. When the server is starting up, all logging messages
c869993e79c1eafbec61a56bf6cea848fe754c71xy regarding syntax errors in the configuration file go to the default
c869993e79c1eafbec61a56bf6cea848fe754c71xy channels, or to standard error if the "<code class="option">-g</code>" option
c869993e79c1eafbec61a56bf6cea848fe754c71xy was specified.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2575130"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
c869993e79c1eafbec61a56bf6cea848fe754c71xy you can make as many of them as you want.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Every channel definition must include a destination clause that
c869993e79c1eafbec61a56bf6cea848fe754c71xy says whether messages selected for the channel go to a file, to a
c869993e79c1eafbec61a56bf6cea848fe754c71xy particular syslog facility, to the standard error stream, or are
c869993e79c1eafbec61a56bf6cea848fe754c71xy discarded. It can optionally also limit the message severity level
c869993e79c1eafbec61a56bf6cea848fe754c71xy that will be accepted by the channel (the default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">info</strong></span>), and whether to include a
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span>-generated time stamp, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy category name
c869993e79c1eafbec61a56bf6cea848fe754c71xy and/or severity level (the default is not to include any).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">null</strong></span> destination clause
c869993e79c1eafbec61a56bf6cea848fe754c71xy causes all messages sent to the channel to be discarded;
c869993e79c1eafbec61a56bf6cea848fe754c71xy in that case, other options for the channel are meaningless.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">file</strong></span> destination clause directs
c869993e79c1eafbec61a56bf6cea848fe754c71xy the channel
c869993e79c1eafbec61a56bf6cea848fe754c71xy to a disk file. It can include limitations
c869993e79c1eafbec61a56bf6cea848fe754c71xy both on how large the file is allowed to become, and how many
c869993e79c1eafbec61a56bf6cea848fe754c71xy versions of the file will be saved each time the file is opened.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If you use the <span><strong class="command">versions</strong></span> log file
c869993e79c1eafbec61a56bf6cea848fe754c71xy option, then
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span> will retain that many backup
c869993e79c1eafbec61a56bf6cea848fe754c71xy versions of the file by
c869993e79c1eafbec61a56bf6cea848fe754c71xy renaming them when opening. For example, if you choose to keep
c869993e79c1eafbec61a56bf6cea848fe754c71xy three old versions
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the file <code class="filename">lamers.log</code>, then just
c869993e79c1eafbec61a56bf6cea848fe754c71xy before it is opened
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">lamers.log.1</code> is renamed to
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
c869993e79c1eafbec61a56bf6cea848fe754c71xy to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy renamed to <code class="filename">lamers.log.0</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy You can say <span><strong class="command">versions unlimited</strong></span> to not limit
c869993e79c1eafbec61a56bf6cea848fe754c71xy the number of versions.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If a <span><strong class="command">size</strong></span> option is associated with
c869993e79c1eafbec61a56bf6cea848fe754c71xy the log file,
c869993e79c1eafbec61a56bf6cea848fe754c71xy then renaming is only done when the file being opened exceeds the
c869993e79c1eafbec61a56bf6cea848fe754c71xy indicated size. No backup versions are kept by default; any
c869993e79c1eafbec61a56bf6cea848fe754c71xy existing log file is simply appended to.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">size</strong></span> option for files is used
c869993e79c1eafbec61a56bf6cea848fe754c71xy to limit log
c869993e79c1eafbec61a56bf6cea848fe754c71xy growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
c869993e79c1eafbec61a56bf6cea848fe754c71xy stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
c869993e79c1eafbec61a56bf6cea848fe754c71xy associated with it. If backup versions are kept, the files are
c869993e79c1eafbec61a56bf6cea848fe754c71xy rolled as described above and a new one begun. If there is no
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">versions</strong></span> option, no more data will
c869993e79c1eafbec61a56bf6cea848fe754c71xy be written to the log
c869993e79c1eafbec61a56bf6cea848fe754c71xy until some out-of-band mechanism removes or truncates the log to
c869993e79c1eafbec61a56bf6cea848fe754c71xy less than the
c869993e79c1eafbec61a56bf6cea848fe754c71xy maximum size. The default behavior is not to limit the size of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the file.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Example usage of the <span><strong class="command">size</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">versions</strong></span> options:
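c869993e79c1eafbec61a56bf6cea848fe754c71xy channel an_example_channel {
c869993e79c1eafbec61a56bf6cea848fe754c71xy file "example.log" versions 3 size 20m;
c869993e79c1eafbec61a56bf6cea848fe754c71xy print-time yes;
c869993e79c1eafbec61a56bf6cea848fe754c71xy print-category yes;
c869993e79c1eafbec61a56bf6cea848fe754c71xy };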
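The following Python model of the file-channel rules described above is an added illustration, not named's own code; the function names, the byte counts and the handling of versions unlimited are assumptions. It shows the case that matters for audit trails: a size limit without a versions option makes named stop writing once the limit is exceeded, while size together with versions rolls the file and keeps logging.

```python
def roll(files, name, versions):
    """Rename the backups up by one, oldest first, then name -> name.0.

    files maps file name -> size in bytes; returns the renames performed.
    versions is an integer >= 1 or the string 'unlimited'.
    """
    if versions == 'unlimited':
        # Assumption of this model: keep every backup, so start above the highest one.
        top = 0
        while f'{name}.{top}' in files:
            top += 1
    else:
        top = versions - 1          # name.(versions-1) is the oldest and is overwritten
    ops = []
    for k in range(top, 0, -1):
        src, dst = f'{name}.{k - 1}', f'{name}.{k}'
        if src in files:
            files[dst] = files.pop(src)
            ops.append((src, dst))
    files[f'{name}.0'] = files.pop(name)
    ops.append((name, f'{name}.0'))
    return ops


def open_log(files, name, versions=None, size=None):
    """Opening the file: roll only if versions is set and, when size is also set,
    only if the existing file exceeds it. Otherwise the file is appended to."""
    if name in files and versions is not None and (size is None or files[name] > size):
        roll(files, name, versions)
    files.setdefault(name, 0)


def write(files, name, nbytes, versions=None, size=None):
    """Return True if the message was written, False if named has stopped writing."""
    if size is not None and files[name] > size:
        if versions is None:
            return False            # stuck until the file is truncated out of band
        roll(files, name, versions)
        files[name] = 0             # a new file is begun
    files[name] += nbytes
    return True


def simulate(messages, msg_bytes, versions=None, size=None, name='example.log'):
    """Log `messages` messages of `msg_bytes` each; return (written, dropped, files)."""
    files = {}
    open_log(files, name, versions, size)
    written = sum(write(files, name, msg_bytes, versions, size) for _ in range(messages))
    return written, messages - written, files


if __name__ == '__main__':
    # Constructed numbers: ten 40-byte messages against a 100-byte size limit.
    print(simulate(10, 40, size=100))               # size only: messages are dropped
    print(simulate(10, 40, versions=3, size=100))   # size + versions: file is rolled
```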
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">syslog</strong></span> destination clause
c869993e79c1eafbec61a56bf6cea848fe754c71xy directs the
c869993e79c1eafbec61a56bf6cea848fe754c71xy channel to the system log. Its argument is a
c869993e79c1eafbec61a56bf6cea848fe754c71xy syslog facility as described in the <span><strong class="command">syslog</strong></span> man
c869993e79c1eafbec61a56bf6cea848fe754c71xy page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">local7</strong></span>, however not all facilities
c869993e79c1eafbec61a56bf6cea848fe754c71xy are supported on
c869993e79c1eafbec61a56bf6cea848fe754c71xy all operating systems.
c869993e79c1eafbec61a56bf6cea848fe754c71xy How <span><strong class="command">syslog</strong></span> will handle messages sent to
c869993e79c1eafbec61a56bf6cea848fe754c71xy this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
c869993e79c1eafbec61a56bf6cea848fe754c71xy page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
c869993e79c1eafbec61a56bf6cea848fe754c71xy only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
c869993e79c1eafbec61a56bf6cea848fe754c71xy then this clause is silently ignored.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
c869993e79c1eafbec61a56bf6cea848fe754c71xy "priorities", except that they can also be used if you are writing
c869993e79c1eafbec61a56bf6cea848fe754c71xy straight to a file rather than using <span><strong class="command">syslog</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Messages which are not at least of the severity level given will
c869993e79c1eafbec61a56bf6cea848fe754c71xy not be selected for the channel; messages of higher severity
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be accepted.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
c869993e79c1eafbec61a56bf6cea848fe754c71xy will also determine what eventually passes through. For example,
c869993e79c1eafbec61a56bf6cea848fe754c71xy defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl cause messages of severity <span><strong class="command">info</strong></span> and
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">notice</strong></span> to be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
c869993e79c1eafbec61a56bf6cea848fe754c71xy messages of only <span><strong class="command">warning</strong></span> or higher,
c869993e79c1eafbec61a56bf6cea848fe754c71xy then <span><strong class="command">syslogd</strong></span> would
c869993e79c1eafbec61a56bf6cea848fe754c71xy print all messages it received from the channel.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">stderr</strong></span> destination clause
c869993e79c1eafbec61a56bf6cea848fe754c71xy directs the
c869993e79c1eafbec61a56bf6cea848fe754c71xy channel to the server's standard error stream. This is intended
c869993e79c1eafbec61a56bf6cea848fe754c71xy for use when the server is running as a foreground process, for
c869993e79c1eafbec61a56bf6cea848fe754c71xy example when debugging a configuration.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The server can supply extensive debugging information when
c869993e79c1eafbec61a56bf6cea848fe754c71xy it is in debugging mode. If the server's global debug level is
c869993e79c1eafbec61a56bf6cea848fe754c71xy greater than zero, then debugging mode will be active. The global debug
c869993e79c1eafbec61a56bf6cea848fe754c71xy level is set either by starting the <span><strong class="command">named</strong></span> server
c869993e79c1eafbec61a56bf6cea848fe754c71xy with the <code class="option">-d</code> flag followed by a positive integer,
c869993e79c1eafbec61a56bf6cea848fe754c71xy or by running <span><strong class="command">rndc trace</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The global debug level
c869993e79c1eafbec61a56bf6cea848fe754c71xy can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
c869993e79c1eafbec61a56bf6cea848fe754c71xynotrace</strong></span>. All debugging messages in the server have a debug
c869993e79c1eafbec61a56bf6cea848fe754c71xy level, and higher debug levels give more detailed output. Channels
c869993e79c1eafbec61a56bf6cea848fe754c71xy that specify a specific debug severity, for example:
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">channel specific_debug_level {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    file "foo";
c869993e79c1eafbec61a56bf6cea848fe754c71xy    severity debug 3;
c869993e79c1eafbec61a56bf6cea848fe754c71xy};</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy will get debugging output of level 3 or less any time the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server is in debugging mode, regardless of the global debugging
c869993e79c1eafbec61a56bf6cea848fe754c71xy level. Channels with <span><strong class="command">dynamic</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy severity use the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server's global debug level to determine what messages to print.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">print-time</strong></span> has been turned on,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the date and time will be logged. <span><strong class="command">print-time</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy be specified for a <span><strong class="command">syslog</strong></span> channel,
c869993e79c1eafbec61a56bf6cea848fe754c71xy but is usually
c869993e79c1eafbec61a56bf6cea848fe754c71xy pointless since <span><strong class="command">syslog</strong></span> also prints
c869993e79c1eafbec61a56bf6cea848fe754c71xy the date and
c869993e79c1eafbec61a56bf6cea848fe754c71xy time. If <span><strong class="command">print-category</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy requested, then the
c869993e79c1eafbec61a56bf6cea848fe754c71xy category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
c869993e79c1eafbec61a56bf6cea848fe754c71xy be used in any combination, and will always be printed in the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl order: time, category, severity. Here is an example where all
c869993e79c1eafbec61a56bf6cea848fe754c71xy three <span><strong class="command">print-</strong></span> options are on:
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy There are four predefined channels that are used for
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named</strong></span>'s default logging as follows.
c869993e79c1eafbec61a56bf6cea848fe754c71xy How they are
c869993e79c1eafbec61a56bf6cea848fe754c71xy used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">channel default_syslog {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    syslog daemon;      // send to syslog's daemon
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl                        // facility
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl    severity info;      // only send priority info
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl                        // and higher
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl};
8bb4b220fdb894543e41a5f9037898cf3c3f312bglchannel default_debug {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    file "named.run";   // write to named.run in
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // the working directory
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // Note: stderr is used instead
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // of "named.run"
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // if the server is started
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // with the '-f' option.
c869993e79c1eafbec61a56bf6cea848fe754c71xy    severity dynamic;   // log at the server's
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // current debug level
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xychannel default_stderr {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    stderr;             // writes to stderr
c869993e79c1eafbec61a56bf6cea848fe754c71xy    severity info;      // only send priority info
c869993e79c1eafbec61a56bf6cea848fe754c71xy                        // and higher
c869993e79c1eafbec61a56bf6cea848fe754c71xy};
c869993e79c1eafbec61a56bf6cea848fe754c71xychannel null {
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl    null;               // toss anything sent to
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl                        // this channel
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl};</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">default_debug</strong></span> channel has the
c869993e79c1eafbec61a56bf6cea848fe754c71xy property that it only produces output when the server's debug
c869993e79c1eafbec61a56bf6cea848fe754c71xy level is nonzero. It normally writes to a file called <code class="filename">named.run</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the server's working directory.
c869993e79c1eafbec61a56bf6cea848fe754c71xy For security reasons, when the "<code class="option">-u</code>"
c869993e79c1eafbec61a56bf6cea848fe754c71xy command line option is used, the <code class="filename">named.run</code> file
c869993e79c1eafbec61a56bf6cea848fe754c71xy is created only after <span><strong class="command">named</strong></span> has
c869993e79c1eafbec61a56bf6cea848fe754c71xy changed to the
c869993e79c1eafbec61a56bf6cea848fe754c71xy new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy starting up and still running as root is discarded. If you need
c869993e79c1eafbec61a56bf6cea848fe754c71xy to capture this output, you must run the server with the "<code class="option">-g</code>"
c869993e79c1eafbec61a56bf6cea848fe754c71xy option and redirect standard error to a file.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Once a channel is defined, it cannot be redefined. Thus you
c869993e79c1eafbec61a56bf6cea848fe754c71xy cannot alter the built-in channels directly, but you can modify
c869993e79c1eafbec61a56bf6cea848fe754c71xy the default logging by pointing categories at channels you have defined.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy There are many categories, so you can send the logs you want
c869993e79c1eafbec61a56bf6cea848fe754c71xy to see wherever you want, without seeing logs you don't want. If
c869993e79c1eafbec61a56bf6cea848fe754c71xy you don't specify a list of channels for a category, then log
c869993e79c1eafbec61a56bf6cea848fe754c71xy messages in that category will be sent to the <span><strong class="command">default</strong></span> category
c869993e79c1eafbec61a56bf6cea848fe754c71xy instead. If you don't specify a default category, the following
c869993e79c1eafbec61a56bf6cea848fe754c71xy "default default" is used:
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">category default { default_syslog; default_debug; };</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy As an example, let's say you want to log security events to
c869993e79c1eafbec61a56bf6cea848fe754c71xy a file, but you also want to keep the default logging behavior. You'd
c869993e79c1eafbec61a56bf6cea848fe754c71xy specify the following:
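c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">channel my_security_channel {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    file "my_security_file";
fa25784ca4b51c206177d891a654f1d36a25d41fxy    severity info;
fa25784ca4b51c206177d891a654f1d36a25d41fxy};
c869993e79c1eafbec61a56bf6cea848fe754c71xycategory security {
c869993e79c1eafbec61a56bf6cea848fe754c71xy    my_security_channel;
c869993e79c1eafbec61a56bf6cea848fe754c71xy    default_syslog;
fa25784ca4b51c206177d891a654f1d36a25d41fxy    default_debug;
fa25784ca4b51c206177d891a654f1d36a25d41fxy};</pre>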
c869993e79c1eafbec61a56bf6cea848fe754c71xy To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
c869993e79c1eafbec61a56bf6cea848fe754c71xycategory notify { null; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy Following are the available categories and brief descriptions
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the types of log information they contain. More
c869993e79c1eafbec61a56bf6cea848fe754c71xy categories may be added in future <acronym class="acronym">BIND</acronym> releases.
c869993e79c1eafbec61a56bf6cea848fe754c71xy</colgroup>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">default</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default category defines the logging
c869993e79c1eafbec61a56bf6cea848fe754c71xy options for those categories where no specific
c869993e79c1eafbec61a56bf6cea848fe754c71xy configuration has been defined.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">general</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The catch-all. Many things still aren't
c869993e79c1eafbec61a56bf6cea848fe754c71xy classified into categories, and they all end up here.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">database</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Messages relating to the databases used
c869993e79c1eafbec61a56bf6cea848fe754c71xy internally by the name server to store zone and cache data.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">security</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Approval and denial of requests.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">config</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Configuration file parsing and processing.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">resolver</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNS resolution, such as the recursive
c869993e79c1eafbec61a56bf6cea848fe754c71xy lookups performed on behalf of clients by a caching name server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">xfer-in</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Zone transfers the server is receiving.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">xfer-out</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Zone transfers the server is sending.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">notify</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The NOTIFY protocol.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">client</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Processing of client requests.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <p><span><strong class="command">unmatched</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Messages that named was unable to determine the
c869993e79c1eafbec61a56bf6cea848fe754c71xy class of or for which there was no matching <span><strong class="command">view</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
c869993e79c1eafbec61a56bf6cea848fe754c71xy This category is best sent to a file or stderr; by
c869993e79c1eafbec61a56bf6cea848fe754c71xy default it is sent to
c869993e79c1eafbec61a56bf6cea848fe754c71xy the <span><strong class="command">null</strong></span> channel.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">network</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Network operations.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">update</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Dynamic updates.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">update-security</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Approval and denial of update requests.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">queries</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specify where queries should be logged to.
c869993e79c1eafbec61a56bf6cea848fe754c71xy At startup, specifying the category <span><strong class="command">queries</strong></span> will also
c869993e79c1eafbec61a56bf6cea848fe754c71xy enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The query log entry reports the client's IP
c869993e79c1eafbec61a56bf6cea848fe754c71xy address and port number, and the query name,
c869993e79c1eafbec61a56bf6cea848fe754c71xy class and type. It also reports whether the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Recursion Desired flag was set (+ if set, -
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl if not set), if the query was signed (S),
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl EDNS was in use (E), if DO (DNSSEC ok) was
c869993e79c1eafbec61a56bf6cea848fe754c71xy set (D), or if CD (checking disabled) was set
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">dispatch</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Dispatching of incoming packets to the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server modules where they are to be processed.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">dnssec</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNSSEC and TSIG protocol processing.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">lame-servers</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Lame servers. These are misconfigurations
c869993e79c1eafbec61a56bf6cea848fe754c71xy in remote servers, discovered by BIND 9 when trying to
c869993e79c1eafbec61a56bf6cea848fe754c71xy query those servers during resolution.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">delegation-only</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Delegation only. Logs queries that have
c869993e79c1eafbec61a56bf6cea848fe754c71xy been forced to NXDOMAIN as the result of a
c869993e79c1eafbec61a56bf6cea848fe754c71xy delegation-only zone or
c869993e79c1eafbec61a56bf6cea848fe754c71xy a <span><strong class="command">delegation-only</strong></span> in a
c869993e79c1eafbec61a56bf6cea848fe754c71xy hint or stub zone declaration.
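The query log entry format described above for the queries category can be parsed as follows. This is an added example, not code from the BIND distribution: the names QueryEntry, parse_query_line and summarize are hypothetical, the optional time, category and severity prefix follows the print- option order given earlier, and the letter C for the CD flag is assumed from BIND 9's behaviour because it is not shown on this page.

```python
"""Parse named query-log lines as described for the `queries` category."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv6Address, ip_address
from typing import Iterable, List, Optional, Tuple, Union

SEVERITIES = ("critical", "error", "warning", "notice", "info", "debug")
_SEV = "|".join(SEVERITIES)

# The print- options, when enabled, always appear in the order
# time, category, severity; each of the three is optional.
LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    rf"(?:(?!(?:{_SEV}): )(?P<category>[a-z][a-z-]*): )?"
    rf"(?:(?P<severity>{_SEV}): )?"
    r"client (?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>[A-Z]*)$"
)

# S = signed, E = EDNS, D = DO (DNSSEC ok) as listed on the page.
# C = CD (checking disabled) is an assumption taken from BIND 9 itself.
FLAG_FIELDS = {"S": "signed", "E": "edns", "D": "do", "C": "cd"}


@dataclass
class QueryEntry:
    time: Optional[datetime]
    category: Optional[str]
    severity: Optional[str]
    client: Union[IPv4Address, IPv6Address]
    port: int
    qname: str
    qclass: str
    qtype: str
    rd: bool                 # Recursion Desired: '+' set, '-' not set
    signed: bool = False
    edns: bool = False
    do: bool = False
    cd: bool = False
    unknown_flags: str = ""  # letters this parser does not know about


def parse_query_line(line: str) -> Optional[QueryEntry]:
    """Return a QueryEntry, or None if the line is not a valid query entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        client = ip_address(m["addr"])
        when = None
        if m["time"]:
            when = datetime.strptime(m["time"], "%d-%b-%Y %H:%M:%S.%f")
    except ValueError:
        return None
    port = int(m["port"])
    if port > 65535:
        return None
    entry = QueryEntry(when, m["category"], m["severity"], client, port,
                       m["qname"], m["qclass"], m["qtype"], m["rd"] == "+")
    for letter in m["flags"]:
        name = FLAG_FIELDS.get(letter)
        if name:
            setattr(entry, name, True)
        else:
            entry.unknown_flags += letter
    return entry


def summarize(lines: Iterable[str]) -> Tuple[Counter, List[str]]:
    """Count queries per client address and collect lines that failed to parse."""
    per_client: Counter = Counter()
    unparsed: List[str] = []
    for line in lines:
        entry = parse_query_line(line)
        if entry is None:
            unparsed.append(line)
        else:
            per_client[str(entry.client)] += 1
    return per_client, unparsed


# The first two lines are the page's own samples; the last two are constructed.
SAMPLE_LINES = [
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "client ::1#62537: query: www.example.net IN AAAA -SE",
    "28-Feb-2000 15:05:33.001 queries: info: "
    "client 192.0.2.10#40000: query: example.org IN MX +ED",
    "client 192.0.2.10#99999: query: example.org IN A +",  # port out of range
]

if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LINES)
    for addr, n in counts.most_common():
        print(f"{addr}: {n} queries")
    print(f"unparsed lines: {len(bad)}")
```

Lines that fail to parse are returned rather than dropped, so a truncated or malformed entry in a query log stays visible to whoever reviews it.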
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2576428"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This is the grammar of the <span><strong class="command">lwres</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement in the <code class="filename">named.conf</code> file:
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy};</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2576502"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">lwres</strong></span> statement configures the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server to also act as a lightweight resolver server. (See
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">lwres</strong></span> statements configuring
c869993e79c1eafbec61a56bf6cea848fe754c71xy lightweight resolver servers with different properties.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">listen-on</strong></span> statement specifies a list of
c869993e79c1eafbec61a56bf6cea848fe754c71xy addresses (and ports) that this instance of a lightweight resolver
c869993e79c1eafbec61a56bf6cea848fe754c71xy should accept requests on. If no port is specified, port 921 is used.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If this statement is omitted, requests will be accepted on
c869993e79c1eafbec61a56bf6cea848fe754c71xy 127.0.0.1, port 921.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">view</strong></span> statement binds this
c869993e79c1eafbec61a56bf6cea848fe754c71xy instance of a
c869993e79c1eafbec61a56bf6cea848fe754c71xy lightweight resolver daemon to a view in the DNS namespace, so that
c869993e79c1eafbec61a56bf6cea848fe754c71xy the response will be constructed in the same manner as a normal DNS
c869993e79c1eafbec61a56bf6cea848fe754c71xy query matching this view. If this statement is omitted, the default view
c869993e79c1eafbec61a56bf6cea848fe754c71xy is used, and if there is no default view, an error is triggered.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">search</strong></span> statement is equivalent to the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">search</strong></span> statement in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">/etc/resolv.conf</code>. It provides a
c869993e79c1eafbec61a56bf6cea848fe754c71xy list of domains
c869993e79c1eafbec61a56bf6cea848fe754c71xy which are appended to relative names in queries.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">ndots</strong></span> statement is equivalent to the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">ndots</strong></span> statement in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="filename">/etc/resolv.conf</code>. It indicates the
c869993e79c1eafbec61a56bf6cea848fe754c71xy number of dots in a relative domain name that should result in an
c869993e79c1eafbec61a56bf6cea848fe754c71xy exact match lookup before search path elements are appended.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2576566"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2576610"></a><span><strong class="command">masters</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy lists allow for a common set of masters to be easily used by
c869993e79c1eafbec61a56bf6cea848fe754c71xy multiple stub and slave zones.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2576625"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This is the grammar of the <span><strong class="command">options</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement in the <code class="filename">named.conf</code> file:
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
d556530cda421a2e47778c115a8d39f8571f104cxy [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
c869993e79c1eafbec61a56bf6cea848fe754c71xy ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
c869993e79c1eafbec61a56bf6cea848fe754c71xy <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
c869993e79c1eafbec61a56bf6cea848fe754c71xy ... }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
c869993e79c1eafbec61a56bf6cea848fe754c71xy ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
fa25784ca4b51c206177d891a654f1d36a25d41fxy [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">options</strong></span> statement sets up global options
c869993e79c1eafbec61a56bf6cea848fe754c71xy to be used by <acronym class="acronym">BIND</acronym>. This statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy may appear only
c869993e79c1eafbec61a56bf6cea848fe754c71xy once in a configuration file. If there is no <span><strong class="command">options</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement, an options block with each option set to its default will
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The working directory of the server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Any non-absolute pathnames in the configuration file will be taken
c869993e79c1eafbec61a56bf6cea848fe754c71xy as relative to this directory. The default location for most
c869993e79c1eafbec61a56bf6cea848fe754c71xy output files (e.g. <code class="filename">named.run</code>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy is this directory.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If a directory is not specified, the working directory
c869993e79c1eafbec61a56bf6cea848fe754c71xy defaults to `<code class="filename">.</code>', the directory from
c869993e79c1eafbec61a56bf6cea848fe754c71xy which the server
c869993e79c1eafbec61a56bf6cea848fe754c71xy was started. The directory specified should be an absolute
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When performing dynamic update of secure zones, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy directory where the public and private key files should be found,
c869993e79c1eafbec61a56bf6cea848fe754c71xy if different than the current working directory. The
c869993e79c1eafbec61a56bf6cea848fe754c71xy directory specified
c869993e79c1eafbec61a56bf6cea848fe754c71xy must be an absolute path.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span class="emphasis"><em>This option is obsolete.</em></span> It
c869993e79c1eafbec61a56bf6cea848fe754c71xy was used in <acronym class="acronym">BIND</acronym> 8 to specify
c869993e79c1eafbec61a56bf6cea848fe754c71xy the pathname to the <span><strong class="command">named-xfer</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy program. In <acronym class="acronym">BIND</acronym> 9, no separate
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">named-xfer</strong></span> program is needed;
c869993e79c1eafbec61a56bf6cea848fe754c71xy its functionality is built into the name server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The security credential with which the server should
c869993e79c1eafbec61a56bf6cea848fe754c71xy authenticate keys requested by the GSS-TSIG protocol.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Currently only Kerberos 5 authentication is available
c869993e79c1eafbec61a56bf6cea848fe754c71xy and the credential is a Kerberos principal which
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server can acquire through the default system
c869993e79c1eafbec61a56bf6cea848fe754c71xy key file, normally <code class="filename">/etc/krb5.keytab</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Normally this principal is of the form
c869993e79c1eafbec61a56bf6cea848fe754c71xy "<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
c869993e79c1eafbec61a56bf6cea848fe754c71xy To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy must also be set.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The domain appended to the names of all shared keys
c869993e79c1eafbec61a56bf6cea848fe754c71xy generated with <span><strong class="command">TKEY</strong></span>. When a
c869993e79c1eafbec61a56bf6cea848fe754c71xy client requests a <span><strong class="command">TKEY</strong></span> exchange,
c869993e79c1eafbec61a56bf6cea848fe754c71xy it may or may not specify the desired name for the
c869993e79c1eafbec61a56bf6cea848fe754c71xy key. If present, the name of the shared key
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be <code class="varname">client specified part</code> + <code class="varname">tkey-domain</code>. Otherwise, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy name of the shared key will be <code class="varname">random hex
c869993e79c1eafbec61a56bf6cea848fe754c71xy digits</code> + <code class="varname">tkey-domain</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In most cases, the <span><strong class="command">domainname</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy should be the server's domain name, or an otherwise
c869993e79c1eafbec61a56bf6cea848fe754c71xy non-existent subdomain like
c869993e79c1eafbec61a56bf6cea848fe754c71xy "_tkey.<code class="varname">domainname</code>". If you are
c869993e79c1eafbec61a56bf6cea848fe754c71xy using GSS-TSIG, this variable must be defined.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The Diffie-Hellman key used by the server
c869993e79c1eafbec61a56bf6cea848fe754c71xy to generate shared keys with clients using the Diffie-Hellman mode
c869993e79c1eafbec61a56bf6cea848fe754c71xy of <span><strong class="command">TKEY</strong></span>. The server must be
c869993e79c1eafbec61a56bf6cea848fe754c71xy able to load the
c869993e79c1eafbec61a56bf6cea848fe754c71xy public and private keys from files in the working directory.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In most cases, the keyname should be the server's host name.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This is for testing only. Do not use.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The pathname of the file the server dumps
c869993e79c1eafbec61a56bf6cea848fe754c71xy the database to when instructed to do so with
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">rndc dumpdb</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If not specified, the default is <code class="filename">named_dump.db</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The pathname of the file the server writes memory
c869993e79c1eafbec61a56bf6cea848fe754c71xy usage statistics to on exit. If not specified,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The pathname of the file the server writes its process ID
c869993e79c1eafbec61a56bf6cea848fe754c71xy in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The pid-file is used by programs that want to send signals to
c869993e79c1eafbec61a56bf6cea848fe754c71xy the running
c869993e79c1eafbec61a56bf6cea848fe754c71xy name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
c869993e79c1eafbec61a56bf6cea848fe754c71xy use of a PID file — no file will be written and any
c869993e79c1eafbec61a56bf6cea848fe754c71xy existing one will be removed. Note that <span><strong class="command">none</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy is a keyword, not a file name, and therefore is not enclosed in
c869993e79c1eafbec61a56bf6cea848fe754c71xy double quotes.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The pathname of the file the server appends statistics
c869993e79c1eafbec61a56bf6cea848fe754c71xy to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If not specified, the default is <code class="filename">named.stats</code> in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server's current directory. The format of the file is described
c869993e79c1eafbec61a56bf6cea848fe754c71xy in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is 53. This option is mainly intended for server testing;
c869993e79c1eafbec61a56bf6cea848fe754c71xy a server using a port other than 53 will not be able to
c869993e79c1eafbec61a56bf6cea848fe754c71xy communicate with
c869993e79c1eafbec61a56bf6cea848fe754c71xy the global DNS.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The source of entropy to be used by the server. Entropy is
c869993e79c1eafbec61a56bf6cea848fe754c71xy primarily needed
c869993e79c1eafbec61a56bf6cea848fe754c71xy for DNSSEC operations, such as TKEY transactions and dynamic
c869993e79c1eafbec61a56bf6cea848fe754c71xy update of signed
c869993e79c1eafbec61a56bf6cea848fe754c71xy zones. This option specifies the device (or file) from which to read
c869993e79c1eafbec61a56bf6cea848fe754c71xy entropy. If this is a file, operations requiring entropy will
c869993e79c1eafbec61a56bf6cea848fe754c71xy fail when the
c869993e79c1eafbec61a56bf6cea848fe754c71xy file has been exhausted. If not specified, the default value
c869993e79c1eafbec61a56bf6cea848fe754c71xy (or equivalent) when present, and none otherwise. The
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">random-device</strong></span> option takes
c869993e79c1eafbec61a56bf6cea848fe754c71xy effect during
c869993e79c1eafbec61a56bf6cea848fe754c71xy the initial configuration load at server startup time and
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl is ignored on subsequent reloads.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If specified, the listed type (A or AAAA) will be emitted
c869993e79c1eafbec61a56bf6cea848fe754c71xy before other glue
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the additional section of a query response.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is not to prefer any type (NONE).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
c869993e79c1eafbec61a56bf6cea848fe754c71xy with an optional
c869993e79c1eafbec61a56bf6cea848fe754c71xy exclude list.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
c869993e79c1eafbec61a56bf6cea848fe754c71xy and "MUSEUM").
c869993e79c1eafbec61a56bf6cea848fe754c71xy root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Disable the specified DNSSEC algorithms at and below the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl specified name.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Multiple <span><strong class="command">disable-algorithms</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statements are allowed.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Only the most specific will be applied.
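Because only the most specific <code>disable-algorithms</code> statement is applied, a statement for a subdomain replaces the list set higher up rather than adding to it. The Python sketch below is an added example, not code from BIND or its documentation; it models the rule as stated here, and its function names, zone names and algorithm lists are constructed for illustration.

```python
"""Model of the 'most specific disable-algorithms statement applies' rule."""


def _labels(name):
    """Split a domain name into lower-cased labels, root-most first ('.' -> [])."""
    name = name.strip().rstrip(".").lower()
    return list(reversed(name.split("."))) if name else []


def governing_statement(qname, statements):
    """Return the configured domain whose statement governs qname, or None.

    statements maps a domain (as written in the config) to a set of
    algorithm mnemonics. A statement covers names "at and below" its
    domain, compared label by label, so 'example.com' does not cover
    'notexample.com'.
    """
    q = _labels(qname)
    best_domain, best_depth = None, -1
    for domain in statements:
        d = _labels(domain)
        if len(d) <= len(q) and q[:len(d)] == d and len(d) > best_depth:
            best_domain, best_depth = domain, len(d)
    return best_domain


def disabled_algorithms(qname, statements):
    """Algorithms disabled for qname: the governing statement's list only."""
    domain = governing_statement(qname, statements)
    if domain is None:
        return frozenset()
    return frozenset(a.upper() for a in statements[domain])


def shadowed_gaps(statements):
    """Report algorithms that a deeper statement silently re-enables.

    For each statement, look up what would have applied at that name had
    the statement not existed (the nearest ancestor statement) and return
    the algorithms from that inherited list which the statement omits.
    """
    gaps = {}
    for domain, algs in statements.items():
        others = {d: a for d, a in statements.items()
                  if _labels(d) != _labels(domain)}
        inherited = disabled_algorithms(domain, others)
        missing = inherited - frozenset(a.upper() for a in algs)
        if missing:
            gaps[domain] = missing
    return gaps


# Constructed sample policy (not from the page): three statements at
# different depths of the tree.
SAMPLE = {
    ".": {"RSAMD5"},
    "example.com": {"DSA"},
    "sub.example.com.": {"RSAMD5", "DSA"},
}

if __name__ == "__main__":
    for name in ("www.example.com", "notexample.com", "a.sub.example.com"):
        print(name, sorted(disabled_algorithms(name, SAMPLE)))
    for domain, missing in shadowed_gaps(SAMPLE).items():
        print("statement for", domain, "re-enables", sorted(missing))
```

Running the audit over a real policy shows which subdomain statements need the parent's algorithms repeated in their own list.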
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When set, <span><strong class="command">dnssec-lookaside</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy provides the
c869993e79c1eafbec61a56bf6cea848fe754c71xy validator with an alternate method to validate DNSKEY records at the
c869993e79c1eafbec61a56bf6cea848fe754c71xy top of a zone. When a DNSKEY is at or below a domain
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified by the
c869993e79c1eafbec61a56bf6cea848fe754c71xy deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
c869993e79c1eafbec61a56bf6cea848fe754c71xy the normal dnssec validation
c869993e79c1eafbec61a56bf6cea848fe754c71xy has left the key untrusted, the trust-anchor will be appended to the key
c869993e79c1eafbec61a56bf6cea848fe754c71xy name and a DLV record will be looked up to see if it can
c869993e79c1eafbec61a56bf6cea848fe754c71xy validate the
c869993e79c1eafbec61a56bf6cea848fe754c71xy key. If the DLV record validates a DNSKEY (similarly to the way a DS
c869993e79c1eafbec61a56bf6cea848fe754c71xy record does) the DNSKEY RRset is deemed to be trusted.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specify hierarchies which must be or may not be secure (signed and
c869993e79c1eafbec61a56bf6cea848fe754c71xy validated).
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, then named will only accept
c869993e79c1eafbec61a56bf6cea848fe754c71xy answers if they
c869993e79c1eafbec61a56bf6cea848fe754c71xy are secure.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation applies,
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl allowing for insecure answers to be accepted.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">dnssec-lookaside</strong></span> must be
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
c869993e79c1eafbec61a56bf6cea848fe754c71xy is always set on NXDOMAIN responses, even if the server is
c869993e79c1eafbec61a56bf6cea848fe754c71xy not actually
c869993e79c1eafbec61a56bf6cea848fe754c71xy authoritative. The default is <strong class="userinput"><code>no</code></strong>;
c869993e79c1eafbec61a56bf6cea848fe754c71xy a change from <acronym class="acronym">BIND</acronym> 8. If you
c869993e79c1eafbec61a56bf6cea848fe754c71xy are using very old DNS software, you
c869993e79c1eafbec61a56bf6cea848fe754c71xy may need to set it to <strong class="userinput"><code>yes</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option was used in <acronym class="acronym">BIND</acronym>
c869993e79c1eafbec61a56bf6cea848fe754c71xy 8 to enable checking
c869993e79c1eafbec61a56bf6cea848fe754c71xy for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
c869993e79c1eafbec61a56bf6cea848fe754c71xy the checks.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, then the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server treats all zones as if they are doing zone transfers
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl a dial-on-demand dialup link, which can be brought up by
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl originating from this server. This has different effects
c869993e79c1eafbec61a56bf6cea848fe754c71xy to zone type and concentrates the zone maintenance so that
c869993e79c1eafbec61a56bf6cea848fe754c71xy happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy hopefully during the one call. It also suppresses some of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the normal
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">dialup</strong></span> option
c869993e79c1eafbec61a56bf6cea848fe754c71xy may also be specified in the <span><strong class="command">view</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">zone</strong></span> statements,
c869993e79c1eafbec61a56bf6cea848fe754c71xy in which case it overrides the global <span><strong class="command">dialup</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If the zone is a master zone, then the server will send out a
c869993e79c1eafbec61a56bf6cea848fe754c71xy request to all the slaves (default). This should trigger the
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone serial
c869993e79c1eafbec61a56bf6cea848fe754c71xy number check in the slave (providing it supports NOTIFY)
c869993e79c1eafbec61a56bf6cea848fe754c71xy allowing the slave
c869993e79c1eafbec61a56bf6cea848fe754c71xy to verify the zone while the connection is active.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The set of servers to which NOTIFY is sent can be controlled
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone is a slave or stub zone, then the server will suppress
c869993e79c1eafbec61a56bf6cea848fe754c71xy the regular
c869993e79c1eafbec61a56bf6cea848fe754c71xy "zone up to date" (refresh) queries and only perform them
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">heartbeat-interval</strong></span> expires in
c869993e79c1eafbec61a56bf6cea848fe754c71xy addition to sending
c869993e79c1eafbec61a56bf6cea848fe754c71xy NOTIFY requests.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Finer control can be achieved by using
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
c869993e79c1eafbec61a56bf6cea848fe754c71xy messages and
c869993e79c1eafbec61a56bf6cea848fe754c71xy suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
c869993e79c1eafbec61a56bf6cea848fe754c71xy which suppresses normal refresh processing and sends refresh
c869993e79c1eafbec61a56bf6cea848fe754c71xy when the <span><strong class="command">heartbeat-interval</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy expires, and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>passive</code></strong> which just disables normal
c869993e79c1eafbec61a56bf6cea848fe754c71xy processing.
c869993e79c1eafbec61a56bf6cea848fe754c71xy</colgroup>
c869993e79c1eafbec61a56bf6cea848fe754c71xy dialup mode
c869993e79c1eafbec61a56bf6cea848fe754c71xy normal refresh
c869993e79c1eafbec61a56bf6cea848fe754c71xy heart-beat refresh
c869993e79c1eafbec61a56bf6cea848fe754c71xy heart-beat notify
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">no</strong></span> (default)</p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">notify</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">refresh</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">passive</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">notify-passive</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that normal NOTIFY processing is not affected by
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy In <acronym class="acronym">BIND</acronym> 8, this option
c869993e79c1eafbec61a56bf6cea848fe754c71xy enabled simulating the obsolete DNS query type
c869993e79c1eafbec61a56bf6cea848fe754c71xy IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
c869993e79c1eafbec61a56bf6cea848fe754c71xy IQUERY simulation.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option is obsolete.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
c869993e79c1eafbec61a56bf6cea848fe754c71xy caused the server to attempt to fetch glue resource records
c869993e79c1eafbec61a56bf6cea848fe754c71xy didn't have when constructing the additional
c869993e79c1eafbec61a56bf6cea848fe754c71xy data section of a response. This is now considered a bad
c869993e79c1eafbec61a56bf6cea848fe754c71xy and BIND 9 never does it.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When the nameserver exits due to receiving SIGTERM,
c869993e79c1eafbec61a56bf6cea848fe754c71xy flush or do not flush any pending zone writes. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option was incorrectly implemented
c869993e79c1eafbec61a56bf6cea848fe754c71xy in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy To achieve the intended effect
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
c869993e79c1eafbec61a56bf6cea848fe754c71xy the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
c869993e79c1eafbec61a56bf6cea848fe754c71xy and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy In BIND 8, this enables keeping of
c869993e79c1eafbec61a56bf6cea848fe754c71xy statistics for every host that the name server interacts
c869993e79c1eafbec61a56bf6cea848fe754c71xy Not implemented in BIND 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span class="emphasis"><em>This option is obsolete</em></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It was used in <acronym class="acronym">BIND</acronym> 8 to
c869993e79c1eafbec61a56bf6cea848fe754c71xy determine whether a transaction log was
c869993e79c1eafbec61a56bf6cea848fe754c71xy kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
c869993e79c1eafbec61a56bf6cea848fe754c71xy log whenever possible. If you need to disable outgoing
c869993e79c1eafbec61a56bf6cea848fe754c71xy incremental zone
c869993e79c1eafbec61a56bf6cea848fe754c71xy transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, then when generating
c869993e79c1eafbec61a56bf6cea848fe754c71xy responses the server will only add records to the authority
c869993e79c1eafbec61a56bf6cea848fe754c71xy and additional data sections when they are required (e.g.
c869993e79c1eafbec61a56bf6cea848fe754c71xy delegations, negative responses). This may improve the
c869993e79c1eafbec61a56bf6cea848fe754c71xy performance of the server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
c869993e79c1eafbec61a56bf6cea848fe754c71xy a domain name to have multiple CNAME records in violation of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
c869993e79c1eafbec61a56bf6cea848fe754c71xy always strictly enforces the CNAME rules both in master
c869993e79c1eafbec61a56bf6cea848fe754c71xy files and dynamic updates.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong> (the default),
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNS NOTIFY messages are sent when a zone the server is
c869993e79c1eafbec61a56bf6cea848fe754c71xy authoritative for
c869993e79c1eafbec61a56bf6cea848fe754c71xy changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
c869993e79c1eafbec61a56bf6cea848fe754c71xy sent to the
c869993e79c1eafbec61a56bf6cea848fe754c71xy servers listed in the zone's NS records (except the master
c869993e79c1eafbec61a56bf6cea848fe754c71xy server identified
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the SOA MNAME field), and to any servers listed in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">also-notify</strong></span> option.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>master-only</code></strong>, notifies are only
c869993e79c1eafbec61a56bf6cea848fe754c71xy for master zones.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
c869993e79c1eafbec61a56bf6cea848fe754c71xy servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">notify</strong></span> option may also be
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified in the <span><strong class="command">zone</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement,
c869993e79c1eafbec61a56bf6cea848fe754c71xy in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It would only be necessary to turn off this option if it
c869993e79c1eafbec61a56bf6cea848fe754c71xy caused slaves
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, and a
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNS query requests recursion, then the server will attempt
c869993e79c1eafbec61a56bf6cea848fe754c71xy all the work required to answer the query. If recursion is
c869993e79c1eafbec61a56bf6cea848fe754c71xy and the server does not already know the answer, it will
c869993e79c1eafbec61a56bf6cea848fe754c71xy referral response. The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
c869993e79c1eafbec61a56bf6cea848fe754c71xy clients from getting data from the server's cache; it only
c869993e79c1eafbec61a56bf6cea848fe754c71xy prevents new data from being cached as an effect of client
c869993e79c1eafbec61a56bf6cea848fe754c71xy Caching may still occur as an effect of the server's internal
c869993e79c1eafbec61a56bf6cea848fe754c71xy operation, such as NOTIFY address lookups.
c869993e79c1eafbec61a56bf6cea848fe754c71xy See also <span><strong class="command">fetch-glue</strong></span> above.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Setting this to <strong class="userinput"><code>yes</code></strong> will
c869993e79c1eafbec61a56bf6cea848fe754c71xy cause the server to send NS records along with the SOA
c869993e79c1eafbec61a56bf6cea848fe754c71xy record for negative
c869993e79c1eafbec61a56bf6cea848fe754c71xy answers. The default is <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Not yet implemented in <acronym class="acronym">BIND</acronym>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span class="emphasis"><em>This option is obsolete</em></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <acronym class="acronym">BIND</acronym> 9 always allocates query
c869993e79c1eafbec61a56bf6cea848fe754c71xy IDs from a pool.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, the server will collect
c869993e79c1eafbec61a56bf6cea848fe754c71xy statistical data on all zones (unless specifically turned
c869993e79c1eafbec61a56bf6cea848fe754c71xy on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the <span><strong class="command">zone</strong></span> statement).
c869993e79c1eafbec61a56bf6cea848fe754c71xy These statistics may be accessed
c869993e79c1eafbec61a56bf6cea848fe754c71xy using <span><strong class="command">rndc stats</strong></span>, which will
c869993e79c1eafbec61a56bf6cea848fe754c71xy dump them to the file listed
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the <span><strong class="command">statistics-file</strong></span>. See
c869993e79c1eafbec61a56bf6cea848fe754c71xy also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span class="emphasis"><em>This option is obsolete</em></span>.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If you need to disable IXFR to a particular server or
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl servers see
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl the information on the <span><strong class="command">provide-ixfr</strong></span> option
c869993e79c1eafbec61a56bf6cea848fe754c71xy in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy See the description of
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">provide-ixfr</strong></span> in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl See the description of
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">request-ixfr</strong></span> in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usage”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option was used in <acronym class="acronym">BIND</acronym>
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
c869993e79c1eafbec61a56bf6cea848fe754c71xy as a space or tab character,
c869993e79c1eafbec61a56bf6cea848fe754c71xy to facilitate loading of zone files on a UNIX system that
c869993e79c1eafbec61a56bf6cea848fe754c71xy were generated
c869993e79c1eafbec61a56bf6cea848fe754c71xy on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
c869993e79c1eafbec61a56bf6cea848fe754c71xy and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
c869993e79c1eafbec61a56bf6cea848fe754c71xy are always accepted,
c869993e79c1eafbec61a56bf6cea848fe754c71xy and the option is ignored.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy These options control the behavior of an authoritative
c869993e79c1eafbec61a56bf6cea848fe754c71xy server when
c869993e79c1eafbec61a56bf6cea848fe754c71xy answering queries which have additional data, or when
c869993e79c1eafbec61a56bf6cea848fe754c71xy following CNAME
c869993e79c1eafbec61a56bf6cea848fe754c71xy and DNAME chains.
c869993e79c1eafbec61a56bf6cea848fe754c71xy When both of these options are set to <strong class="userinput"><code>yes</code></strong>
c869993e79c1eafbec61a56bf6cea848fe754c71xy (the default) and a
c869993e79c1eafbec61a56bf6cea848fe754c71xy query is being answered from authoritative data (a zone
c869993e79c1eafbec61a56bf6cea848fe754c71xy configured into the server), the additional data section of
c869993e79c1eafbec61a56bf6cea848fe754c71xy reply will be filled in using data from other authoritative
c869993e79c1eafbec61a56bf6cea848fe754c71xy and from the cache. In some situations this is undesirable,
c869993e79c1eafbec61a56bf6cea848fe754c71xy as when there is concern over the correctness of the cache,
c869993e79c1eafbec61a56bf6cea848fe754c71xy in servers where slave zones may be added and modified by
c869993e79c1eafbec61a56bf6cea848fe754c71xy untrusted third parties. Also, avoiding
c869993e79c1eafbec61a56bf6cea848fe754c71xy the search for this additional data will speed up server
c869993e79c1eafbec61a56bf6cea848fe754c71xy operations
c869993e79c1eafbec61a56bf6cea848fe754c71xy at the possible expense of additional queries to resolve
c869993e79c1eafbec61a56bf6cea848fe754c71xy what would
c869993e79c1eafbec61a56bf6cea848fe754c71xy otherwise be provided in the additional section.
c869993e79c1eafbec61a56bf6cea848fe754c71xy For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
c869993e79c1eafbec61a56bf6cea848fe754c71xy records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
c869993e79c1eafbec61a56bf6cea848fe754c71xy if known, even though they are not in the example.com zone.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Setting these options to <span><strong class="command">no</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy disables this behavior and makes
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server only search for additional data in the zone it
c869993e79c1eafbec61a56bf6cea848fe754c71xy answers from.
c869993e79c1eafbec61a56bf6cea848fe754c71xy These options are intended for use in authoritative-only
c869993e79c1eafbec61a56bf6cea848fe754c71xy servers, or in authoritative-only views. Attempts to set
c869993e79c1eafbec61a56bf6cea848fe754c71xy them to <span><strong class="command">no</strong></span> without also
c869993e79c1eafbec61a56bf6cea848fe754c71xy specifying
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">recursion no</strong></span> will cause the
c869993e79c1eafbec61a56bf6cea848fe754c71xy ignore the options and log a warning message.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
c869993e79c1eafbec61a56bf6cea848fe754c71xy disables the use of the cache not only for additional data
c869993e79c1eafbec61a56bf6cea848fe754c71xy but also when looking up the answer. This is usually the
c869993e79c1eafbec61a56bf6cea848fe754c71xy behavior in an authoritative-only server where the
c869993e79c1eafbec61a56bf6cea848fe754c71xy correctness of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the cached data is an issue.
c869993e79c1eafbec61a56bf6cea848fe754c71xy When a name server is non-recursively queried for a name
c869993e79c1eafbec61a56bf6cea848fe754c71xy that is not
c869993e79c1eafbec61a56bf6cea848fe754c71xy below the apex of any served zone, it normally answers with
c869993e79c1eafbec61a56bf6cea848fe754c71xy "upwards referral" to the root servers or the servers of
c869993e79c1eafbec61a56bf6cea848fe754c71xy some other
c869993e79c1eafbec61a56bf6cea848fe754c71xy known parent of the query name. Since the data in an
c869993e79c1eafbec61a56bf6cea848fe754c71xy upwards referral
c869993e79c1eafbec61a56bf6cea848fe754c71xy comes from the cache, the server will not be able to provide
c869993e79c1eafbec61a56bf6cea848fe754c71xy referrals when <span><strong class="command">additional-from-cache no</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy has been specified. Instead, it will respond to such
c869993e79c1eafbec61a56bf6cea848fe754c71xy with REFUSED. This should not cause any problems since
c869993e79c1eafbec61a56bf6cea848fe754c71xy upwards referrals are not required for the resolution
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <strong class="userinput"><code>yes</code></strong>, then an
c869993e79c1eafbec61a56bf6cea848fe754c71xy IPv4-mapped IPv6 address will match any address match
c869993e79c1eafbec61a56bf6cea848fe754c71xy list entries that match the corresponding IPv4 address.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Enabling this option is sometimes useful on IPv6-enabled
c869993e79c1eafbec61a56bf6cea848fe754c71xy systems, to work around a kernel quirk that causes IPv4
c869993e79c1eafbec61a56bf6cea848fe754c71xy TCP connections such as zone transfers to be accepted
c869993e79c1eafbec61a56bf6cea848fe754c71xy on an IPv6 socket using mapped addresses, causing
c869993e79c1eafbec61a56bf6cea848fe754c71xy address match lists designed for IPv4 to fail to match.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The use of this option for any other purpose is discouraged.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone from its zone file or receives a new version of a slave
c869993e79c1eafbec61a56bf6cea848fe754c71xy file by a non-incremental zone transfer, it will compare
c869993e79c1eafbec61a56bf6cea848fe754c71xy the new version to the previous one and calculate a set
c869993e79c1eafbec61a56bf6cea848fe754c71xy of differences. The differences are then logged in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone's journal file such that the changes can be transmitted
c869993e79c1eafbec61a56bf6cea848fe754c71xy to downstream slaves as an incremental zone transfer.
c869993e79c1eafbec61a56bf6cea848fe754c71xy By allowing incremental zone transfers to be used for
c869993e79c1eafbec61a56bf6cea848fe754c71xy non-dynamic zones, this option saves bandwidth at the
c869993e79c1eafbec61a56bf6cea848fe754c71xy expense of increased CPU and memory consumption at the
c869993e79c1eafbec61a56bf6cea848fe754c71xy In particular, if the new version of a zone is completely
c869993e79c1eafbec61a56bf6cea848fe754c71xy different from the previous one, the set of differences
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be of a size comparable to the combined size of the
c869993e79c1eafbec61a56bf6cea848fe754c71xy old and new zone version, and the server will need to
c869993e79c1eafbec61a56bf6cea848fe754c71xy temporarily allocate memory to hold this complete
c869993e79c1eafbec61a56bf6cea848fe754c71xy difference set.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<p><span><strong class="command">ixfr-from-differences</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy also accepts <span><strong class="command">master</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">slave</strong></span> at the view and options
c869993e79c1eafbec61a56bf6cea848fe754c71xy levels which causes
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">ixfr-from-differences</strong></span> to apply to
c869993e79c1eafbec61a56bf6cea848fe754c71xy all <span><strong class="command">master</strong></span> or
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">slave</strong></span> zones respectively.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This should be set when you have multiple masters for a zone
c869993e79c1eafbec61a56bf6cea848fe754c71xy addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
c869993e79c1eafbec61a56bf6cea848fe754c71xy when the serial number on the master is less than what named
c869993e79c1eafbec61a56bf6cea848fe754c71xy has. The default is <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy named behaves as if it does not support DNSSEC.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <strong class="userinput"><code>yes</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Enable DNSSEC validation in named.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
c869993e79c1eafbec61a56bf6cea848fe754c71xy set to <strong class="userinput"><code>yes</code></strong> to be effective.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <strong class="userinput"><code>no</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Accept expired signatures when verifying DNSSEC signatures.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <strong class="userinput"><code>no</code></strong>.
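The option interactions described in this section can be checked mechanically: <strong class="command">additional-from-auth</strong> and <strong class="command">additional-from-cache</strong> are ignored unless <strong class="command">recursion no</strong> is set, <strong class="command">dnssec-validation</strong> needs <strong class="command">dnssec-enable yes</strong>, and several BIND 8 options have no effect. The following Python check is an added example, not part of the BIND documentation or distribution; its function names, finding texts and sample configurations are constructed for illustration, and it assumes that recursion defaults to yes.

```python
import re

# Options this section describes as obsolete, ignored or unimplemented in BIND 9.
NO_EFFECT = {
    "deallocate-on-exit", "fake-iquery", "fetch-glue", "has-old-clients",
    "host-statistics", "maintain-ixfr-base", "multiple-cnames",
    "treat-cr-as-space", "use-id-pool", "use-ixfr",
}
# Replacements the section names for some of those options.
HINTS = {
    "has-old-clients": "ignored; set auth-nxdomain yes and rfc2308-type1 no instead",
    "maintain-ixfr-base": "obsolete; use provide-ixfr no to disable outgoing IXFR",
    "use-ixfr": "obsolete; see provide-ixfr in the server statement",
}
# Defaults used when an option is absent. Assumption: recursion defaults to
# yes; the other values are the defaults stated in this section.
DEFAULTS = {
    "recursion": "yes",
    "additional-from-auth": "yes", "additional-from-cache": "yes",
    "dnssec-enable": "yes", "dnssec-validation": "no",
    "dnssec-accept-expired": "no",
}
BOOL = {"true": "yes", "1": "yes", "false": "no", "0": "no"}


def strip_comments(text):
    # named.conf accepts /* */, // and # comments. Simplification: a comment
    # marker inside a quoted string is not handled.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_statements(conf):
    """Return {name: value} for the simple 'name value;' statements at the
    top level of the options { ... } block; nested blocks are skipped."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return {}
    stmts, depth, cur = {}, 1, []
    for ch in text[m.end():]:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:          # closing brace of the options block
                break
        if ch == ";" and depth == 1:
            words = "".join(cur).split()
            if len(words) == 2:
                stmts[words[0]] = words[1].strip('"')
            cur = []
        else:
            cur.append(ch)
    return stmts


def value(opts, name):
    """Configured value of a boolean option, or its default, as yes/no."""
    raw = opts.get(name, DEFAULTS[name]).lower()
    return BOOL.get(raw, raw)


def audit(conf):
    """Return sorted (option, finding) pairs for the options block in conf."""
    opts = options_statements(conf)
    findings = [(n, HINTS.get(n, "no effect in BIND 9"))
                for n in NO_EFFECT & opts.keys()]
    if value(opts, "recursion") != "no":
        for name in ("additional-from-auth", "additional-from-cache"):
            if value(opts, name) == "no":
                findings.append((name, "ignored unless recursion no is also set"))
    if value(opts, "dnssec-validation") == "yes" and value(opts, "dnssec-enable") != "yes":
        findings.append(("dnssec-validation", "not effective without dnssec-enable yes"))
    if value(opts, "dnssec-accept-expired") == "yes":
        findings.append(("dnssec-accept-expired", "expired signatures are accepted"))
    return sorted(findings)


# Constructed sample configurations (not taken from a real server).
WEAK = """
options {
    directory "/var/named";
    recursion yes;               // recursion left on
    additional-from-auth no;     /* intended to isolate authoritative data */
    additional-from-cache no;
    dnssec-enable no;
    dnssec-validation yes;
    has-old-clients yes;         # BIND 8 leftovers
    use-id-pool yes;
    also-notify { 192.0.2.53; };
};
"""
FIXED = """
options {
    directory "/var/named";
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    dnssec-enable yes;
};
"""

if __name__ == "__main__":
    for option, finding in audit(WEAK):
        print(f"{option}: {finding}")
```
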
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specify whether query logging should be started when named
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">querylog</strong></span> is not specified,
c869993e79c1eafbec61a56bf6cea848fe754c71xy then the query logging
c869993e79c1eafbec61a56bf6cea848fe754c71xy is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option is used to restrict the character set and syntax
c869993e79c1eafbec61a56bf6cea848fe754c71xy certain domain names in master files and/or DNS responses
c869993e79c1eafbec61a56bf6cea848fe754c71xy from the network. The default varies according to usage
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy For <span><strong class="command">slave</strong></span> zones the default
c869993e79c1eafbec61a56bf6cea848fe754c71xy For answers received from the network (<span><strong class="command">response</strong></span>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy the default is <span><strong class="command">ignore</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The rules for legal hostnames and mail domains are derived
c869993e79c1eafbec61a56bf6cea848fe754c71xy from RFC 952 and RFC 821 as modified by RFC 1123.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<p><span><strong class="command">check-names</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy applies to the owner names of A, AAAA and MX records.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It also applies to the domain names in the RDATA of NS, SOA
c869993e79c1eafbec61a56bf6cea848fe754c71xy and MX records.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It also applies to the RDATA of PTR records where the owner
c869993e79c1eafbec61a56bf6cea848fe754c71xy name indicates that it is a reverse lookup of a hostname
c869993e79c1eafbec61a56bf6cea848fe754c71xy (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Check whether the MX record appears to refer to an IP address.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is to <span><strong class="command">warn</strong></span>. Other possible
c869993e79c1eafbec61a56bf6cea848fe754c71xy values are <span><strong class="command">fail</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option is used to check for non-terminal wildcards.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The use of non-terminal wildcards is almost always the
c869993e79c1eafbec61a56bf6cea848fe754c71xy result of a failure
c869993e79c1eafbec61a56bf6cea848fe754c71xy to understand the wildcard matching algorithm (RFC 1034).
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option
c869993e79c1eafbec61a56bf6cea848fe754c71xy affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
c869993e79c1eafbec61a56bf6cea848fe754c71xy for non-terminal wildcards and issue a warning.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Perform post load zone integrity checks on master
c869993e79c1eafbec61a56bf6cea848fe754c71xy zones. This checks that MX and SRV records refer
c869993e79c1eafbec61a56bf6cea848fe754c71xy to address (A or AAAA) records and that glue
c869993e79c1eafbec61a56bf6cea848fe754c71xy address records exist for delegated zones. For
c869993e79c1eafbec61a56bf6cea848fe754c71xy MX and SRV records only in-zone hostnames are
c869993e79c1eafbec61a56bf6cea848fe754c71xy checked (for out-of-zone hostnames use named-checkzone).
c869993e79c1eafbec61a56bf6cea848fe754c71xy For NS records only names below top of zone are
c869993e79c1eafbec61a56bf6cea848fe754c71xy checked (for out-of-zone names and glue consistency
c869993e79c1eafbec61a56bf6cea848fe754c71xy checks use named-checkzone). The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">check-integrity</strong></span> is set then
c869993e79c1eafbec61a56bf6cea848fe754c71xy fail, warn or ignore MX records that refer
c869993e79c1eafbec61a56bf6cea848fe754c71xy to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">check-integrity</strong></span> is set then
c869993e79c1eafbec61a56bf6cea848fe754c71xy fail, warn or ignore SRV records that refer
c869993e79c1eafbec61a56bf6cea848fe754c71xy to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When performing integrity checks, also check that
c869993e79c1eafbec61a56bf6cea848fe754c71xy sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When returning authoritative negative responses to
c869993e79c1eafbec61a56bf6cea848fe754c71xy SOA queries set the TTL of the SOA record returned in
c869993e79c1eafbec61a56bf6cea848fe754c71xy the authority section to zero.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <span><strong class="command">yes</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When caching a negative response to a SOA query
c869993e79c1eafbec61a56bf6cea848fe754c71xy set the TTL to zero.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <span><strong class="command">no</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When regenerating the RRSIGs following an UPDATE
c869993e79c1eafbec61a56bf6cea848fe754c71xy request to a secure zone, check the KSK flag on
c869993e79c1eafbec61a56bf6cea848fe754c71xy the DNSKEY RR to determine if this key should be
c869993e79c1eafbec61a56bf6cea848fe754c71xy used to generate the RRSIG. This flag is ignored
c869993e79c1eafbec61a56bf6cea848fe754c71xy if there are not DNSKEY RRs both with and without
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <span><strong class="command">yes</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Try to refresh the zone using TCP if UDP queries fail.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <span><strong class="command">yes</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The forwarding facility can be used to create a large site-wide
c869993e79c1eafbec61a56bf6cea848fe754c71xy cache on a few servers, reducing traffic over links to external
c869993e79c1eafbec61a56bf6cea848fe754c71xy name servers. It can also be used to allow queries by servers that
c869993e79c1eafbec61a56bf6cea848fe754c71xy do not have direct access to the Internet, but wish to look up
c869993e79c1eafbec61a56bf6cea848fe754c71xy names anyway. Forwarding occurs only on those queries for which
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server is not authoritative and does not have the answer in
c869993e79c1eafbec61a56bf6cea848fe754c71xy its cache.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option is only meaningful if the
c869993e79c1eafbec61a56bf6cea848fe754c71xy forwarders list is not empty. A value of <code class="varname">first</code>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the default, causes the server to query the forwarders
c869993e79c1eafbec61a56bf6cea848fe754c71xy first — and
c869993e79c1eafbec61a56bf6cea848fe754c71xy if that doesn't answer the question, the server will then
c869993e79c1eafbec61a56bf6cea848fe754c71xy the answer itself. If <code class="varname">only</code> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server will only query the forwarders.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies the IP addresses to be used
c869993e79c1eafbec61a56bf6cea848fe754c71xy for forwarding. The default is the empty list (no
c869993e79c1eafbec61a56bf6cea848fe754c71xy forwarding).
c869993e79c1eafbec61a56bf6cea848fe754c71xy Forwarding can also be configured on a per-domain basis, allowing
c869993e79c1eafbec61a56bf6cea848fe754c71xy for the global forwarding options to be overridden in a variety
c869993e79c1eafbec61a56bf6cea848fe754c71xy of ways. You can set particular domains to use different
c869993e79c1eafbec61a56bf6cea848fe754c71xy forwarders,
c869993e79c1eafbec61a56bf6cea848fe754c71xy or have a different <span><strong class="command">forward only/first</strong></span> behavior,
c869993e79c1eafbec61a56bf6cea848fe754c71xy or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called “<span><strong class="command">zone</strong></span> Statement Grammar”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2580737"></a>Dual-stack Servers</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Dual-stack servers are used as servers of last resort to work
c869993e79c1eafbec61a56bf6cea848fe754c71xy problems in reachability due to the lack of support for either IPv4
c869993e79c1eafbec61a56bf6cea848fe754c71xy on the host machine.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies host names or addresses of machines with access to
c869993e79c1eafbec61a56bf6cea848fe754c71xy both IPv4 and IPv6 transports. If a hostname is used, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server must be able
c869993e79c1eafbec61a56bf6cea848fe754c71xy to resolve the name using only the transport it has. If the
c869993e79c1eafbec61a56bf6cea848fe754c71xy machine is dual
c869993e79c1eafbec61a56bf6cea848fe754c71xy stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
c869993e79c1eafbec61a56bf6cea848fe754c71xy access to a transport has been disabled on the command line
c869993e79c1eafbec61a56bf6cea848fe754c71xy (e.g. <span><strong class="command">named -4</strong></span>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="access_control"></a>Access Control</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Access to the server can be restricted based on the IP address
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
c869993e79c1eafbec61a56bf6cea848fe754c71xy details on how to specify IP address lists.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to
c869993e79c1eafbec61a56bf6cea848fe754c71xy notify this server, a slave, of zone changes in addition
c869993e79c1eafbec61a56bf6cea848fe754c71xy to the zone masters.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">allow-notify</strong></span> may also be
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">zone</strong></span> statement, in which case
c869993e79c1eafbec61a56bf6cea848fe754c71xy it overrides the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">options allow-notify</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement. It is only meaningful
c869993e79c1eafbec61a56bf6cea848fe754c71xy for a slave zone. If not specified, the default is to
c869993e79c1eafbec61a56bf6cea848fe754c71xy process notify messages
c869993e79c1eafbec61a56bf6cea848fe754c71xy only from a zone's master.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to ask ordinary
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNS questions. <span><strong class="command">allow-query</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy also be specified in the <span><strong class="command">zone</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement, in which case it overrides the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">options allow-query</strong></span> statement.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If not specified, the default is to allow queries
c869993e79c1eafbec61a56bf6cea848fe754c71xy from all hosts.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">allow-query-cache</strong></span> is now
c869993e79c1eafbec61a56bf6cea848fe754c71xy used to specify access to the cache.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which local addresses can accept ordinary
c869993e79c1eafbec61a56bf6cea848fe754c71xy DNS questions. This makes it possible, for instance,
c869993e79c1eafbec61a56bf6cea848fe754c71xy to allow queries on internal-facing interfaces but
c869993e79c1eafbec61a56bf6cea848fe754c71xy disallow them on external-facing ones, without
c869993e79c1eafbec61a56bf6cea848fe754c71xy necessarily knowing the internal network's addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">allow-query-on</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy also be specified in the <span><strong class="command">zone</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement, in which case it overrides the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">options allow-query-on</strong></span> statement.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If not specified, the default is to allow queries
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl on all addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">allow-query-cache</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy used to specify access to the cache.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to get answers
c869993e79c1eafbec61a56bf6cea848fe754c71xy from the cache. The default is the built-in ACLs
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">localnets</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which local addresses can give answers
c869993e79c1eafbec61a56bf6cea848fe754c71xy from the cache. If not specified, the default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy to allow cache queries on any address,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">localnets</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to make recursive
c869993e79c1eafbec61a56bf6cea848fe754c71xy queries through this server. If not specified,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the default is to allow recursive queries from
c869993e79c1eafbec61a56bf6cea848fe754c71xy the built-in ACLs <span><strong class="command">localnets</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that disallowing recursive queries for a
c869993e79c1eafbec61a56bf6cea848fe754c71xy host does not prevent the host from retrieving
c869993e79c1eafbec61a56bf6cea848fe754c71xy data that is already in the server's cache.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which local addresses can accept recursive
c869993e79c1eafbec61a56bf6cea848fe754c71xy queries. If not specified, the default is to allow
c869993e79c1eafbec61a56bf6cea848fe754c71xy recursive queries on all addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to
c869993e79c1eafbec61a56bf6cea848fe754c71xy submit Dynamic DNS updates for master zones. The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy updates from all hosts. Note that allowing updates based
c869993e79c1eafbec61a56bf6cea848fe754c71xy on the requestor's IP address is insecure; see
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to
c869993e79c1eafbec61a56bf6cea848fe754c71xy submit Dynamic DNS updates to slave zones to be forwarded to
c869993e79c1eafbec61a56bf6cea848fe754c71xy master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy means that no update forwarding will be performed. To
c869993e79c1eafbec61a56bf6cea848fe754c71xy update forwarding, specify
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
c869993e79c1eafbec61a56bf6cea848fe754c71xy <strong class="userinput"><code>{ any; }</code></strong> is usually
c869993e79c1eafbec61a56bf6cea848fe754c71xy counterproductive, since
c869993e79c1eafbec61a56bf6cea848fe754c71xy the responsibility for update access control should rest
c869993e79c1eafbec61a56bf6cea848fe754c71xy master server, not the slaves.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that enabling the update forwarding feature on a slave
c869993e79c1eafbec61a56bf6cea848fe754c71xy may expose master servers relying on insecure IP address
c869993e79c1eafbec61a56bf6cea848fe754c71xy access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
c869993e79c1eafbec61a56bf6cea848fe754c71xy for more details.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy This option was introduced for the smooth transition from
c869993e79c1eafbec61a56bf6cea848fe754c71xy to A6 and from "nibble labels" to binary labels.
c869993e79c1eafbec61a56bf6cea848fe754c71xy However, since both A6 and binary labels were then
c869993e79c1eafbec61a56bf6cea848fe754c71xy deprecated,
c869993e79c1eafbec61a56bf6cea848fe754c71xy this option was also deprecated.
c869993e79c1eafbec61a56bf6cea848fe754c71xy It is now ignored with some warning messages.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies which hosts are allowed to
c869993e79c1eafbec61a56bf6cea848fe754c71xy receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy also be specified in the <span><strong class="command">zone</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement, in which
c869993e79c1eafbec61a56bf6cea848fe754c71xy case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If not specified, the default is to allow transfers to all
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies a list of addresses that the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server will not accept queries from or use to resolve a
c869993e79c1eafbec61a56bf6cea848fe754c71xy query. Queries
c869993e79c1eafbec61a56bf6cea848fe754c71xy from these addresses will not be responded to. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy The interfaces and ports that the server will answer queries
c869993e79c1eafbec61a56bf6cea848fe754c71xy from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
c869993e79c1eafbec61a56bf6cea848fe754c71xy an optional port, and an <code class="varname">address_match_list</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The server will listen on all interfaces allowed by the address
c869993e79c1eafbec61a56bf6cea848fe754c71xy match list. If a port is not specified, port 53 will be used.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Multiple <span><strong class="command">listen-on</strong></span> statements are
c869993e79c1eafbec61a56bf6cea848fe754c71xy For example,
c869993e79c1eafbec61a56bf6cea848fe754c71xy will enable the name server on port 53 for the IP address
c869993e79c1eafbec61a56bf6cea848fe754c71xy 5.6.7.8, and on port 1234 of an address on the machine in net
c869993e79c1eafbec61a56bf6cea848fe754c71xy 1.2 that is not 1.2.3.4.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no <span><strong class="command">listen-on</strong></span> is specified, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server will listen on port 53 on all interfaces.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">listen-on-v6</strong></span> option is used to
c869993e79c1eafbec61a56bf6cea848fe754c71xy specify the interfaces and the ports on which the server will
c869993e79c1eafbec61a56bf6cea848fe754c71xy for incoming queries sent using IPv6.
c869993e79c1eafbec61a56bf6cea848fe754c71xy as the <code class="varname">address_match_list</code> for the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">listen-on-v6</strong></span> option,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server does not bind a separate socket to each IPv6 interface
c869993e79c1eafbec61a56bf6cea848fe754c71xy address as it does for IPv4 if the operating system has enough API
c869993e79c1eafbec61a56bf6cea848fe754c71xy support for IPv6 (specifically if it conforms to RFC 3493 and RFC
c869993e79c1eafbec61a56bf6cea848fe754c71xy Instead, it listens on the IPv6 wildcard address.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If the system only has incomplete API support for IPv6, however,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the behavior is the same as that for IPv4.
c869993e79c1eafbec61a56bf6cea848fe754c71xy A list of particular IPv6 addresses can also be specified, in
c869993e79c1eafbec61a56bf6cea848fe754c71xy which case
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server listens on a separate socket for each specified
c869993e79c1eafbec61a56bf6cea848fe754c71xy regardless of whether the desired API is supported by the system.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Multiple <span><strong class="command">listen-on-v6</strong></span> options can
c869993e79c1eafbec61a56bf6cea848fe754c71xy For example,
c869993e79c1eafbec61a56bf6cea848fe754c71xylisten-on-v6 port 1234 { !2001:db8::/32; any; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy will enable the name server on port 53 for any IPv6 addresses
c869993e79c1eafbec61a56bf6cea848fe754c71xy (with a single wildcard socket),
c869993e79c1eafbec61a56bf6cea848fe754c71xy and on port 1234 of IPv6 addresses that are not in the prefix
c869993e79c1eafbec61a56bf6cea848fe754c71xy 2001:db8::/32 (with separate sockets for each matched address).
c869993e79c1eafbec61a56bf6cea848fe754c71xy To make the server not listen on any IPv6 address, use
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no <span><strong class="command">listen-on-v6</strong></span> option is
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server will not listen on any IPv6 address.
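How an address match list selects listening addresses, as an added example (not part of the BIND manual or ISC code). It assumes the first-match evaluation with `!` negation described in the manual's Address Match Lists section; the `listen-on` statements are constructed to match the IPv4 behaviour described above, and the interface addresses are constructed sample data.

```python
import ipaddress
import re

def parse_element(token):
    """Parse one element: '!1.2.3.4', '1.2/16', '2001:db8::/32', 'any' or 'none'."""
    token = token.strip()
    negated = token.startswith("!")
    body = token.lstrip("!").strip()
    if body in ("any", "none"):
        return negated, body
    if "/" in body and ":" not in body:
        addr, plen = body.split("/")
        # Abbreviated IPv4 prefixes such as "1.2/16" are padded to four octets.
        octets = addr.split(".")
        body = ".".join(octets + ["0"] * (4 - len(octets))) + "/" + plen
    return negated, ipaddress.ip_network(body, strict=False)

def parse_list(text):
    """Split '{ a; b; }' into parsed elements, preserving their order."""
    return [parse_element(t) for t in text.strip("{} \n").split(";") if t.strip()]

def matches(acl, address):
    """The first matching element decides; a negated match rejects; no match rejects."""
    ip = ipaddress.ip_address(address)
    for negated, net in acl:
        if net == "none":
            continue
        if net == "any" or (ip.version == net.version and ip in net):
            return not negated
    return False

# IPv4 listen-on only: listen-on-v6 { any; } uses one wildcard socket and is not modelled.
STATEMENT = re.compile(r"listen-on\s+(?:port\s+(\d+)\s+)?(\{[^}]*\})\s*;")

def listen_sockets(conf, interfaces):
    """Return the sorted (address, port) pairs the listen-on statements select."""
    sockets = set()
    for port, acl_text in STATEMENT.findall(conf):
        acl = parse_list(acl_text)
        for addr in interfaces:
            if matches(acl, addr):
                sockets.add((addr, int(port or 53)))  # port 53 when none is given
    return sorted(sockets)

# Constructed sample: statements matching the behaviour described in the text.
CONF = """
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
"""
# Constructed sample: addresses configured on the local machine.
INTERFACES = ["127.0.0.1", "5.6.7.8", "1.2.3.4", "1.2.9.9"]
# Same elements in the wrong order: 1.2/16 matches first, so the negation is dead.
MISORDERED = "listen-on port 1234 { 1.2/16; !1.2.3.4; };"

if __name__ == "__main__":
    print(listen_sockets(CONF, INTERFACES))
    print(listen_sockets(MISORDERED, INTERFACES))
```

The misordered list binds port 1234 on 1.2.3.4 as well, which is why negated elements must precede the broader prefix they carve out of.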
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="query_address"></a>Query Address</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy If the server doesn't know the answer to a question, it will
c869993e79c1eafbec61a56bf6cea848fe754c71xy query other name servers. <span><strong class="command">query-source</strong></span> specifies
c869993e79c1eafbec61a56bf6cea848fe754c71xy the address and port used for such queries. For queries sent over
c869993e79c1eafbec61a56bf6cea848fe754c71xy IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
c869993e79c1eafbec61a56bf6cea848fe754c71xy a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be used.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
c869993e79c1eafbec61a56bf6cea848fe754c71xy a pool of random unprivileged ports will be used. See the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">use-queryport-pool</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">queryport-pool-ports</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">queryport-pool-updateinterval</strong></span> options below for how the pool
c869993e79c1eafbec61a56bf6cea848fe754c71xy is configured.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">avoid-v4-udp-ports</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
c869993e79c1eafbec61a56bf6cea848fe754c71xy to prevent named
c869993e79c1eafbec61a56bf6cea848fe754c71xy from selecting certain ports.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The defaults are:
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting">query-source address * port *;
c869993e79c1eafbec61a56bf6cea848fe754c71xyquery-source-v6 address * port *;
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Enable the use of query port pools. By default query port
c869993e79c1eafbec61a56bf6cea848fe754c71xy pools are enabled unless there is an explicit port defined
c869993e79c1eafbec61a56bf6cea848fe754c71xy in <span><strong class="command">query-source</strong></span> or
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">query-source-v6</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specify how many pool ports to use. The default is 8.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specify how often, in minutes, the queryport pool
c869993e79c1eafbec61a56bf6cea848fe754c71xy should be recreated (new ports selected). The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy is 15 minutes.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy The address specified in the <span><strong class="command">query-source</strong></span> option
c869993e79c1eafbec61a56bf6cea848fe754c71xy is used for both UDP and TCP queries, but the port applies only
c869993e79c1eafbec61a56bf6cea848fe754c71xy to UDP queries. TCP queries always use a random
c869993e79c1eafbec61a56bf6cea848fe754c71xy unprivileged port.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Solaris 2.5.1 and earlier do not support setting the source
c869993e79c1eafbec61a56bf6cea848fe754c71xy address for TCP sockets.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy See also <span><strong class="command">transfer-source</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">notify-source</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <acronym class="acronym">BIND</acronym> has mechanisms in place to
c869993e79c1eafbec61a56bf6cea848fe754c71xy facilitate zone transfers
c869993e79c1eafbec61a56bf6cea848fe754c71xy and set limits on the amount of load that transfers place on the
c869993e79c1eafbec61a56bf6cea848fe754c71xy system. The following options apply to zone transfers.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Defines a global list of IP addresses of name servers
c869993e79c1eafbec61a56bf6cea848fe754c71xy that are also sent NOTIFY messages whenever a fresh copy of
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone is loaded, in addition to the servers listed in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone's NS records.
c869993e79c1eafbec61a56bf6cea848fe754c71xy This helps to ensure that copies of the zones will
c869993e79c1eafbec61a56bf6cea848fe754c71xy quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
c869993e79c1eafbec61a56bf6cea848fe754c71xy is given in a <span><strong class="command">zone</strong></span> statement,
c869993e79c1eafbec61a56bf6cea848fe754c71xy it will override
c869993e79c1eafbec61a56bf6cea848fe754c71xy the <span><strong class="command">options also-notify</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement. When a <span><strong class="command">zone notify</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy is set to <span><strong class="command">no</strong></span>, the IP
c869993e79c1eafbec61a56bf6cea848fe754c71xy addresses in the global <span><strong class="command">also-notify</strong></span> list will
c869993e79c1eafbec61a56bf6cea848fe754c71xy not be sent NOTIFY messages for that zone. The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy list (no global notification list).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Inbound zone transfers running longer than
c869993e79c1eafbec61a56bf6cea848fe754c71xy this many minutes will be terminated. The default is 120
c869993e79c1eafbec61a56bf6cea848fe754c71xy (2 hours). The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Inbound zone transfers making no progress
c869993e79c1eafbec61a56bf6cea848fe754c71xy in this many minutes will be terminated. The default is 60
c869993e79c1eafbec61a56bf6cea848fe754c71xy (1 hour). The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Outbound zone transfers running longer than
c869993e79c1eafbec61a56bf6cea848fe754c71xy this many minutes will be terminated. The default is 120
c869993e79c1eafbec61a56bf6cea848fe754c71xy (2 hours). The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Outbound zone transfers making no progress
c869993e79c1eafbec61a56bf6cea848fe754c71xy in this many minutes will be terminated. The default is 60
c869993e79c1eafbec61a56bf6cea848fe754c71xy minutes (1
c869993e79c1eafbec61a56bf6cea848fe754c71xy hour). The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Slave servers will periodically query master servers
c869993e79c1eafbec61a56bf6cea848fe754c71xy to find out if zone serial numbers have changed. Each such
c869993e79c1eafbec61a56bf6cea848fe754c71xy query uses
c869993e79c1eafbec61a56bf6cea848fe754c71xy a minute amount of the slave server's network bandwidth. To
c869993e79c1eafbec61a56bf6cea848fe754c71xy limit the amount of bandwidth used, BIND 9 limits the rate at which
c869993e79c1eafbec61a56bf6cea848fe754c71xy queries are
c869993e79c1eafbec61a56bf6cea848fe754c71xy sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
c869993e79c1eafbec61a56bf6cea848fe754c71xy an integer, is the maximum number of queries sent per
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is 20.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy In BIND 8, the <span><strong class="command">serial-queries</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy option set the maximum number of concurrent serial number queries
c869993e79c1eafbec61a56bf6cea848fe754c71xy allowed to be outstanding at any given time.
c869993e79c1eafbec61a56bf6cea848fe754c71xy BIND 9 does not limit the number of outstanding
c869993e79c1eafbec61a56bf6cea848fe754c71xy serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Instead, it limits the rate at which the queries are sent
c869993e79c1eafbec61a56bf6cea848fe754c71xy as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Zone transfers can be sent using two different formats,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">one-answer</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">many-answers</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">transfer-format</strong></span> option is used
c869993e79c1eafbec61a56bf6cea848fe754c71xy on the master server to determine which format it sends.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">one-answer</strong></span> uses one DNS message per
c869993e79c1eafbec61a56bf6cea848fe754c71xy resource record transferred.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">many-answers</strong></span> packs as many resource
c869993e79c1eafbec61a56bf6cea848fe754c71xy records as possible into a message.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">many-answers</strong></span> is more efficient, but is
c869993e79c1eafbec61a56bf6cea848fe754c71xy only supported by relatively new slave servers,
c869993e79c1eafbec61a56bf6cea848fe754c71xy such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
c869993e79c1eafbec61a56bf6cea848fe754c71xy 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">many-answers</strong></span> format is also supported by
c869993e79c1eafbec61a56bf6cea848fe754c71xy recent Microsoft Windows nameservers.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <span><strong class="command">many-answers</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">transfer-format</strong></span> may be overridden on a
c869993e79c1eafbec61a56bf6cea848fe754c71xy per-server basis by using the <span><strong class="command">server</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum number of inbound zone transfers
c869993e79c1eafbec61a56bf6cea848fe754c71xy that can be running concurrently. The default value is <code class="literal">10</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Increasing <span><strong class="command">transfers-in</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy speed up the convergence
c869993e79c1eafbec61a56bf6cea848fe754c71xy of slave zones, but it also may increase the load on the
c869993e79c1eafbec61a56bf6cea848fe754c71xy local system.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum number of outbound zone transfers
c869993e79c1eafbec61a56bf6cea848fe754c71xy that can be running concurrently. Zone transfer requests in
c869993e79c1eafbec61a56bf6cea848fe754c71xy excess of the limit will be refused. The default value is <code class="literal">10</code>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum number of inbound zone transfers
c869993e79c1eafbec61a56bf6cea848fe754c71xy that can be concurrently transferring from a given remote
c869993e79c1eafbec61a56bf6cea848fe754c71xy name server.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Increasing <span><strong class="command">transfers-per-ns</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy may speed up the convergence of slave zones, but it also may
c869993e79c1eafbec61a56bf6cea848fe754c71xy increase the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
c869993e79c1eafbec61a56bf6cea848fe754c71xy be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the <span><strong class="command">server</strong></span> statement.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<p><span><strong class="command">transfer-source</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy determines which local address will be bound to IPv4
c869993e79c1eafbec61a56bf6cea848fe754c71xy TCP connections used to fetch zones transferred
c869993e79c1eafbec61a56bf6cea848fe754c71xy inbound by the server. It also determines the
c869993e79c1eafbec61a56bf6cea848fe754c71xy source IPv4 address, and optionally the UDP port,
c869993e79c1eafbec61a56bf6cea848fe754c71xy used for the refresh queries and forwarded dynamic
c869993e79c1eafbec61a56bf6cea848fe754c71xy updates. If not set, it defaults to a system
c869993e79c1eafbec61a56bf6cea848fe754c71xy controlled value which will usually be the address
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the interface "closest to" the remote end. This
c869993e79c1eafbec61a56bf6cea848fe754c71xy address must appear in the remote end's
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">allow-transfer</strong></span> option for the
c869993e79c1eafbec61a56bf6cea848fe754c71xy zone being transferred, if one is specified. This
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement sets the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">transfer-source</strong></span> for all zones,
c869993e79c1eafbec61a56bf6cea848fe754c71xy but can be overridden on a per-view or per-zone
c869993e79c1eafbec61a56bf6cea848fe754c71xy basis by including a
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">transfer-source</strong></span> statement within
c869993e79c1eafbec61a56bf6cea848fe754c71xy the <span><strong class="command">view</strong></span> or
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">zone</strong></span> block in the configuration
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Solaris 2.5.1 and earlier does not support setting the
c869993e79c1eafbec61a56bf6cea848fe754c71xy source address for TCP sockets.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The same as <span><strong class="command">transfer-source</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy except zone transfers are performed using IPv6.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy An alternate transfer source if the one listed in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">transfer-source</strong></span> fails and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">use-alt-transfer-source</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy If you do not wish the alternate transfer source
c869993e79c1eafbec61a56bf6cea848fe754c71xy to be used, you should set
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">use-alt-transfer-source</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy appropriately and you should not depend upon
c869993e79c1eafbec61a56bf6cea848fe754c71xy getting an answer back to the first refresh
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy An alternate transfer source if the one listed in
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">transfer-source-v6</strong></span> fails and
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">use-alt-transfer-source</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Use the alternate transfer sources or not. If views are
c869993e79c1eafbec61a56bf6cea848fe754c71xy specified this defaults to <span><strong class="command">no</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy otherwise it defaults to
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">yes</strong></span> (for BIND 8
c869993e79c1eafbec61a56bf6cea848fe754c71xy compatibility).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<p><span><strong class="command">notify-source</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy determines which local source address, and
c869993e79c1eafbec61a56bf6cea848fe754c71xy optionally UDP port, will be used to send NOTIFY
c869993e79c1eafbec61a56bf6cea848fe754c71xy messages. This address must appear in the slave
c869993e79c1eafbec61a56bf6cea848fe754c71xy server's <span><strong class="command">masters</strong></span> zone clause or
fa25784ca4b51c206177d891a654f1d36a25d41fxy in an <span><strong class="command">allow-notify</strong></span> clause. This
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement sets the <span><strong class="command">notify-source</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy for all zones, but can be overridden on a per-zone or
c869993e79c1eafbec61a56bf6cea848fe754c71xy per-view basis by including a
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">notify-source</strong></span> statement within
c869993e79c1eafbec61a56bf6cea848fe754c71xy the <span><strong class="command">zone</strong></span> or
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">view</strong></span> block in the configuration
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Solaris 2.5.1 and earlier does not support setting the
c869993e79c1eafbec61a56bf6cea848fe754c71xy source address for TCP sockets.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Like <span><strong class="command">notify-source</strong></span>,
c869993e79c1eafbec61a56bf6cea848fe754c71xy but applies to notify messages sent to IPv6 addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2582244"></a>Bad UDP Port Lists</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
fa25784ca4b51c206177d891a654f1d36a25d41fxy of IPv4 and IPv6 UDP ports that will not be used as system
c869993e79c1eafbec61a56bf6cea848fe754c71xy assigned source ports for UDP sockets. These lists
c869993e79c1eafbec61a56bf6cea848fe754c71xy prevent named from choosing as its random source port a
c869993e79c1eafbec61a56bf6cea848fe754c71xy port that is blocked by your firewall. If a query went
c869993e79c1eafbec61a56bf6cea848fe754c71xy out with such a source port, the answer would not get by
c869993e79c1eafbec61a56bf6cea848fe754c71xy the firewall and the name server would have to query
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="id2582259"></a>Operating System Resource Limits</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The server's usage of many system resources can be limited.
fa25784ca4b51c206177d891a654f1d36a25d41fxy Scaled values are allowed when specifying resource limits. For
c869993e79c1eafbec61a56bf6cea848fe754c71xy example, <span><strong class="command">1G</strong></span> can be used instead of
fa25784ca4b51c206177d891a654f1d36a25d41fxy <span><strong class="command">1073741824</strong></span> to specify a limit of
c869993e79c1eafbec61a56bf6cea848fe754c71xy one gigabyte. <span><strong class="command">unlimited</strong></span> requests
fa25784ca4b51c206177d891a654f1d36a25d41fxy unlimited use, or the
c869993e79c1eafbec61a56bf6cea848fe754c71xy maximum available amount. <span><strong class="command">default</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy uses the limit
fa25784ca4b51c206177d891a654f1d36a25d41fxy that was in force when the server was started. See the description
c869993e79c1eafbec61a56bf6cea848fe754c71xy of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
fa25784ca4b51c206177d891a654f1d36a25d41fxy The following options set operating system resource limits for
c869993e79c1eafbec61a56bf6cea848fe754c71xy the name server process. Some operating systems don't support
c869993e79c1eafbec61a56bf6cea848fe754c71xy any of the limits. On such systems, a warning will be issued if
c869993e79c1eafbec61a56bf6cea848fe754c71xy the unsupported limit is used.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum size of a core dump. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum amount of data memory the server
fa25784ca4b51c206177d891a654f1d36a25d41fxy may use. The default is <code class="literal">default</code>.
fa25784ca4b51c206177d891a654f1d36a25d41fxy This is a hard limit on server memory usage.
fa25784ca4b51c206177d891a654f1d36a25d41fxy If the server attempts to allocate memory in excess of this
fa25784ca4b51c206177d891a654f1d36a25d41fxy limit, the allocation will fail, which may in turn leave
fa25784ca4b51c206177d891a654f1d36a25d41fxy the server unable to perform DNS service. Therefore,
fa25784ca4b51c206177d891a654f1d36a25d41fxy this option is rarely useful as a way of limiting the
fa25784ca4b51c206177d891a654f1d36a25d41fxy amount of memory used by the server, but it can be used
fa25784ca4b51c206177d891a654f1d36a25d41fxy to raise an operating system data size limit that is
fa25784ca4b51c206177d891a654f1d36a25d41fxy too small by default. If you wish to limit the amount
fa25784ca4b51c206177d891a654f1d36a25d41fxy of memory used by the server, use the
fa25784ca4b51c206177d891a654f1d36a25d41fxy <span><strong class="command">max-cache-size</strong></span> and
fa25784ca4b51c206177d891a654f1d36a25d41fxy <span><strong class="command">recursive-clients</strong></span>
fa25784ca4b51c206177d891a654f1d36a25d41fxy options instead.
fa25784ca4b51c206177d891a654f1d36a25d41fxy<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The maximum number of files the server
fa25784ca4b51c206177d891a654f1d36a25d41fxy may have open concurrently. The default is <code class="literal">unlimited</code>.
fa25784ca4b51c206177d891a654f1d36a25d41fxy<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The maximum amount of stack memory the server
fa25784ca4b51c206177d891a654f1d36a25d41fxy may use. The default is <code class="literal">default</code>.
fa25784ca4b51c206177d891a654f1d36a25d41fxy<a name="id2582510"></a>Server Resource Limits</h4></div></div></div>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The following options set limits on the server's
fa25784ca4b51c206177d891a654f1d36a25d41fxy resource consumption that are enforced internally by the
fa25784ca4b51c206177d891a654f1d36a25d41fxy server rather than the operating system.
fa25784ca4b51c206177d891a654f1d36a25d41fxy<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy This option is obsolete; it is accepted
fa25784ca4b51c206177d891a654f1d36a25d41fxy and ignored for BIND 8 compatibility. The option
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">max-journal-size</strong></span> performs a
fa25784ca4b51c206177d891a654f1d36a25d41fxy similar function in BIND 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy Sets a maximum size for each journal file
c869993e79c1eafbec61a56bf6cea848fe754c71xy (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
fa25784ca4b51c206177d891a654f1d36a25d41fxy approaches
fa25784ca4b51c206177d891a654f1d36a25d41fxy the specified size, some of the oldest transactions in the
fa25784ca4b51c206177d891a654f1d36a25d41fxy journal will be automatically removed. The default is
fa25784ca4b51c206177d891a654f1d36a25d41fxy<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy In BIND 8, specifies the maximum number of host statistics
c869993e79c1eafbec61a56bf6cea848fe754c71xy entries to be kept.
fa25784ca4b51c206177d891a654f1d36a25d41fxy Not implemented in BIND 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum number of simultaneous recursive lookups
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server will perform on behalf of clients. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy is <code class="literal">1000</code>. Because each recursing
c869993e79c1eafbec61a56bf6cea848fe754c71xy client uses a fair
c869993e79c1eafbec61a56bf6cea848fe754c71xy bit of memory, on the order of 20 kilobytes, the value of
fa25784ca4b51c206177d891a654f1d36a25d41fxy the <span><strong class="command">recursive-clients</strong></span> option may
fa25784ca4b51c206177d891a654f1d36a25d41fxy have to be decreased
fa25784ca4b51c206177d891a654f1d36a25d41fxy on hosts with limited memory.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The maximum number of simultaneous client TCP
c869993e79c1eafbec61a56bf6cea848fe754c71xy connections that the server will accept.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The maximum amount of memory to use for the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server's cache, in bytes. When the amount of data in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy cache reaches this limit, the server will cause records to expire
c869993e79c1eafbec61a56bf6cea848fe754c71xy prematurely so that the limit is not exceeded. In a server
fa25784ca4b51c206177d891a654f1d36a25d41fxy with multiple views, the limit applies separately to the cache of
c869993e79c1eafbec61a56bf6cea848fe754c71xy each view. The default is <code class="literal">unlimited</code>, meaning that
fa25784ca4b51c206177d891a654f1d36a25d41fxy records are purged from the cache only when their TTLs
fa25784ca4b51c206177d891a654f1d36a25d41fxy<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The listen queue depth. The default and minimum is 3.
fa25784ca4b51c206177d891a654f1d36a25d41fxy If the kernel supports the accept filter "dataready" this
fa25784ca4b51c206177d891a654f1d36a25d41fxy also controls how
fa25784ca4b51c206177d891a654f1d36a25d41fxy many TCP connections will be queued in kernel space
fa25784ca4b51c206177d891a654f1d36a25d41fxy waiting for
fa25784ca4b51c206177d891a654f1d36a25d41fxy some data before being passed to accept. Values less than 3
fa25784ca4b51c206177d891a654f1d36a25d41fxy will be silently raised.
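A rough memory estimate built from the limits described in this section, as an added example (not ISC code). The `options` dictionary shape, the function names and the K and M multipliers are assumptions of this example, and it counts only recursing clients and per-view caches.

```python
import re

# Scale factors for size_spec suffixes. The page confirms 1G = 1073741824;
# K and M as the matching powers of 1024 are this example's assumption.
_SCALE = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_SIZE_RE = re.compile(r"^(\d+)([KMG]?)$", re.IGNORECASE)

# "On the order of 20 kilobytes" per recursing client, from the text above.
BYTES_PER_RECURSIVE_CLIENT = 20 * 1024


def parse_size_spec(text):
    """Return a byte count, or the keyword 'unlimited' or 'default'."""
    word = text.strip()
    if word.lower() in ("unlimited", "default"):
        return word.lower()
    match = _SIZE_RE.match(word)
    if match is None:
        raise ValueError(f"not a size_spec: {text!r}")
    return int(match.group(1)) * _SCALE[match.group(2).upper()]


def memory_budget(options, views=1):
    """Estimate the memory bound implied by the server resource limits.

    options: dict of option name -> value string (hypothetical input shape).
    Returns (bound_in_bytes or None if unbounded, list of findings).
    """
    findings = []

    # recursive-clients defaults to 1000 per the text above.
    clients = int(options.get("recursive-clients", "1000"))
    client_bytes = clients * BYTES_PER_RECURSIVE_CLIENT

    # max-cache-size defaults to unlimited and applies to each view separately.
    cache = parse_size_spec(options.get("max-cache-size", "unlimited"))
    if isinstance(cache, int):
        bound = client_bytes + cache * max(views, 1)
    else:
        bound = None
        findings.append(
            "no numeric max-cache-size: records leave the cache only when "
            "their TTLs expire, so cache memory is unbounded"
        )

    # datasize is a hard limit: allocations beyond it fail outright.
    datasize = parse_size_spec(options.get("datasize", "default"))
    if isinstance(datasize, int) and (bound is None or bound > datasize):
        findings.append(
            "datasize hard limit is below the estimated bound: "
            "allocations may fail and DNS service may stop"
        )
    return bound, findings


if __name__ == "__main__":
    # Constructed sample settings, not taken from any real server.
    sample = {"recursive-clients": "1000", "max-cache-size": "256M",
              "datasize": "512M"}
    for view_count in (1, 2):
        print(view_count, memory_budget(sample, views=view_count))
```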
fa25784ca4b51c206177d891a654f1d36a25d41fxy<a name="id2582644"></a>Periodic Task Intervals</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The server will remove expired resource records
fa25784ca4b51c206177d891a654f1d36a25d41fxy from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is 60 minutes. The maximum value is 28 days
c869993e79c1eafbec61a56bf6cea848fe754c71xy (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy If set to 0, no periodic cleaning will occur.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
fa25784ca4b51c206177d891a654f1d36a25d41fxy The server will perform zone maintenance tasks
c869993e79c1eafbec61a56bf6cea848fe754c71xy for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
c869993e79c1eafbec61a56bf6cea848fe754c71xy interval expires. The default is 60 minutes. Reasonable
fa25784ca4b51c206177d891a654f1d36a25d41fxy values are up
c869993e79c1eafbec61a56bf6cea848fe754c71xy to 1 day (1440 minutes). The maximum value is 28 days
c869993e79c1eafbec61a56bf6cea848fe754c71xy (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy If set to 0, no zone maintenance for these zones will occur.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The server will scan the network interface list
c869993e79c1eafbec61a56bf6cea848fe754c71xy every <span><strong class="command">interface-interval</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy minutes. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy is 60 minutes. The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy If set to 0, interface scanning will only occur when
c869993e79c1eafbec61a56bf6cea848fe754c71xy the configuration file is loaded. After the scan, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy server will
c869993e79c1eafbec61a56bf6cea848fe754c71xy begin listening for queries on any newly discovered
c869993e79c1eafbec61a56bf6cea848fe754c71xy interfaces (provided they are allowed by the
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">listen-on</strong></span> configuration), and
c869993e79c1eafbec61a56bf6cea848fe754c71xy stop listening on interfaces that have gone away.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Name server statistics will be logged
c869993e79c1eafbec61a56bf6cea848fe754c71xy every <span><strong class="command">statistics-interval</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy minutes. The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy 60. The maximum value is 28 days (40320 minutes).
c869993e79c1eafbec61a56bf6cea848fe754c71xy If set to 0, no statistics will be logged.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Not yet implemented in
c869993e79c1eafbec61a56bf6cea848fe754c71xy All other things being equal, when the server chooses a name
c869993e79c1eafbec61a56bf6cea848fe754c71xy server to query from a list of name servers, it prefers the one that is
c869993e79c1eafbec61a56bf6cea848fe754c71xy topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy takes an <span><strong class="command">address_match_list</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy interprets it
c869993e79c1eafbec61a56bf6cea848fe754c71xy in a special way. Each top-level list element is assigned a distance.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Non-negated elements get a distance based on their position in the
c869993e79c1eafbec61a56bf6cea848fe754c71xy list, where the closer the match is to the start of the list, the
c869993e79c1eafbec61a56bf6cea848fe754c71xy shorter the distance is between it and the server. A negated match
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be assigned the maximum distance from the server. If there
c869993e79c1eafbec61a56bf6cea848fe754c71xy is no match, the address will get a distance which is further than
c869993e79c1eafbec61a56bf6cea848fe754c71xy any non-negated list element, and closer than any negated element.
c869993e79c1eafbec61a56bf6cea848fe754c71xy For example,
c869993e79c1eafbec61a56bf6cea848fe754c71xy will prefer servers on network 10 the most, followed by hosts
c869993e79c1eafbec61a56bf6cea848fe754c71xy on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
c869993e79c1eafbec61a56bf6cea848fe754c71xy exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
c869993e79c1eafbec61a56bf6cea848fe754c71xy is preferred least of all.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default topology is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<pre class="programlisting"> topology { localhost; localnets; };</pre>
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">topology</strong></span> option
c869993e79c1eafbec61a56bf6cea848fe754c71xy is not implemented in <acronym class="acronym">BIND</acronym> 9.
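The distance rules described above, worked through as an added example (not BIND source code). The function names, the Python list representation of an address_match_list and the numeric distance values are assumptions of this example; the sample list is constructed to fit the preferences described in the text, and only IPv4 is handled.

```python
import ipaddress


def _net(spec):
    """Expand a short prefix such as '10/8' or '1.2/16' to an ip_network."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))   # pad '1.2' to '1.2.0.0'
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"),
                                strict=False)


def _verdict(element, ip):
    """True for a match, False for a negated match, None for no opinion."""
    if isinstance(element, list):         # nested address_match_list
        for sub in element:
            result = _verdict(sub, ip)
            if result is not None:        # first matching sub-element decides
                return result
        return None
    negated = element.startswith("!")
    if ip in _net(element.lstrip("!")):
        return not negated
    return None


def topology_distance(match_list, address):
    """Distance of address under the topology rules; smaller is preferred.

    Non-negated match: 1-based position of the top-level element.
    No match:          further than every non-negated element.
    Negated match:     maximum distance, beyond the no-match case.
    """
    ip = ipaddress.ip_address(address)
    for position, element in enumerate(match_list, start=1):
        result = _verdict(element, ip)
        if result is True:
            return position
        if result is False:
            return len(match_list) + 2
    return len(match_list) + 1


def order_servers(match_list, candidates):
    """Sort candidate name server addresses, most preferred first."""
    return sorted(candidates, key=lambda a: topology_distance(match_list, a))


# Constructed list: network 10 first, 1.2.3/24 negated, then 1.2/16 and 3/8
# sharing one position as a nested list.
SAMPLE_TOPOLOGY = ["10/8", "!1.2.3/24", ["1.2/16", "3/8"]]

if __name__ == "__main__":
    servers = ["1.2.3.4", "8.8.8.8", "3.0.0.1", "10.0.0.1", "1.2.9.9"]
    for addr in order_servers(SAMPLE_TOPOLOGY, servers):
        print(addr, topology_distance(SAMPLE_TOPOLOGY, addr))
```

The negated element must come before the broader `1.2/16` entry, because the first top-level element that matches decides the distance.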
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The response to a DNS query may consist of multiple resource
c869993e79c1eafbec61a56bf6cea848fe754c71xy records (RRs) forming a resource records set (RRset).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The name server will normally return the
c869993e79c1eafbec61a56bf6cea848fe754c71xy RRs within the RRset in an indeterminate order
c869993e79c1eafbec61a56bf6cea848fe754c71xy (but see the <span><strong class="command">rrset-order</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The client resolver code should rearrange the RRs as appropriate,
c869993e79c1eafbec61a56bf6cea848fe754c71xy that is, using any addresses on the local net in preference to
c869993e79c1eafbec61a56bf6cea848fe754c71xy other addresses.
c869993e79c1eafbec61a56bf6cea848fe754c71xy However, not all resolvers can do this or are correctly
c869993e79c1eafbec61a56bf6cea848fe754c71xy configured.
c869993e79c1eafbec61a56bf6cea848fe754c71xy When a client is using a local server, the sorting can be performed
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the server, based on the client's address. This only requires
c869993e79c1eafbec61a56bf6cea848fe754c71xy configuring the name servers, not all the clients.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">sortlist</strong></span> statement (see below)
c869993e79c1eafbec61a56bf6cea848fe754c71xy takes an <span><strong class="command">address_match_list</strong></span> and
c869993e79c1eafbec61a56bf6cea848fe754c71xy interprets it even
c869993e79c1eafbec61a56bf6cea848fe754c71xy more specifically than the <span><strong class="command">topology</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy Each top level statement in the <span><strong class="command">sortlist</strong></span> must
c869993e79c1eafbec61a56bf6cea848fe754c71xy itself be an explicit <span><strong class="command">address_match_list</strong></span> with
c869993e79c1eafbec61a56bf6cea848fe754c71xy one or two elements. The first element (which may be an IP address,
c869993e79c1eafbec61a56bf6cea848fe754c71xy an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy of each top level list is checked against the source address of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the query until a match is found.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Once the source address of the query has been matched, if
c869993e79c1eafbec61a56bf6cea848fe754c71xy the top level statement contains only one element, the actual
c869993e79c1eafbec61a56bf6cea848fe754c71xy element that matched the source address is used to select the address
c869993e79c1eafbec61a56bf6cea848fe754c71xy in the response to move to the beginning of the response. If the
c869993e79c1eafbec61a56bf6cea848fe754c71xy statement is a list of two elements, then the second element is
c869993e79c1eafbec61a56bf6cea848fe754c71xy treated the same as the <span><strong class="command">address_match_list</strong></span> in
c869993e79c1eafbec61a56bf6cea848fe754c71xy a <span><strong class="command">topology</strong></span> statement. Each top
c869993e79c1eafbec61a56bf6cea848fe754c71xy level element
c869993e79c1eafbec61a56bf6cea848fe754c71xy is assigned a distance and the address in the response with the minimum
c869993e79c1eafbec61a56bf6cea848fe754c71xy distance is moved to the beginning of the response.
c869993e79c1eafbec61a56bf6cea848fe754c71xy In the following example, any queries received from any of
c869993e79c1eafbec61a56bf6cea848fe754c71xy the addresses of the host itself will get responses preferring addresses
c869993e79c1eafbec61a56bf6cea848fe754c71xy on any of the locally connected networks. Next most preferred are
c869993e79c1eafbec61a56bf6cea848fe754c71xy 192.168.3/24 network with no preference shown between these two
c869993e79c1eafbec61a56bf6cea848fe754c71xy networks. Queries received from a host on the 192.168.1/24 network
c869993e79c1eafbec61a56bf6cea848fe754c71xy will prefer other addresses on that network to the 192.168.2/24 and
c869993e79c1eafbec61a56bf6cea848fe754c71xy 192.168.3/24 networks. Queries received from a host on the 192.168.4/24
c869993e79c1eafbec61a56bf6cea848fe754c71xy or the 192.168.5/24 network will only prefer other addresses on
c869993e79c1eafbec61a56bf6cea848fe754c71xy their directly connected networks.
c869993e79c1eafbec61a56bf6cea848fe754c71xy { localhost; // IF the local host
c869993e79c1eafbec61a56bf6cea848fe754c71xy { localnets; // THEN first fit on the
c869993e79c1eafbec61a56bf6cea848fe754c71xy { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
c869993e79c1eafbec61a56bf6cea848fe754c71xy The following example will give reasonable behavior for the
c869993e79c1eafbec61a56bf6cea848fe754c71xy local host and hosts on directly connected networks. It is similar
c869993e79c1eafbec61a56bf6cea848fe754c71xy to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
c869993e79c1eafbec61a56bf6cea848fe754c71xy to queries from the local host will favor any of the directly connected
c869993e79c1eafbec61a56bf6cea848fe754c71xy networks. Responses sent to queries from any other hosts on a directly
c869993e79c1eafbec61a56bf6cea848fe754c71xy connected network will prefer addresses on that same network. Responses
c869993e79c1eafbec61a56bf6cea848fe754c71xy to other queries will not be sorted.
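c869993e79c1eafbec61a56bf6cea848fe754c71xy sortlist {
c869993e79c1eafbec61a56bf6cea848fe754c71xy { localhost; localnets; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy { localnets; };
c869993e79c1eafbec61a56bf6cea848fe754c71xy };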
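The two forms of top-level sortlist entry described in this section, side by side. This is an added example, not taken from the BIND manual; it reuses the 192.168.x/24 networks from the text above, arranged here for illustration.

```conf
options {
    sortlist {
        // Two-element entry: the first element is matched against the
        // source address of the query; the second is the preference list.
        // A client on 192.168.1/24 gets addresses on 192.168.1/24 first,
        // then addresses on 192.168.2/24 or 192.168.3/24. The nested list
        // gives those two networks equal preference.
        { 192.168.1/24;
            { 192.168.1/24;
                { 192.168.2/24; 192.168.3/24; }; }; };

        // One-element entry: the element that matched the source address
        // also selects the address moved to the front, so a client on
        // 192.168.4/24 prefers 192.168.4/24 and a client on 192.168.5/24
        // prefers 192.168.5/24.
        { { 192.168.4/24; 192.168.5/24; }; };

        // Entries are tried in order and the first match wins. A client
        // that matches no entry gets no sortlist preference applied.
    };
};
```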
c869993e79c1eafbec61a56bf6cea848fe754c71xy<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
c869993e79c1eafbec61a56bf6cea848fe754c71xy When multiple records are returned in an answer it may be
c869993e79c1eafbec61a56bf6cea848fe754c71xy useful to configure the order of the records placed into the response.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">rrset-order</strong></span> statement permits
c869993e79c1eafbec61a56bf6cea848fe754c71xy configuration
c869993e79c1eafbec61a56bf6cea848fe754c71xy of the ordering of the records in a multiple record response.
c869993e79c1eafbec61a56bf6cea848fe754c71xy See also the <span><strong class="command">sortlist</strong></span> statement,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy An <span><strong class="command">order_spec</strong></span> is defined as
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
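c869993e79c1eafbec61a56bf6cea848fe754c71xy [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
c869993e79c1eafbec61a56bf6cea848fe754c71xy order <em class="replaceable"><code>ordering</code></em>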
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The legal values for <span><strong class="command">ordering</strong></span> are:
c869993e79c1eafbec61a56bf6cea848fe754c71xy</colgroup>
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">fixed</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Records are returned in the order they
c869993e79c1eafbec61a56bf6cea848fe754c71xy are defined in the zone file.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">random</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Records are returned in some random order.
c869993e79c1eafbec61a56bf6cea848fe754c71xy <p><span><strong class="command">cyclic</strong></span></p>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Records are returned in a round-robin order.
c869993e79c1eafbec61a56bf6cea848fe754c71xy For example:
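c869993e79c1eafbec61a56bf6cea848fe754c71xy rrset-order {
c869993e79c1eafbec61a56bf6cea848fe754c71xy class IN type A name "host.example.com" order random;
c869993e79c1eafbec61a56bf6cea848fe754c71xy order cyclic;
c869993e79c1eafbec61a56bf6cea848fe754c71xy };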
c869993e79c1eafbec61a56bf6cea848fe754c71xy will cause any responses for type A records in class IN that
c869993e79c1eafbec61a56bf6cea848fe754c71xy have "<code class="literal">host.example.com</code>" as a
c869993e79c1eafbec61a56bf6cea848fe754c71xy suffix, to always be returned
c869993e79c1eafbec61a56bf6cea848fe754c71xy in random order. All other records are returned in cyclic order.
c869993e79c1eafbec61a56bf6cea848fe754c71xy If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
c869993e79c1eafbec61a56bf6cea848fe754c71xy they are not combined — the last one applies.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy The <span><strong class="command">rrset-order</strong></span> statement
c869993e79c1eafbec61a56bf6cea848fe754c71xy is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy BIND 9 currently does not fully support "fixed" ordering.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Sets the number of seconds to cache a
c869993e79c1eafbec61a56bf6cea848fe754c71xy lame server indication. 0 disables caching. (This is
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span class="bold"><strong>NOT</strong></span> recommended.)
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default is <code class="literal">600</code> (10 minutes) and the
c869993e79c1eafbec61a56bf6cea848fe754c71xy maximum value is
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy To reduce network traffic and increase performance,
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
c869993e79c1eafbec61a56bf6cea848fe754c71xy used to set a maximum retention time for these answers in
c869993e79c1eafbec61a56bf6cea848fe754c71xy the server
c869993e79c1eafbec61a56bf6cea848fe754c71xy in seconds. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
c869993e79c1eafbec61a56bf6cea848fe754c71xy 7 days and will
c869993e79c1eafbec61a56bf6cea848fe754c71xy be silently truncated to 7 days if set to a greater value.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Sets the maximum time for which the server will
c869993e79c1eafbec61a56bf6cea848fe754c71xy cache ordinary (positive) answers. The default is
c869993e79c1eafbec61a56bf6cea848fe754c71xy one week (7 days).
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy The minimum number of root servers that
c869993e79c1eafbec61a56bf6cea848fe754c71xy is required for a request for the root servers to be
c869993e79c1eafbec61a56bf6cea848fe754c71xy accepted. The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
c869993e79c1eafbec61a56bf6cea848fe754c71xy Not implemented in <acronym class="acronym">BIND</acronym> 9.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies the number of days into the
c869993e79c1eafbec61a56bf6cea848fe754c71xy future when DNSSEC signatures automatically generated as a result
c869993e79c1eafbec61a56bf6cea848fe754c71xy of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>)
c869993e79c1eafbec61a56bf6cea848fe754c71xy will expire. The default is <code class="literal">30</code> days.
c869993e79c1eafbec61a56bf6cea848fe754c71xy The maximum value is 10 years (3660 days). The signature
c869993e79c1eafbec61a56bf6cea848fe754c71xy inception time is unconditionally set to one hour before the
c869993e79c1eafbec61a56bf6cea848fe754c71xy current time
c869993e79c1eafbec61a56bf6cea848fe754c71xy to allow for a limited amount of clock skew.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy These options control the server's behavior on refreshing a zone
c869993e79c1eafbec61a56bf6cea848fe754c71xy (querying for SOA changes) or retrying failed transfers.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Usually the SOA values for the zone are used, but these values
c869993e79c1eafbec61a56bf6cea848fe754c71xy are set by the master, giving slave server administrators little
c869993e79c1eafbec61a56bf6cea848fe754c71xy control over their contents.
c869993e79c1eafbec61a56bf6cea848fe754c71xy These options allow the administrator to set a minimum and maximum
c869993e79c1eafbec61a56bf6cea848fe754c71xy refresh and retry time either per-zone, per-view, or globally.
c869993e79c1eafbec61a56bf6cea848fe754c71xy These options are valid for slave and stub zones,
c869993e79c1eafbec61a56bf6cea848fe754c71xy and clamp the SOA refresh and retry times to the specified values.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Sets the advertised EDNS UDP buffer size in bytes. Valid
c869993e79c1eafbec61a56bf6cea848fe754c71xy values are 512 to 4096 (values outside this range
c869993e79c1eafbec61a56bf6cea848fe754c71xy will be silently adjusted). The default value is
c869993e79c1eafbec61a56bf6cea848fe754c71xy 4096. The usual reason for setting edns-udp-size to
c869993e79c1eafbec61a56bf6cea848fe754c71xy a non-default value is to get UDP answers to pass
c869993e79c1eafbec61a56bf6cea848fe754c71xy through broken firewalls that block fragmented
c869993e79c1eafbec61a56bf6cea848fe754c71xy packets and/or block UDP packets that are greater
c869993e79c1eafbec61a56bf6cea848fe754c71xy than 512 bytes.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Sets the maximum EDNS UDP message size named will
c869993e79c1eafbec61a56bf6cea848fe754c71xy send in bytes. Valid values are 512 to 4096 (values outside
c869993e79c1eafbec61a56bf6cea848fe754c71xy this range will be silently adjusted). The default
c869993e79c1eafbec61a56bf6cea848fe754c71xy value is 4096. The usual reason for setting
c869993e79c1eafbec61a56bf6cea848fe754c71xy max-udp-size to a non-default value is to get UDP
c869993e79c1eafbec61a56bf6cea848fe754c71xy answers to pass through broken firewalls that
c869993e79c1eafbec61a56bf6cea848fe754c71xy block fragmented packets and/or block UDP packets
c869993e79c1eafbec61a56bf6cea848fe754c71xy that are greater than 512 bytes.
c869993e79c1eafbec61a56bf6cea848fe754c71xy<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
c869993e79c1eafbec61a56bf6cea848fe754c71xy Specifies the file format of zone files (see
c869993e79c1eafbec61a56bf6cea848fe754c71xy <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
c869993e79c1eafbec61a56bf6cea848fe754c71xy The default value is <code class="constant">text</code>, which is the
c869993e79c1eafbec61a56bf6cea848fe754c71xy standard textual representation. Files in other formats
c869993e79c1eafbec61a56bf6cea848fe754c71xy than <code class="constant">text</code> are typically expected
c869993e79c1eafbec61a56bf6cea848fe754c71xy to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
c869993e79c1eafbec61a56bf6cea848fe754c71xy Note that when a zone file in a different format than
c869993e79c1eafbec61a56bf6cea848fe754c71xy <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
c869993e79c1eafbec61a56bf6cea848fe754c71xy may omit some of the checks which would be performed for a
c869993e79c1eafbec61a56bf6cea848fe754c71xy file in the <code class="constant">text</code> format. In particular,
c869993e79c1eafbec61a56bf6cea848fe754c71xy <span><strong class="command">check-names</strong></span> checks do not apply
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl for the <code class="constant">raw</code> format. This means
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl a zone file in the <code class="constant">raw</code> format
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl must be generated with the same check level as that
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl specified in the <span><strong class="command">named</strong></span> configuration
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl file. This statement sets the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">masterfile-format</strong></span> for all zones,
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl but can be overridden on a per-zone or per-view basis
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl by including a <span><strong class="command">masterfile-format</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl statement within the <span><strong class="command">zone</strong></span> or
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">view</strong></span> block in the configuration file.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<p>These set the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl initial value (minimum) and maximum number of recursive
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl simultaneous clients for any given query
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl (<qname,qtype,qclass>) that the server will accept
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl before dropping additional clients. named will attempt to
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl self tune this value and changes will be logged. The
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl default values are 10 and 100.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl This value should reflect how many queries come in for
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl a given name in the time it takes to resolve that name.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If the number of queries exceeds this value, named will
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl assume that it is dealing with a non-responsive zone
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl and will drop additional queries. If it gets a response
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl after dropping queries, it will raise the estimate. The
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl estimate will then be lowered in 20 minutes if it has
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl remained unchanged.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If <span><strong class="command">clients-per-query</strong></span> is set to zero,
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl then there is no limit on the number of clients per query
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl and no queries will be dropped.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl then there is no upper bound other than imposed by
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">recursive-clients</strong></span>.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The server provides some helpful diagnostic information
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl through a number of built-in zones under the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl pseudo-top-level-domain <code class="literal">bind</code> in the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">CHAOS</strong></span> class. These zones are part of a
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl <span><strong class="command">CHAOS</strong></span> which is separate from the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl default view of
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl class <span><strong class="command">IN</strong></span>; therefore, any global
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl server options
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl such as <span><strong class="command">allow-query</strong></span> do not apply
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl to these zones.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl If you feel the need to disable these zones, use the options
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl that matches all clients.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The version the server should report
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl via a query of the name <code class="literal">version.bind</code>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The default is the real version number of this server.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Specifying <span><strong class="command">version none</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl disables processing of the queries.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The hostname the server should report via a query of
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl This defaults to the hostname of the machine hosting the
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl name server as
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl found by the gethostname() function. The primary purpose of such queries is to
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl identify which of a group of anycast servers is actually
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl disables processing of the queries.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The ID the server should report via a query of
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The primary purpose of such queries is to
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl identify which of a group of anycast servers is actually
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl disables processing of the queries.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl use the hostname as found by the gethostname() function.
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
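Both ways of suppressing the built-in information zones that this section names, shown together. This is an added example, not taken from the BIND manual; the view name `chaos-hidden` and the `<server>` placeholder are made up for illustration.

```conf
// Alternative 1: disable each built-in answer individually.
options {
    version   none;   // default would be the real version number
    hostname  none;   // default would be the gethostname() result
    server-id none;   // already the default; stated so a config audit sees it
};

// Alternative 2: hide the built-in CHAOS view behind an explicit one.
// Global options such as allow-query do not apply to the built-in view,
// so an ACL placed in "options" does not restrict these queries.
view "chaos-hidden" chaos {
    match-clients { any; };   // must match all clients to shadow the built-in view
    recursion no;
};
// Once any explicit view statement is present, every zone statement has to
// sit inside a view, so existing class IN zones move into a view of their own.

// Check after reloading the configuration:
//   dig @<server> version.bind TXT CH
// The answer should no longer carry the version string.
```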
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl Named has some built-in empty zones (SOA and NS records only).
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl These are for zones that should normally be answered locally
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl and for which queries should not be sent to the Internet's root
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl servers. The official servers which cover these namespaces
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl return NXDOMAIN responses to these queries. In particular,
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl these cover the reverse namespace for addresses from RFC 1918 and
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl RFC 3330. They also include the reverse namespace for IPv6 local
8bb4b220fdb894543e41a5f9037898cf3c3f312bgl addresses (locally assigned), IPv6 link local addresses, the IPv6
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="id2585504"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2585553"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2585633"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com zone
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com zone
zone "example.com" {
file "example-external.db";
<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2587097"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
status of infrastructure zones (e.g. COM, NET, ORG).
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2592123"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2592184"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2592322"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2592358"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension