Bv9ARM.ch06.html revision bd84b04e4fda4f41923bba6e7277546d87045b5a
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573300">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574165"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574423"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574891"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574915"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575009"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575144"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577350"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577447"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577611"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577729"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577750"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592974"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593477"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593530"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593897"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595777"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2599553">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601783">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602467">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602594">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602867"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
<p>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.
</p>
<p>
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
</p>
<div class="informaltable"><table border="1">
<tr><td></td><td>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
</td></tr>
<tr><td><code class="varname">address_match_list</code></td><td>
A list of one or more
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
</td></tr>
<tr><td></td><td>
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
A <code class="varname">masters_list</code> may include other
<code class="varname">masters_lists</code>.
</td></tr>
<tr><td></td><td>
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
</td></tr>
<tr><td></td><td>
A list of one or more <code class="varname">domain_name</code>
</td></tr>
<tr><td><code class="varname">dotted_decimal</code></td><td>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
</td></tr>
<tr><td></td><td>
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
</td></tr>
<tr><td></td><td>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
</td></tr>
<tr><td></td><td>
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
</td></tr>
<tr><td></td><td>
A <code class="varname">number</code> between 0 and 63, used
to select a differentiated services code point (DSCP)
value for use with outgoing traffic on operating systems
that support DSCP.
</td></tr>
<tr><td></td><td>
An IP port <code class="varname">number</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
</td></tr>
<tr><td></td><td>
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
Trailing zeros in an <code class="varname">ip_addr</code>
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
</td></tr>
<tr><td></td><td>
A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction
</td></tr>
<tr><td></td><td>
A list of one or more
separated by semicolons and ending with a semicolon.
</td></tr>
<tr><td></td><td>
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
</td></tr>
<tr><td></td><td>
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
</td></tr>
<tr><td></td><td>
A list of an <code class="varname">ip_port</code> or a port
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_high</code>, inclusive.
<code class="varname">port_low</code> must not be larger than
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.
</td></tr>
<tr><td></td><td>
A 64-bit unsigned integer, or the keywords
<strong class="userinput"><code>unlimited</code></strong> or
<strong class="userinput"><code>default</code></strong>.
Integers may take values
0 &lt;= value &lt;= 18446744073709551615, though
certain parameters
(such as <span><strong class="command">max-journal-size</strong></span>) may
use a more limited range within these extremes.
In most cases, setting a value to 0 does not
literally mean zero; it means "undefined" or
"as big as possible", depending on the context.
See the explanations of particular parameters
that use <code class="varname">size_spec</code>
for details on how they interpret its use.
Numeric values can optionally be followed by a
scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
for gigabytes, which scale by 1024, 1024*1024, and
1024*1024*1024 respectively.
<code class="varname">unlimited</code> generally means
"as big as possible", and is usually the best
way to safely set a very large number.
uses the limit that was in force when the server was started.
</td></tr>
<tr><td></td><td>
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
</td></tr>
<tr><td><code class="varname">dialup_option</code></td><td>
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
</td></tr>
</table></div>
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573131"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573159"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
</p>
<ul>
<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement</li>
<li>a nested address match list enclosed in braces</li>
</ul>
<p>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.
</p>
<p>
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.
</p>
<p>
When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.
</p>
<p>
The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>,
<span><strong class="command">blackhole</strong></span>, and
<span><strong class="command">keep-response-order</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
</p>
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews Order of insertion is significant. If more than one element
f8c47598b87a5eb5ff2ceda6c81d136212d59cefAutomatic Updater in an ACL is found to match a given IP address or prefix,
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington preference will be given to the one that came
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span class="emphasis"><em>first</em></span> in the ACL definition.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Because of this first-match behavior, an element that
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington defines a subset of another element in the list should
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater come before the broader element, regardless of whether
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater either is negated. For example, in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the 1.2.3.13 element is completely useless because the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington that problem by having 1.2.3.13 blocked by the negation, but
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington all other 1.2.3.* hosts fall through.
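The first-match rule described above, modelled in Python as an added example (it is not BIND's own code and not part of the original manual): it evaluates a list the way the text describes and flags elements that an earlier, broader element makes unreachable. It handles only IP address and prefix elements (no keys, named ACLs or nested lists), and the function names are assumptions made for this illustration.

```python
import ipaddress


def parse_element(text):
    """Parse one element: an optional '!' followed by an IP address or prefix."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    addr, _, plen = text.partition("/")
    if plen and ":" not in addr:
        # The manual writes IPv4 prefixes in short form (1.2.3/24); pad to four octets.
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return negated, ipaddress.ip_network(f"{addr}/{plen}" if plen else addr)


def parse_list(text):
    """Split a semicolon-separated address match list into (negated, network) pairs."""
    return [parse_element(e) for e in text.split(";") if e.strip()]


def evaluate(acl, address):
    """Access-control reading of a list: the first matching element decides.

    Returns (allowed, index_of_deciding_element). A non-negated match allows,
    a negated match denies, and no match at all denies (index None).
    """
    ip = ipaddress.ip_address(address)
    for index, (negated, net) in enumerate(acl):
        if ip in net:  # always False when the IP versions differ
            return (not negated, index)
    return (False, None)


def shadowed(acl):
    """Return (later_index, earlier_index) pairs where the later element can
    never decide a lookup because one earlier element already covers all of it.
    Coverage by a combination of several earlier elements is not checked.
    """
    findings = []
    for j, (_, later) in enumerate(acl):
        for i in range(j):
            earlier = acl[i][1]
            if earlier.version == later.version and later.subnet_of(earlier):
                findings.append((j, i))
                break
    return findings


if __name__ == "__main__":
    for text in ("1.2.3/24; ! 1.2.3.13;", "! 1.2.3.13; 1.2.3/24"):
        acl = parse_list(text)
        print(text, "->", evaluate(acl, "1.2.3.13"), "shadowed:", shadowed(acl))
```

Running `shadowed()` over each list in a configuration before deployment catches a negation that was placed after the broader element it was meant to carve an exception out of.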
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2573300"></a>Comment Syntax</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
f65d2e1c04c806a185bf9f3120e80692f5ccd5e6Automatic Updater comments to appear
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater file. To appeal to programmers of all kinds, they can be written
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
e062b72f783cdb436a1a57a630bdff471dbb3038Mark Andrews<a name="id2573383"></a>Syntax</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater# and perl</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h4 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2573413"></a>Definition and Usage</h4></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Comments may appear anywhere that whitespace may appear in
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater a <acronym class="acronym">BIND</acronym> configuration file.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater C-style comments start with the two characters /* (slash,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater star) and end with */ (star, slash). Because they are completely
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater delimited with these characters, they can be used to comment only
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater a portion of a line or to span multiple lines.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater C-style comments cannot be nested. For example, the following
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is not valid because the entire comment ends with the first */:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">/* This is the start of a comment.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater This is still part of the comment.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington/* This is an incorrect attempt at nesting a comment. */
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater This is no longer in any comment. */</pre>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews C++-style comments start with the two characters // (slash,
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews slash) and continue to the end of the physical line. They cannot
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be continued across multiple physical lines; to have one logical
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater comment span multiple lines, each line must use the // pair.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting">// This is the start of a comment. The next line
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews// is a new comment, even though it is logically
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater// part of the previous comment.</pre>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Shell-style (or perl-style, if you prefer) comments start
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater with the character <code class="literal">#</code> (number sign)
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and continue to the end of the
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater physical line, as in C++ comments.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"># This is the start of a comment. The next line
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington# is a new comment, even though it is logically
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater# part of the previous comment.</pre>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater You cannot use the semicolon (`;') character
af3e516f771c8ba376a8cd954a7233badfce8cdcAutomatic Updater to start a comment such as you would in a zone file. The
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews semicolon indicates the end of a configuration statement.</div>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews A <acronym class="acronym">BIND</acronym> 9 configuration consists of
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews statements and comments.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Statements end with a semicolon. Statements and comments are the
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews only elements that can appear without enclosing braces. Many
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews statements contain a block of sub-statements, which are also
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews terminated with a semicolon.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews The following statements are supported:
af3e516f771c8ba376a8cd954a7233badfce8cdcAutomatic Updater <p><span><strong class="command">acl</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater defines a named IP address
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater matching list, for access control and other uses.
5ae0e2c8b72fa44237edeb37d1945b1c3535ca39Automatic Updater <p><span><strong class="command">controls</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater declares control channels to be used
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington by the <span><strong class="command">rndc</strong></span> utility.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">include</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater includes a file.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">key</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater specifies key information for use in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington authentication and authorization using TSIG.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">logging</strong></span></p>
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington specifies what the server logs, and where
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater the log messages are sent.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">lwres</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configures <span><strong class="command">named</strong></span> to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">masters</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater defines a named masters list for
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington inclusion in stub and slave zones'
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">masters</strong></span> or
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">also-notify</strong></span> lists.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <p><span><strong class="command">options</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater controls global server configuration
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater options and sets defaults for other statements.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">server</strong></span></p>
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater sets certain configuration options on
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater a per-server basis.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">statistics-channels</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater declares communication channels to get access to
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <span><strong class="command">named</strong></span> statistics.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">trusted-keys</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington defines trusted DNSSEC keys.
fd7c65dce9c2b1a3d12ca4df9074cd38019fdb5fAutomatic Updater <p><span><strong class="command">managed-keys</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington lists DNSSEC keys to be kept up to date
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater using RFC 5011 trust anchor maintenance.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">view</strong></span></p>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater defines a view.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">zone</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington defines a zone.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater The <span><strong class="command">logging</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">options</strong></span> statements may only occur once per
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington configuration.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="id2574165"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
bd40cbcd09057ddfd043291aba82a56c90ec2523Automatic Updater address_match_list
};</pre>
a070512005933acaf17f635c6371e555425d9641Automatic Updater<div class="titlepage"><div><div><h3 class="title">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson The <span><strong class="command">acl</strong></span> statement assigns a symbolic
3341c8b653577f2f0cb8b72702ea6197035334ffMark Andrews name to an address match list. It gets its name from a primary
7932a7637170550bc53b38c35db9a0187dcb3d3bAutomatic Updater use of address match lists: Access Control Lists (ACLs).
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson The following ACLs are built-in:
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <p><span><strong class="command">any</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Matches all hosts.
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews <p><span><strong class="command">none</strong></span></p>
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews Matches no hosts.
10b4a0c3a4eec1b22b990c0a0595fbda51f54e94Automatic Updater <p><span><strong class="command">localhost</strong></span></p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews Matches the IPv4 and IPv6 addresses of all network
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews interfaces on the system. When addresses are
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews added or removed, the <span><strong class="command">localhost</strong></span>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews ACL element is updated to reflect the changes.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p><span><strong class="command">localnets</strong></span></p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews Matches any host on an IPv4 or IPv6 network
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews for which the system has an interface.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews When addresses are added or removed,
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews the <span><strong class="command">localnets</strong></span>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews ACL element is updated to reflect the changes.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews Some systems do not provide a way to determine the prefix lengths of
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews local IPv6 addresses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In such a case, <span><strong class="command">localnets</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews only matches the local
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574423"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">controls</strong></span> {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ inet ( ip_addr | * ) [ port ip_port ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews allow { <em class="replaceable"><code> address_match_list </code></em> }
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews keys { <em class="replaceable"><code>key_list</code></em> }; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ inet ...; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews keys { <em class="replaceable"><code>key_list</code></em> }; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ unix ...; ]
};</pre>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The <span><strong class="command">controls</strong></span> statement declares control
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews channels to be used by system administrators to control the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews operation of the name server. These control channels are
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews used by the <span><strong class="command">rndc</strong></span> utility to send
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews commands to and retrieve non-DNS results from a name server.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews An <span><strong class="command">inet</strong></span> control channel is a TCP socket
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews listening at the specified <span><strong class="command">ip_port</strong></span> on the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews interpreted as the IPv4 wildcard address; connections will be
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews accepted on any of the system's IPv4 addresses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To listen on the IPv6 wildcard address,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If you will only use <span><strong class="command">rndc</strong></span> on the local host,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews using the loopback address (<code class="literal">127.0.0.1</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews or <code class="literal">::1</code>) is recommended for maximum security.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If no port is specified, port 953 is used. The asterisk
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The ability to issue commands over the control channel is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews restricted by the <span><strong class="command">allow</strong></span> and
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">keys</strong></span> clauses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Connections to the control channel are permitted based on the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">address_match_list</strong></span>. This is for simple
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews IP address based filtering only; any <span><strong class="command">key_id</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews elements of the <span><strong class="command">address_match_list</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews are ignored.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews socket listening at the specified path in the file system.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Note that on some platforms (SunOS and Solaris) the permissions
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews (<span><strong class="command">perm</strong></span>) are applied to the parent directory
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews as the permissions on the socket itself are ignored.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The primary authorization mechanism of the command
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews channel is the <span><strong class="command">key_list</strong></span>, which
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews contains a list of <span><strong class="command">key_id</strong></span>s.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is authorized to execute commands over the control channel.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews for information about configuring keys in <span><strong class="command">rndc</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If no <span><strong class="command">controls</strong></span> statement is present,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">named</strong></span> will set up a default
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews control channel listening on the loopback address 127.0.0.1
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and its IPv6 counterpart ::1.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In this case, and also when the <span><strong class="command">controls</strong></span> statement
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is present but does not have a <span><strong class="command">keys</strong></span> clause,
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <span><strong class="command">named</strong></span> will attempt to load the command channel key
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews from the file <code class="filename">rndc.key</code> in
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews was specified as when <acronym class="acronym">BIND</acronym> was built).
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To create a <code class="filename">rndc.key</code> file, run
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <strong class="userinput"><code>rndc-confgen -a</code></strong>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The <code class="filename">rndc.key</code> feature was created to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews which did not have digital signatures on its command channel
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and still have <span><strong class="command">rndc</strong></span> work the same way
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is installed.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Since the <code class="filename">rndc.key</code> feature
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is only intended to allow the backward-compatible usage of
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <acronym class="acronym">BIND</acronym> 8 configuration files, this
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews feature does not
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews have a high degree of configurability. You cannot easily change
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the key name or the size of the secret, so you should make a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">rndc.conf</code> with your own key if you
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews wish to change
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews those things. The <code class="filename">rndc.key</code> file
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews also has its
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews permissions set such that only the owner of the file (the user that
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">named</strong></span> is running as) can access it.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If you desire greater flexibility in allowing other users to access
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">rndc</strong></span> commands, then you need to create a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">rndc.conf</code> file and make it group
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews readable by a group
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews that contains the users who should have access.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To disable the command channel, use an empty
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">controls</strong></span> statement:
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">controls { };</strong></span>.
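An added audit sketch in Python (not part of the manual or of BIND) that applies the rules of this section to a configuration file: it strips the three comment styles, then reports inet channels that listen beyond loopback, allow lists that contain any or an ignored key element, and channels without a keys clause. The sample configuration is constructed; the function names and finding labels are assumptions, and only inet channels with a flat allow list are parsed (unix channels are not examined).

```python
import ipaddress
import re

# Constructed sample configuration; the key name and secret are placeholders.
SAMPLE = '''
/* constructed sample, not a real deployment */
key "rndc-key" { algorithm hmac-sha256; secret "c2FtcGxlLW9ubHk="; };
controls {
    inet * port 953 allow { any; key "rndc-key"; } /* keys { "rndc-key"; } */ ;
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };  // loopback with a key
};
'''

# Quoted strings are matched first so comment markers inside them survive.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
INET = re.compile(
    r'\binet\s+(?P<addr>[^\s;{}]+)'
    r'(?:\s+port\s+(?P<port>\d+))?'
    r'\s+allow\s*\{(?P<allow>[^{}]*)\}'
    r'(?:\s*keys\s*\{(?P<keys>[^{}]*)\})?\s*;')


def strip_comments(conf):
    """Drop /* */, // and # comments; a C-style comment ends at the first */."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)


def controls_bodies(conf):
    """Return the text between the braces of each controls { ... } statement."""
    bodies = []
    for m in re.finditer(r'\bcontrols\s*\{', conf):
        depth, pos = 1, m.end()
        while pos < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[pos], 0)
            pos += 1
        bodies.append(conf[m.end():pos - 1])
    return bodies


def audit_controls(conf):
    """Return (channel, finding) pairs for the command channel configuration."""
    bodies = controls_bodies(strip_comments(conf))
    if not bodies:
        # No controls statement: named opens 127.0.0.1 and ::1 by default.
        return [("(none)", "default loopback channel, key is loaded from rndc.key")]
    findings = []
    for body in bodies:
        if not body.strip():
            findings.append(("controls", "command channel disabled"))
        for m in INET.finditer(body):
            addr, channel = m["addr"], "inet " + m["addr"]
            if addr == "*" or not ipaddress.ip_address(addr).is_loopback:
                findings.append((channel, "listens beyond loopback"))
            elements = [e.strip() for e in m["allow"].split(";") if e.strip()]
            if "any" in elements:
                findings.append((channel, "allow list contains any"))
            if any(re.match(r'!?\s*key\s', e) for e in elements):
                # key_id elements of the allow list are ignored on this channel.
                findings.append((channel, "key element in allow list is ignored"))
            if m["keys"] is None:
                findings.append((channel, "no keys clause, key is loaded from rndc.key"))
    return findings


if __name__ == "__main__":
    for channel, finding in audit_controls(SAMPLE):
        print(f"{channel}: {finding}")
```

In the sample, the commented-out keys clause on the wildcard channel is removed before parsing, so that channel is correctly reported as having no keys clause.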
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574782"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574800"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The <span><strong class="command">include</strong></span> statement inserts the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews specified file at the point where the <span><strong class="command">include</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statement is encountered. The <span><strong class="command">include</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statement facilitates the administration of configuration files
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews by permitting the reading or writing of some things but not
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews others. For example, the statement could include private keys
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews that are readable only by the name server.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574891"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews algorithm <em class="replaceable"><code>algorithm_id</code></em>;
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews secret <em class="replaceable"><code>secret_string</code></em>;
};</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574915"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">key</strong></span> statement defines a shared
secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
or the command channel
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
Usage”</a>).

The <span><strong class="command">key</strong></span> statement can occur at the top level
of the configuration file or inside a <span><strong class="command">view</strong></span>
statement. Keys defined in top-level <span><strong class="command">key</strong></span>
statements can be used in all views. Keys intended for use in
a <span><strong class="command">controls</strong></span> statement
(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
Usage”</a>)
must be defined at the top level.

The <em class="replaceable"><code>key_id</code></em>, also known as the
key name, is a domain name uniquely identifying the key. It can
be used in a <span><strong class="command">server</strong></span>
statement to cause requests sent to that
server to be signed with this key, or in address match lists to
verify that incoming requests have been signed with a key
matching this name, algorithm, and secret.

The <em class="replaceable"><code>algorithm_id</code></em> is a string
that specifies a security/authentication algorithm. The
<span><strong class="command">named</strong></span> server supports <code class="literal">hmac-md5</code>,
<code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
<code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
and <code class="literal">hmac-sha512</code> TSIG authentication.
Truncated hashes are supported by appending the minimum
number of required bits preceded by a dash, e.g.

The <em class="replaceable"><code>secret_string</code></em> is the secret
to be used by the algorithm, and is treated as a base-64
encoded string.
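An added example, not part of the BIND documentation: a Python check for a key statement written in the grammar above. It covers the listed algorithm_id values, the dash-and-bits truncation suffix, the base-64 secret, and the owner-only file mode that the include section suggests for key files. The function names, the upper bound on truncation bits and the choice of a secret as long as the digest are assumptions of this example, not named's own validation.

```python
import base64
import binascii
import os
import re
import secrets
import stat

# algorithm_id values the text lists, with the full HMAC output length in
# bits (standard digest sizes; the lengths are not stated in the text).
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}

# key key_id { algorithm algorithm_id; secret secret_string; };
KEY_RE = re.compile(
    r'key\s+"?(?P<key_id>[^\s"{]+)"?\s*\{\s*'
    r'algorithm\s+"?(?P<alg>[^\s";]+)"?\s*;\s*'
    r'secret\s+"?(?P<secret>[^\s";]+)"?\s*;\s*\}\s*;'
)


def make_key_statement(key_id, algorithm="hmac-sha256"):
    """Build a key statement with a random secret as long as the digest
    (the length is this example's choice)."""
    raw = secrets.token_bytes(DIGEST_BITS[algorithm] // 8)
    secret = base64.b64encode(raw).decode("ascii")
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' % (
        key_id, algorithm, secret)


def split_algorithm(algorithm_id):
    """Return (base algorithm, truncation bits or None)."""
    alg = algorithm_id.lower()
    if alg in DIGEST_BITS:
        return alg, None
    # Truncated form: the algorithm, a dash, then the minimum number of bits.
    head, _, tail = alg.rpartition("-")
    if head in DIGEST_BITS and tail.isdigit():
        return head, int(tail)
    return alg, None


def check_key_statement(text):
    """Return a list of problems in one key statement (empty if none)."""
    m = KEY_RE.search(text)
    if m is None:
        return ["not a key statement in the documented grammar"]
    problems = []
    base, bits = split_algorithm(m.group("alg"))
    if base not in DIGEST_BITS:
        problems.append("unsupported algorithm_id: " + m.group("alg"))
    elif bits is not None and not 0 < bits <= DIGEST_BITS[base]:
        # Sanity bound chosen for this example.
        problems.append("truncation to %d bits is outside 1..%d"
                        % (bits, DIGEST_BITS[base]))
    try:
        raw = base64.b64decode(m.group("secret"), validate=True)
    except (binascii.Error, ValueError):
        problems.append("secret_string is not valid base-64")
    else:
        if not raw:
            problems.append("secret_string decodes to zero bytes")
    return problems


def key_file_mode_problems(path):
    """Flag a key file that anyone other than its owner can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return ["%s has mode %04o; remove group/other access" % (path, mode)]
    return []


if __name__ == "__main__":
    statement = make_key_statement("host1-host2.")  # constructed key name
    print(statement)
    print(check_key_statement(statement))
    # Constructed bad input: truncation longer than the digest itself.
    print(check_key_statement(
        'key k { algorithm hmac-md5-999; secret "c2VjcmV0"; };'))
```
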
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575009"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">buffered</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575144"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">logging</strong></span> statement configures a
variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
associates output methods, format options and severity levels with
a name that can then be used with the <span><strong class="command">category</strong></span> phrase
to select how various classes of messages are logged.

Only one <span><strong class="command">logging</strong></span> statement is used to define
as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
the logging configuration will be:
<pre class="programlisting">logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
};
</pre>
If <span><strong class="command">named</strong></span> is started with the
<code class="option">-L</code> option, it logs to the specified file
at startup, instead of using syslog. In this case the logging
configuration will be:
<pre class="programlisting">logging {
    category default { default_logfile; default_debug; };
    category unmatched { null; };
};
</pre>
In <acronym class="acronym">BIND</acronym> 9, the logging configuration
is only established when
the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
established as soon as the <span><strong class="command">logging</strong></span> statement
was parsed. When the server is starting up, all logging messages
regarding syntax errors in the configuration file go to the default
channels, or to standard error if the <code class="option">-g</code> option
was specified.
<div class="titlepage"><div><div><h4 class="title">
<a name="id2575209"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
you can make as many of them as you want.

Every channel definition must include a destination clause that
says whether messages selected for the channel go to a file, to a
particular syslog facility, to the standard error stream, or are
discarded. It can optionally also limit the message severity level
that will be accepted by the channel (the default is
<span><strong class="command">info</strong></span>), and whether to include a
<span><strong class="command">named</strong></span>-generated time stamp, the category name
and/or severity level (the default is not to include any).

The <span><strong class="command">null</strong></span> destination clause
causes all messages sent to the channel to be discarded;
in that case, other options for the channel are meaningless.

The <span><strong class="command">file</strong></span> destination clause directs the channel
to a disk file. It can include limitations
both on how large the file is allowed to become, and how many versions
of the file will be saved each time the file is opened.

If you use the <span><strong class="command">versions</strong></span> log file option, then
<span><strong class="command">named</strong></span> will retain that many backup
versions of the file by
renaming them when opening. For example, if you choose to keep
three old versions
of the file <code class="filename">lamers.log</code>, then just
before it is opened
<code class="filename">lamers.log.1</code> is renamed to
<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
renamed to <code class="filename">lamers.log.0</code>.
You can say <span><strong class="command">versions unlimited</strong></span> to not limit
the number of versions.
If a <span><strong class="command">size</strong></span> option is associated with
the log file,
then renaming is only done when the file being opened exceeds the
indicated size. No backup versions are kept by default; any existing
log file is simply appended.

The <span><strong class="command">size</strong></span> option for files is used
to limit log
growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
associated with it. If backup versions are kept, the files are rolled as
described above and a new one begun. If there is no
<span><strong class="command">versions</strong></span> option, no more data will
be written to the log
until some out-of-band mechanism removes or truncates the log to
less than the
maximum size. The default behavior is not to limit the size of the file.

Example usage of the <span><strong class="command">size</strong></span> and
<span><strong class="command">versions</strong></span> options:
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
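An added example, not part of the BIND documentation: a small Python model of the versions and size rules described above, useful for seeing when a channel rolls its file and when it silently stops recording. The class name, the byte-count bookkeeping and the assumption that versions is at least 1 are this example's own; it follows the text, not named's source code.

```python
class FileChannel:
    """Model of a file destination with optional versions and size."""

    def __init__(self, name, versions=None, size=None, on_disk=None):
        self.name = name
        self.versions = versions          # None, an int >= 1, or "unlimited"
        self.size = size                  # None or a limit in bytes
        self.disk = dict(on_disk or {})   # file name -> current size in bytes
        self.lost = 0                     # messages that were never written

    def _roll(self):
        """name.1 -> name.2, name.0 -> name.1, name -> name.0, and so on."""
        if self.versions == "unlimited":
            top = 0
            while "%s.%d" % (self.name, top) in self.disk:
                top += 1                  # first unused index
        else:
            top = self.versions - 1       # highest index that is kept
        for i in range(top, 0, -1):
            older = "%s.%d" % (self.name, i - 1)
            if older in self.disk:
                # Overwrites the oldest backup when the limit is reached.
                self.disk["%s.%d" % (self.name, i)] = self.disk.pop(older)
        self.disk[self.name + ".0"] = self.disk.pop(self.name)

    def open(self):
        """Called when named opens the log file; must precede write()."""
        current = self.disk.get(self.name)
        if current is not None and self.versions is not None:
            # With a size option, renaming happens only for an oversize file.
            if self.size is None or current > self.size:
                self._roll()
        self.disk.setdefault(self.name, 0)   # otherwise simply appended to

    def write(self, nbytes):
        """Append one message; return False if it was not written."""
        if self.size is not None and self.disk[self.name] > self.size:
            if self.versions is None:
                # No versions option: nothing more is written until the
                # file is removed or truncated out of band.
                self.lost += 1
                return False
            self._roll()
            self.disk[self.name] = 0         # a new file is begun
        self.disk[self.name] += nbytes
        return True


def demo():
    """Constructed scenario: a size limit with no versions option."""
    channel = FileChannel("security.log", size=100)
    channel.open()
    written = [channel.write(60) for _ in range(4)]
    return written, channel.lost, channel.disk


if __name__ == "__main__":
    print(demo())
    rolled = FileChannel("lamers.log", versions=3, on_disk={
        "lamers.log": 10, "lamers.log.0": 20,
        "lamers.log.1": 30, "lamers.log.2": 40})
    rolled.open()
    print(rolled.disk)
```
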
The <span><strong class="command">syslog</strong></span> destination clause directs the
channel to the system log. Its argument is a
syslog facility as described in the <span><strong class="command">syslog</strong></span> man
page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
<span><strong class="command">local7</strong></span>, however not all facilities
are supported on
all operating systems.
How <span><strong class="command">syslog</strong></span> will handle messages sent to
this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
then this clause is silently ignored.

On Windows machines syslog messages are directed to the EventViewer.

The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
"priorities", except that they can also be used if you are writing
straight to a file rather than using <span><strong class="command">syslog</strong></span>.
Messages which are not at least of the severity level given will
not be selected for the channel; messages of higher severity
levels
will be accepted.

If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
will also determine what eventually passes through. For example,
defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
cause messages of severity <span><strong class="command">info</strong></span> and
<span><strong class="command">notice</strong></span> to
be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
messages of only <span><strong class="command">warning</strong></span> or higher,
then <span><strong class="command">syslogd</strong></span> would
print all messages it received from the channel.

The <span><strong class="command">stderr</strong></span> destination clause directs the
channel to the server's standard error stream. This is intended for
use when the server is running as a foreground process, for example
when debugging a configuration.

The server can supply extensive debugging information when
it is in debugging mode. If the server's global debug level is greater
than zero, then debugging mode will be active. The global debug
level is set either by starting the <span><strong class="command">named</strong></span> server
with the <code class="option">-d</code> flag followed by a positive integer,
or by running <span><strong class="command">rndc trace</strong></span>.
The global debug level
can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>. All debugging messages in the server have a debug
level, and higher debug levels give more detailed output. Channels
that specify a specific debug severity, for example:
<pre class="programlisting">channel specific_debug_level {
    severity debug 3;
};
</pre>
will get debugging output of level 3 or less any time the
server is in debugging mode, regardless of the global debugging
level. Channels with <span><strong class="command">dynamic</strong></span>
severity use the
server's global debug level to determine what messages to print.
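An added example, not part of the BIND documentation: a Python model of the two filters a message passes on its way to the system log, first the channel's severity (including debug N and dynamic) and then the syslog.conf selector. The numeric encoding, the mapping from named severities to syslog priorities, the treatment of a bare debug as level 1, and a dynamic channel accepting info and above when debugging is off are assumptions of this example.

```python
# named severities from the grammar; a larger number means more detail.
# Debug messages use their positive debug level.
NAMED_LEVEL = {"critical": -5, "error": -4, "warning": -3,
               "notice": -2, "info": -1}

# syslog.conf priorities, least severe first.
SYSLOG_PRIORITY = ["debug", "info", "notice", "warning",
                   "err", "crit", "alert", "emerg"]

# Assumed mapping from a named severity to the syslog priority it carries.
TO_SYSLOG = {"critical": "crit", "error": "err", "warning": "warning",
             "notice": "notice", "info": "info", "debug": "debug"}


def level(severity):
    """'warning' -> -3, 'debug 3' -> 3; a bare 'debug' is taken as level 1."""
    name, _, arg = severity.partition(" ")
    if name == "debug":
        return int(arg) if arg else 1
    return NAMED_LEVEL[name]


def channel_accepts(message, channel_severity, global_debug):
    """First filter: the severity clause of the channel."""
    msg = level(message)
    if msg > 0 and global_debug == 0:
        return False                  # debug output needs debugging mode
    if channel_severity == "dynamic":
        limit = global_debug          # follows -d / rndc trace
    else:
        limit = level(channel_severity)   # fixed, whatever the global level
    return msg <= limit


def syslogd_accepts(message, channel_facility, selector):
    """Second filter: one syslog.conf selector such as 'daemon.warning'."""
    facility, _, minimum = selector.partition(".")
    if facility not in ("*", channel_facility):
        return False
    sent_as = TO_SYSLOG[message.split()[0]]
    return SYSLOG_PRIORITY.index(sent_as) >= SYSLOG_PRIORITY.index(minimum)


def fate(message, channel_severity, global_debug,
         facility=None, selector=None):
    """Say where a message ends up; facility=None models a file channel."""
    if not channel_accepts(message, channel_severity, global_debug):
        return "dropped by channel"
    if facility is not None and not syslogd_accepts(message, facility, selector):
        return "dropped by syslogd"
    return "logged"


# Constructed sample messages, one per severity plus three debug levels.
MESSAGES = ["critical", "error", "warning", "notice", "info",
            "debug 1", "debug 3", "debug 5"]


def survey(channel_severity, global_debug, facility=None, selector=None):
    return {m: fate(m, channel_severity, global_debug, facility, selector)
            for m in MESSAGES}


if __name__ == "__main__":
    # The case from the text: channel daemon/debug, syslog.conf daemon.warning.
    for message, result in survey("debug", 1, "daemon", "daemon.warning").items():
        print("%-9s %s" % (message, result))
```
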
If <span><strong class="command">print-time</strong></span> has been turned on,
the date and time will be logged. <span><strong class="command">print-time</strong></span> may
be specified for a <span><strong class="command">syslog</strong></span> channel,
but is usually
pointless since <span><strong class="command">syslog</strong></span> also logs
the date and
time. If <span><strong class="command">print-category</strong></span> is
requested, then the
category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
be used in any combination, and will always be printed in the
following
order: time, category, severity. Here is an example where all
three <span><strong class="command">print-</strong></span> options
are on:

<code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>

If <span><strong class="command">buffered</strong></span> has been turned on, the output
to files will not be flushed after each log entry. By default
all log messages are flushed.

There are four predefined channels that are used for
<span><strong class="command">named</strong></span>'s default logging as follows.
If <span><strong class="command">named</strong></span> is started with the
<code class="option">-L</code> option then a
fifth channel <span><strong class="command">default_logfile</strong></span> is added.
How they are
used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-g' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};

channel default_logfile {
    // this channel is only present if named is
    // started with the -L option, whose argument
    // provides the file name
    file "...";
    // log at the server's current debug level
    severity dynamic;
};
</pre>
The <span><strong class="command">default_debug</strong></span> channel has the
special
property that it only produces output when the server's debug level is
nonzero. It normally writes to a file called <code class="filename">named.run</code>
in the server's working directory.

For security reasons, when the <code class="option">-u</code>
command line option is used, the <code class="filename">named.run</code> file
is created only after <span><strong class="command">named</strong></span> has
changed to the
new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
starting up and still running as root is discarded. If you need
to capture this output, you must run the server with the <code class="option">-L</code>
option to specify a default logfile, or the <code class="option">-g</code>
option to log to standard error which you can redirect to a file.

Once a channel is defined, it cannot be redefined. Thus you
cannot alter the built-in channels directly, but you can modify
the default logging by pointing categories at channels you have defined.
bbb069be941f649228760edcc241122933c066d2Automatic Updater<div class="titlepage"><div><div><h4 class="title">
713a5e3080f112b3efde9235e9c92035056ff966Automatic Updater<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
There are many categories, so you can send the logs you want
to see wherever you want, without seeing logs you don't want. If
you don't specify a list of channels for a category, then log
messages in that category will be sent to the <span><strong class="command">default</strong></span> category
instead. If you don't specify a default category, the following
"default default" is used:
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
If you start <span><strong class="command">named</strong></span> with the
<code class="option">-L</code> option then the default category is:
<pre class="programlisting">category default { default_logfile; default_debug; };
</pre>
As an example, let's say you want to log security events to
a file, but you also want to keep the default logging behavior. You'd
specify the following:
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
Following are the available categories and brief descriptions
of the types of log information they contain. More
categories may be added in future <acronym class="acronym">BIND</acronym> releases.
<div class="informaltable"><table border="1">
<p><span><strong class="command">default</strong></span></p>
The default category defines the logging
options for those categories where no specific
configuration has been
<p><span><strong class="command">general</strong></span></p>
The catch-all. Many things still aren't
classified into categories, and they all end up here.
<p><span><strong class="command">database</strong></span></p>
Messages relating to the databases used
internally by the name server to store zone and cache
<p><span><strong class="command">security</strong></span></p>
Approval and denial of requests.
<p><span><strong class="command">config</strong></span></p>
Configuration file parsing and processing.
<p><span><strong class="command">resolver</strong></span></p>
DNS resolution, such as the recursive
lookups performed on behalf of clients by a caching name
<p><span><strong class="command">xfer-in</strong></span></p>
Zone transfers the server is receiving.
<p><span><strong class="command">xfer-out</strong></span></p>
Zone transfers the server is sending.
<p><span><strong class="command">notify</strong></span></p>
The NOTIFY protocol.
<p><span><strong class="command">client</strong></span></p>
Processing of client requests.
<p><span><strong class="command">unmatched</strong></span></p>
Messages that <span><strong class="command">named</strong></span> was unable to determine the
class of or for which there was no matching <span><strong class="command">view</strong></span>.
A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
This category is best sent to a file or stderr, by
default it is sent to
the <span><strong class="command">null</strong></span> channel.
<p><span><strong class="command">network</strong></span></p>
Network operations.
<p><span><strong class="command">update</strong></span></p>
Dynamic updates.
<p><span><strong class="command">update-security</strong></span></p>
Approval and denial of update requests.
<p><span><strong class="command">queries</strong></span></p>
Specify where queries should be logged to.
At startup, specifying the category <span><strong class="command">queries</strong></span> will also
enable query logging unless <span><strong class="command">querylog</strong></span> option has been
The query log entry reports the client's IP
address and port number, and the query name,
class and type. Next it reports whether the
Recursion Desired flag was set (+ if set, -
if not set), if the query was signed (S),
if EDNS was in use along with the EDNS version
number (E(#)), if TCP was used (T), if DO
(DNSSEC Ok) was set (D), if CD (Checking
Disabled) was set (C), if a valid DNS Server
COOKIE was received (V), or if a DNS COOKIE
option without a valid Server COOKIE was
present (K). After this the destination
address the query was sent to is reported.
<code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
<code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
(The first part of this log message, showing the
client address/port number and query name, is
repeated in all subsequent log messages related
to the same query.)
<p><span><strong class="command">query-errors</strong></span></p>
Information about queries that resulted in some
<p><span><strong class="command">dispatch</strong></span></p>
Dispatching of incoming packets to the
server modules where they are to be processed.
<p><span><strong class="command">dnssec</strong></span></p>
DNSSEC and TSIG protocol processing.
<p><span><strong class="command">lame-servers</strong></span></p>
Lame servers. These are misconfigurations
in remote servers, discovered by BIND 9 when trying to
query those servers during resolution.
<p><span><strong class="command">delegation-only</strong></span></p>
Delegation only. Logs queries that have been
forced to NXDOMAIN as the result of a
delegation-only zone or a
<span><strong class="command">delegation-only</strong></span> in a
forward, hint or stub zone declaration.
<p><span><strong class="command">edns-disabled</strong></span></p>
Log queries that have been forced to use plain
DNS due to timeouts. This is often due to
the remote servers not being RFC 1034 compliant
(not always returning FORMERR or similar to
EDNS queries and other extensions to the DNS
when they are not understood). In other words, this is
targeted at servers that fail to respond to
DNS queries that they don't understand.
Note: the log message can also be due to
packet loss. Before reporting servers for
non-RFC 1034 compliance they should be re-tested
to determine the nature of the non-compliance.
This testing should prevent or reduce the
number of false-positive reports.
Note: eventually <span><strong class="command">named</strong></span> will have to stop
treating such timeouts as due to RFC 1034
non-compliance and start treating them as plain
packet loss. Falsely classifying packet
loss as due to RFC 1034 non-compliance impacts
DNSSEC validation, which requires EDNS for
the DNSSEC records to be returned.
<p><span><strong class="command">RPZ</strong></span></p>
Information about errors in response policy zone files,
rewritten responses, and at the highest
<span><strong class="command">debug</strong></span> levels, mere rewriting
<p><span><strong class="command">rate-limit</strong></span></p>
The start, periodic, and final notices of the
rate limiting of a stream of responses are logged at
<span><strong class="command">info</strong></span> severity in this category.
These messages include a hash value of the domain name
of the response and the name itself,
except when there is insufficient memory to record
the name for the final notice.
The final notice is normally delayed until about one
minute after rate limit stops.
A lack of memory can hurry the final notice,
in which case it starts with an asterisk (*).
Various internal events are logged at debug 1 level
Rate limiting of individual requests
is logged in the <span><strong class="command">query-errors</strong></span> category.
<p><span><strong class="command">cname</strong></span></p>
Logs nameservers that are skipped due to them being
a CNAME rather than A / AAAA records.
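A parser for the query log entry format described under the queries category, as an added example (not part of the BIND documentation or code). The function names, the dictionary keys and the third and fourth sample lines are assumptions made for illustration; the first two sample lines are the ones shown above.

```python
import re
from collections import Counter

# Single-letter flags that follow the +/- Recursion Desired marker,
# named here after the descriptions in the queries category text.
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}

# search() is used so that a timestamp/category prefix added by the
# logging channel does not prevent a match.
QUERY_RE = re.compile(
    r"client (?P<addr>\S+)#(?P<port>\d+) \((?P<label>[^)]*)\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<rd>[+-])(?P<flags>(?:E(?:\(\d+\))?|[STDCVK])*)"
    r"(?: \((?P<dest>[^)]+)\))?\s*$"
)
FLAG_RE = re.compile(r"E(?:\((?P<ver>\d+)\))?|[STDCVK]")

# Lines 1-2 are the samples from the text; lines 3-4 are constructed.
SAMPLE_LINES = [
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    "13-Mar-2015 10:00:01.123 queries: info: client 192.0.2.10#40000 "
    "(example.org): query: example.org IN ANY -E(0)TDK (198.51.100.53)",
    "client 127.0.0.1#61502: query failed (SERVFAIL) for "
    "www.example.com/IN/AAAA at query.c:3880",
]


def parse_query_line(line):
    """Return a dict for one query log entry, or None for any other line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = {
        "client": m.group("addr"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion_desired": m.group("rd") == "+",
        "edns": False,
        "edns_version": None,          # stays None when E carries no (#)
        "destination": m.group("dest"),  # None when not logged
    }
    for name in FLAG_NAMES.values():
        rec[name] = False
    for f in FLAG_RE.finditer(m.group("flags")):
        token = f.group(0)
        if token.startswith("E"):
            rec["edns"] = True
            if f.group("ver") is not None:
                rec["edns_version"] = int(f.group("ver"))
        else:
            rec[FLAG_NAMES[token]] = True
    return rec


def summarize(lines):
    """Per client address, count queries and how often each flag was set."""
    per_client = {}
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        counts = per_client.setdefault(rec["client"], Counter())
        counts["queries"] += 1
        for name in ("recursion_desired", "edns", *FLAG_NAMES.values()):
            if rec[name]:
                counts[name] += 1
    return per_client


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LINES).items():
        print(client, dict(counts))
```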
<div class="titlepage"><div><div><h4 class="title">
<a name="id2576830"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
The <span><strong class="command">query-errors</strong></span> category is
specifically intended for debugging purposes: to identify
why and how specific queries result in responses which
indicate an error.
Messages of this category are therefore only logged
with <span><strong class="command">debug</strong></span> levels.
At debug levels of 1 or higher, each response with the
rcode of SERVFAIL is logged as follows:
<code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
This means an error resulting in SERVFAIL was
detected at line 3880 of source file
Log messages of this level will particularly
help identify the cause of SERVFAIL for an
authoritative server.
At debug levels of 2 or higher, detailed context
information of recursive resolutions that resulted in
SERVFAIL is logged.
The log message will look as follows:
<pre class="programlisting">
fetch completed at resolver.c:2970 for www.example.com/A
in 30.000183: timed out/success [domain:example.com,
referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
badresp:1,adberr:0,findfail:0,valfail:0]
</pre>
The first part before the colon shows that a recursive
resolution for AAAA records of www.example.com completed
in 30.000183 seconds and the final result that led to the
SERVFAIL was determined at line 2970 of source file
The following part shows the detected final result and the
latest result of DNSSEC validation.
The latter is always success when no validation attempt
In this example, this query resulted in SERVFAIL probably
because all name servers are down or unreachable, leading
to a timeout in 30 seconds.
DNSSEC validation was probably not attempted.
The last part enclosed in square brackets shows statistics
information collected for this particular resolution
The <code class="varname">domain</code> field shows the deepest zone
that the resolver reached;
it is the zone where the error was finally detected.
The meaning of the other fields is summarized in the
following table.
<div class="informaltable"><table border="1">
<p><code class="varname">referral</code></p>
The number of referrals the resolver received
throughout the resolution process.
In the above example this is 2, which are most
<p><code class="varname">restart</code></p>
The number of cycles that the resolver tried
remote servers at the <code class="varname">domain</code>
In each cycle the resolver sends one query
(possibly resending it, depending on the response)
to each known name server of
the <code class="varname">domain</code> zone.
<p><code class="varname">qrysent</code></p>
The number of queries the resolver sent at the
<p><code class="varname">timeout</code></p>
The number of timeouts since the resolver
received the last response.
The number of lame servers the resolver detected
at the <code class="varname">domain</code> zone.
A server is detected to be lame either by an
invalid response or as a result of lookup in
BIND9's address database (ADB), where lame
servers are cached.
<p><code class="varname">neterr</code></p>
The number of erroneous results that the
resolver encountered in sending queries
at the <code class="varname">domain</code> zone.
One common case is the remote server is
unreachable and the resolver receives an ICMP
unreachable error message.
The number of unexpected responses (other than
<code class="varname">lame</code>) to queries sent by the
resolver at the <code class="varname">domain</code> zone.
<p><code class="varname">adberr</code></p>
Failures in finding remote server addresses
of the <code class="varname">domain</code> zone in the ADB.
One common case of this is that the remote
server's name does not have any address records.
<p><code class="varname">findfail</code></p>
Failures of resolving remote server addresses.
This is a total number of failures throughout
the resolution process.
<p><code class="varname">valfail</code></p>
Failures of DNSSEC validation.
Validation failures are counted throughout
the resolution process (not limited to
the <code class="varname">domain</code> zone), but should
only happen in <code class="varname">domain</code>.
At the debug levels of 3 or higher, the same messages
as those at the debug 1 level are logged for other errors
than SERVFAIL.
Note that negative responses such as NXDOMAIN are not
regarded as errors here.
At the debug levels of 4 or higher, the same messages
as those at the debug 2 level are logged for other errors
than SERVFAIL.
Unlike the above case of level 3, messages are logged for
negative responses.
This is because any unexpected results can be difficult to
debug in the recursion case.
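A parser for the debug level 2 "fetch completed" message and its bracketed statistics, as an added example (not part of the BIND documentation or code). The function names and the second sample line, including its result strings, are constructed for illustration; the first sample is the message shown above, with its display line breaks.

```python
import re

# Counters from the statistics block whose non-zero value points at a kind
# of failure; referral, restart and qrysent describe effort, not errors.
ERROR_COUNTERS = ("timeout", "lame", "neterr", "badresp",
                  "adberr", "findfail", "valfail")

FETCH_RE = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) "
    r"for (?P<name>\S+)/(?P<qtype>\w+) "
    r"in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<validation>[^\[]+?) "
    r"\[(?P<stats>[^\]]*)\]"
)

# The message as printed in the text above (wrapped over four lines).
PAGE_SAMPLE = (
    "fetch completed at resolver.c:2970 for www.example.com/A\n"
    "in 30.000183: timed out/success [domain:example.com,\n"
    "referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,\n"
    "badresp:1,adberr:0,findfail:0,valfail:0]"
)
# Constructed sample; the result strings here are placeholders.
CONSTRUCTED_SAMPLE = (
    "fetch completed at resolver.c:2970 for signed.example.net/A "
    "in 0.412345: failure/broken trust chain [domain:example.net,"
    "referral:1,restart:1,qrysent:3,timeout:0,lame:0,neterr:0,"
    "badresp:0,adberr:0,findfail:0,valfail:2]"
)


def parse_fetch_line(text):
    """Parse one 'fetch completed' message; return None for anything else."""
    joined = " ".join(text.split())  # undo display wrapping
    m = FETCH_RE.search(joined)
    if m is None:
        return None
    stats = {}
    for item in m.group("stats").split(","):
        key, sep, value = item.strip().partition(":")
        if not sep:
            continue
        # domain is a zone name; every other field is a counter.
        if key != "domain" and value.isdigit():
            stats[key] = int(value)
        else:
            stats[key] = value
    return {
        "source": (m.group("file"), int(m.group("line"))),
        "name": m.group("name"),
        "qtype": m.group("qtype"),
        "elapsed": float(m.group("secs")),
        "result": m.group("result"),
        "validation": m.group("validation"),
        "stats": stats,
    }


def failure_signals(rec):
    """List the error counters that are non-zero, in a fixed order."""
    return [k for k in ERROR_COUNTERS
            if isinstance(rec["stats"].get(k), int) and rec["stats"][k] > 0]


def zones_with_validation_failures(messages):
    """Zones (domain field) where valfail > 0 or validation did not succeed."""
    zones = set()
    for text in messages:
        rec = parse_fetch_line(text)
        if rec is None:
            continue
        if "valfail" in failure_signals(rec) or rec["validation"] != "success":
            zones.add(rec["stats"].get("domain"))
    return sorted(z for z in zones if z)


if __name__ == "__main__":
    rec = parse_fetch_line(PAGE_SAMPLE)
    print(rec["name"], rec["result"], failure_signals(rec))
    print(zones_with_validation_failures([PAGE_SAMPLE, CONSTRUCTED_SAMPLE]))
```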
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577350"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
This is the grammar of the <span><strong class="command">lwres</strong></span>
statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
                [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
    [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
    [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
    [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> lwres-tasks <em class="replaceable"><code>number</code></em>; </span>]
    [<span class="optional"> lwres-clients <em class="replaceable"><code>number</code></em>; </span>]
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577447"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
The <span><strong class="command">lwres</strong></span> statement configures the
server to also act as a lightweight resolver server. (See
<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
<span><strong class="command">lwres</strong></span> statements configuring
lightweight resolver servers with different properties.
The <span><strong class="command">listen-on</strong></span> statement specifies a
list of IPv4 addresses (and ports) that this instance of a lightweight
resolver daemon
should accept requests on. If no port is specified, port 921 is
If this statement is omitted, requests will be accepted on
The <span><strong class="command">view</strong></span> statement binds this
lightweight resolver daemon to a view in the DNS namespace, so that
the response will be constructed in the same manner as a normal DNS
matching this view. If this statement is omitted, the default view
is used, and if there is no default view, an error is triggered.
The <span><strong class="command">search</strong></span> statement is equivalent to
the <span><strong class="command">search</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It provides a
list of domains
which are appended to relative names in queries.
The <span><strong class="command">ndots</strong></span> statement is equivalent to
the <span><strong class="command">ndots</strong></span> statement in
<code class="filename">/etc/resolv.conf</code>. It indicates the
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
The <code class="option">lwres-tasks</code> statement specifies the number
of worker threads the lightweight resolver will dedicate to serving
clients. By default the number is the same as the number of CPUs on
the system; this can be overridden using the <code class="option">-n</code>
command line option when starting the server.
The <code class="option">lwres-clients</code> statement specifies
the number of client objects per thread the lightweight
resolver should create to serve client queries.
By default, if the lightweight resolver runs as a part
of <span><strong class="command">named</strong></span>, 256 client objects are
created for each task; if it runs as <span><strong class="command">lwresd</strong></span>,
1024 client objects are created for each thread. The maximum
value is 32768; higher values will be silently ignored and
the maximum will be used instead.
Note that setting too high a value may overconsume
system resources.
The maximum number of client queries that the lightweight
resolver can handle at any one time equals
<code class="option">lwres-tasks</code> times <code class="option">lwres-clients</code>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577611"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
 <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577729"></a><span><strong class="command">masters</strong></span> Statement Definition and
<p><span><strong class="command">masters</strong></span>
 lists allow for a common set of masters to be easily used by
 multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
 or <span><strong class="command">also-notify</strong></span> lists.
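<p>The following <code class="filename">named.conf</code> fragment is an added example, not part of the original manual. It shows named <span><strong class="command">masters</strong></span> lists, one nested inside another, referenced from a slave zone, a stub zone and an <span><strong class="command">also-notify</strong></span> list. The list names, zone names, file paths, addresses (documentation ranges) and the key are constructed placeholders.</p>

```conf
// Constructed example: every name, address, path and the secret is a placeholder.

// TSIG key shared with the listed servers; the secret must be replaced with
// real base64 key material generated for this deployment.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret goes here>";
};

// Primary servers on the default port. Naming a key per address means every
// request sent to that address is TSIG-signed with it.
masters core-masters {
    192.0.2.10   key xfer-key;
    2001:db8::10 key xfer-key;
};

// A list may include another list (the masters_list alternative in the
// grammar) alongside individual addresses with their own port and key.
masters all-masters {
    core-masters;
    198.51.100.20 port 5353 key xfer-key;
};

// Servers that should receive NOTIFY messages; the same statement type is
// reused because also-notify accepts a named masters list.
masters notify-targets {
    203.0.113.30 key xfer-key;
    203.0.113.31 key xfer-key;
};

// Slave zone: transfers are attempted from every server in all-masters.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { all-masters; };
};

// Stub zone sharing the core list, so an address change is made in one place.
zone "example.net" {
    type stub;
    file "stubs/example.net.db";
    masters { core-masters; };
};

// Master zone: the named list is referenced from also-notify.
zone "example.org" {
    type master;
    file "master/example.org.db";
    also-notify { notify-targets; };
};
```

<p>Keeping the addresses and their keys in one named list means a server change or key rotation is edited once rather than in every zone that uses it.</p>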
<div class="titlepage"><div><div><h3 class="title">
<a name="id2577750"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 This is the grammar of the <span><strong class="command">options</strong></span>
 statement in the <code class="filename">named.conf</code> file:
<pre class="programlisting"><span><strong class="command">options</strong></span> {
[<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
[<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
[<span class="optional"> geoip-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
[<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
[<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> cookie-algorithm <em class="replaceable"><code>secret_string</code></em>; </span>]
[<span class="optional"> cookie-secret <em class="replaceable"><code>secret_string</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
<em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> automatic-interface-scan { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
[<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>]
[<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
[<span class="optional"> startup-notify-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
[<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>;
[<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>]
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
(<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
[<span class="optional"> prefetch <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
[<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
} [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
[<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
Usage">the section called “<span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
ignored if <span><strong class="command">named</strong></span> was run using the <code class="option">-X</code>
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note some TLDs are not delegation only (e.g. "DE", "LV",
from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Additionally a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<span><strong class="command">geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">keep-response-order</strong></span></span></dt>
a response contains the names "example.com" and
(i.e., records of type NS, MX, CNAME, etc.) will always
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">startup-notify-rate</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
<a name="fetches-per-zone"></a><span class="term"><span><strong class="command">fetches-per-zone</strong></span></span>
<a name="fetches-per-server"></a><span class="term"><span><strong class="command">fetches-per-server</strong></span></span>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
a zone-signing process, i.e., whether it is still active
<span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
IPv4 address as in IN-ADDR.ARPA.
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
wildcard such as *.example.com.
<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span>
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
<span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
This controls flooding using random.wild.example.com.
<span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
<span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
<span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
With a redirect zone (<span><strong class="command">zone "." { type redirect; };</strong></span>), the
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> nocookie-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
<span><strong class="command">edns-udp-size</strong></span> in <span><strong class="command">options</strong></span>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2592974"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
<a href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
<a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
<a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
<a href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2593477"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2593530"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2593897"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
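[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]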
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2595777"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non-recursive queries (i.e., those with the RD
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
zone example.com {
file "example-external.db";
zone example.com {
Zone-level ACLs (e.g. allow-query, allow-transfer) and
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2602616"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2602632"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2602761"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2602830"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2602867"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2607545"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&nbsp;5.&nbsp;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&nbsp;</td>