Bv9ARM.ch06.html revision bd9a66d553962387bf36ada994e3658fa16f5639
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
04428429c4e689333e3ef8d19a2debeb20d4d15dMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
e999539fb3e45b2617571e0e3ecd651992291701Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
2a40fdc2d34adb8a5c72a748449699666032d461Mark Andrews - purpose with or without fee is hereby granted, provided that the above
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews - copyright notice and this permission notice appear in all copies.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews - PERFORMANCE OF THIS SOFTWARE.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id$ -->
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<title>Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference</title>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter&nbsp;5.&nbsp;The BIND 9 Lightweight Resolver">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<link rel="next" href="Bv9ARM.ch07.html" title="Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<table width="100%" summary="Navigation header">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<tr><th colspan="3" align="center">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>&nbsp;</td>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="titlepage"><div><div><h2 class="title">
3098364bcdd7a719fbafa5fc8d2cc9e90e5a5989Automatic Updater<a name="Bv9ARM.ch06"></a>Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573300">Comment Syntax</a></span></dt>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574165"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574423"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
26a77b80bb7ee886c6fa704348d5e80a011d8811Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574782"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">include</strong></span> Statement Definition and
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574891"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574915"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575009"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575144"><span><strong class="command">logging</strong></span> Statement Definition and
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577350"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577447"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577611"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577729"><span><strong class="command">masters</strong></span> Statement Definition and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577750"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593033"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
80f9a970ae6681c08529ef209eaabbe078c27ca3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593536"><span><strong class="command">trusted-keys</strong></span> Statement Definition
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593589"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593956"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596040"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2599748">Zone File</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601842">Discussion of MX Records</a></span></dt>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602594">Inverse Mapping in IPv4</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602789">Other Zone File Directives</a></span></dt>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2602994"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews of configuration, such as views. <acronym class="acronym">BIND</acronym>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews 9, although more complex configurations should be reviewed to check
ea935c46e8261ea10621e5b038426539fe8a7cc5Mark Andrews if they can be more efficiently implemented using the new features
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews found in <acronym class="acronym">BIND</acronym> 9.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <acronym class="acronym">BIND</acronym> 4 configuration files can be
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews converted to the new format
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews using the shell script
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews file documentation:
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The name of an <code class="varname">address_match_list</code> as
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews defined by the <span><strong class="command">acl</strong></span> statement.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <code class="varname">address_match_list</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A list of one or more
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews or <code class="varname">acl_name</code> elements, see
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews A named list of one or more <code class="varname">ip_addr</code>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews with optional <code class="varname">key_id</code> and/or
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews A <code class="varname">masters_list</code> may include other
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A quoted string which will be used as
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews a DNS name, for example "<code class="literal">my.test.domain</code>".
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews A list of one or more <code class="varname">domain_name</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="varname">dotted_decimal</code>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington One to four integers valued 0 through
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington An IPv4 address with exactly four elements
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in <code class="varname">dotted_decimal</code> notation.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington IPv6 scoped addresses that have ambiguity on their
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington scope zones must be disambiguated by an appropriate
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington zone ID with the percent character (`%') as
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington delimiter. It is strongly recommended to use
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington string zone names rather than numeric identifiers,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in order to be robust against system configuration
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington changes. However, since there is no standard
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington mapping for such names and identifier values,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington currently only interface names as link identifiers
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington are supported, assuming one-to-one mapping between
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington interfaces and links. For example, a link-local
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington address <span><strong class="command">fe80::1</strong></span> on the link
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington attached to the interface <span><strong class="command">ne0</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Note that on most systems link-local addresses
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews always have the ambiguity, and need to be
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews disambiguated.
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews A <code class="varname">number</code> between 0 and 63, used
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews to select a differentiated services code point (DSCP)
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews value for use with outgoing traffic on operating systems
68baa2d193672c482b7ea07ece349e7b1ceb96e6Mark Andrews that support DSCP.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington An IP port <code class="varname">number</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The <code class="varname">number</code> is limited to 0
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington through 65535, with values
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington below 1024 typically restricted to use by processes running
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington In some cases, an asterisk (`*') character can be used as a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington placeholder to
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington select a random high-numbered port.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews An IP network specified as an <code class="varname">ip_addr</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington followed by a slash (`/') and then the number of bits in the
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews Trailing zeros in an <code class="varname">ip_addr</code>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews may be omitted.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington For example, <span><strong class="command">127/8</strong></span> is the
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews network <span><strong class="command">127.0.0.0</strong></span> with
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When specifying a prefix involving an IPv6 scoped address
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews the scope may be omitted. In that case the prefix will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington match packets from any scope.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A <code class="varname">domain_name</code> representing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the name of a shared key, to be used for transaction
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A list of one or more
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington separated by semicolons and ending with a semicolon.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews A non-negative 32-bit integer
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (i.e., a number between 0 and 4294967295, inclusive).
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Its acceptable value might further
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews be limited by the context in which it is used.
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews A quoted string which will be used as
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington A list of an <code class="varname">ip_port</code> or a port
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews A port range is specified in the form of
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews <strong class="userinput"><code>range</code></strong> followed by
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews <code class="varname">port_high</code>, which represents
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews port numbers from <code class="varname">port_low</code> through
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews <code class="varname">port_high</code>, inclusive.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <code class="varname">port_low</code> must not be larger than
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews For example,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <strong class="userinput"><code>range 1024 65535</code></strong> represents
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ports from 1024 through 65535.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews In either case an asterisk (`*') character is not
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews allowed as a valid <code class="varname">ip_port</code>.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews A 64-bit unsigned integer, or the keywords
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <strong class="userinput"><code>unlimited</code></strong> or
2bef3713093349af52ba61eaab07adf3207da873Mark Andrews <strong class="userinput"><code>default</code></strong>.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Integers may take values
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews 0 &lt;= value &lt;= 18446744073709551615, though
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews certain parameters
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews (such as <span><strong class="command">max-journal-size</strong></span>) may
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews use a more limited range within these extremes.
83a810eba60ae87341a2d177ff60d834e26d7a90Mark Andrews In most cases, setting a value to 0 does not
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews literally mean zero; it means "undefined" or
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews "as big as possible", depending on the context.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews See the explanations of particular parameters
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews that use <code class="varname">size_spec</code>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews for details on how they interpret its use.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Numeric values can optionally be followed by a
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews scaling factor:
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews for kilobytes,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews for megabytes, and
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington for gigabytes, which scale by 1024, 1024*1024, and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews 1024*1024*1024 respectively.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="varname">unlimited</code> generally means
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews "as big as possible", and is usually the best
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews way to safely set a very large number.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews uses the limit that was in force when the server was started.
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146Mark Andrews and <strong class="userinput"><code>0</code></strong>.
3a9a66b32adf379e680d18e92428058910880119Mark Andrews One of <strong class="userinput"><code>yes</code></strong>,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <strong class="userinput"><code>passive</code></strong>.
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews are restricted to slave and stub zones.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h4 class="title">
3a9a66b32adf379e680d18e92428058910880119Mark Andrews<a name="id2573131"></a>Syntax</h4></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews [<span class="optional"> address_match_list_element; ... </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
3a9a66b32adf379e680d18e92428058910880119Mark Andrews key key_id | acl_name | { address_match_list } )
3a9a66b32adf379e680d18e92428058910880119Mark Andrews<div class="titlepage"><div><div><h4 class="title">
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews<a name="id2573159"></a>Definition and Usage</h4></div></div></div>
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews Address match lists are primarily used to determine access
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews control for various server operations. They are also used in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington statements. The elements which constitute an address match
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews list can be any of the following:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington a key ID, as defined by the <span><strong class="command">key</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<li>the name of an address match list defined with
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews the <span><strong class="command">acl</strong></span> statement
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<li>a nested address match list enclosed in braces</li>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Elements can be negated with a leading exclamation mark (`!'),
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and the match list names "any", "none", "localhost", and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington "localnets" are predefined. More information on those names
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews can be found in the description of the acl statement.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The addition of the key clause made the name of this syntactic
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews element something of a misnomer, since security keys can be used
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to validate access without regard to a host or network address.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Nonetheless, the term "address match list" is still used
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews throughout the documentation.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews When a given IP address or prefix is compared to an address
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington match list, the comparison takes place in approximately O(1)
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews time. However, key comparisons require that the list of keys
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews be traversed until a matching key is found, and therefore may
7a6ad11e0185a73984410f3252f3c49c3a301dbdBrian Wellington be somewhat slower.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The interpretation of a match depends on whether the list is being
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When used as an access control list, a non-negated match
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington allows access and a negated match denies access. If
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington there is no match, access is denied. The clauses
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">allow-notify</strong></span>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">allow-recursion</strong></span>,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">allow-recursion-on</strong></span>,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">allow-query</strong></span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">allow-query-on</strong></span>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">allow-query-cache</strong></span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">allow-query-cache-on</strong></span>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">allow-transfer</strong></span>,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">allow-update</strong></span>,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">allow-update-forwarding</strong></span>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span><strong class="command">blackhole</strong></span>, and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">keep-response-order</strong></span> all use address match
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews server to refuse queries on any of the machine's
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews addresses which do not match the list.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Order of insertion is significant. If more than one element
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews in an ACL is found to match a given IP address or prefix,
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews preference will be given to the one that came
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson <span class="emphasis"><em>first</em></span> in the ACL definition.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Because of this first-match behavior, an element that
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews defines a subset of another element in the list should
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson come before the broader element, regardless of whether
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews either is negated. For example, in
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the 1.2.3.13 element is completely useless because the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews that problem by having 1.2.3.13 blocked by the negation, but
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews all other 1.2.3.* hosts fall through.
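The first-match rule described above, as an added example (not part of the BIND documentation or ISC's code): a Python sketch that evaluates an address match list the way the text describes and flags elements that can never match because an earlier, broader element hides them. It handles IP addresses and prefixes only; key elements, named ACLs and nested lists are out of scope, and all function names are illustrative.

```python
"""First-match evaluation of a BIND-style address match list (illustrative sketch)."""
import ipaddress


def parse_element(text):
    """Parse one element such as '1.2.3/24' or '! 1.2.3.13' into (negated, network)."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    addr, _, plen = text.partition("/")
    if not plen:
        return negated, ipaddress.ip_network(addr)  # single host: /32 or /128
    if ":" not in addr:
        # The manual writes IPv4 prefixes in short form (1.2.3/24); pad the octets.
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    # Host bits, if any, are masked off in this sketch.
    return negated, ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_list(text):
    """Split 'elem; elem; ...' into parsed elements, keeping the written order."""
    return [parse_element(e) for e in text.split(";") if e.strip()]


def evaluate(acl, address):
    """Return (allowed, index of the deciding element); no match means deny."""
    ip = ipaddress.ip_address(address)
    for index, (negated, net) in enumerate(acl):
        if ip.version == net.version and ip in net:
            return (not negated), index  # first match wins, later elements are ignored
    return False, None


def find_shadowed(acl):
    """Return (later_index, earlier_index) pairs where the later element never matches."""
    shadowed = []
    for j, (_, later) in enumerate(acl):
        for i in range(j):
            earlier = acl[i][1]
            if later.version == earlier.version and later.subnet_of(earlier):
                shadowed.append((j, i))
                break
    return shadowed


# The two orderings discussed in the text.
BROKEN = "1.2.3/24; ! 1.2.3.13;"
FIXED = "! 1.2.3.13; 1.2.3/24"

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        acl = parse_list(text)
        print(name, "1.2.3.13 ->", evaluate(acl, "1.2.3.13"),
              "shadowed:", find_shadowed(acl))
```

Running `find_shadowed` over every ACL in a configuration before a reload catches negations that were placed after the prefix they were meant to carve out.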
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<div class="titlepage"><div><div><h3 class="title">
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews<a name="id2573300"></a>Comment Syntax</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews comments to appear
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington file. To appeal to programmers of all kinds, they can be written
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h4 class="title">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="id2573383"></a>Syntax</h4></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington# and perl</pre>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h4 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2573413"></a>Definition and Usage</h4></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Comments may appear anywhere that whitespace may appear in
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a <acronym class="acronym">BIND</acronym> configuration file.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews C-style comments start with the two characters /* (slash,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington star) and end with */ (star, slash). Because they are completely
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews delimited with these characters, they can be used to comment only
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a portion of a line or to span multiple lines.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews C-style comments cannot be nested. For example, the following
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is not valid because the entire comment ends with the first */:
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<pre class="programlisting">/* This is the start of a comment.
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington This is still part of the comment.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews/* This is an incorrect attempt at nesting a comment. */
53aed64e0f8553762fc0c380ee41cb42f514c7d5Brian Wellington This is no longer in any comment. */</pre>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews C++-style comments start with the two characters // (slash,
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews slash) and continue to the end of the physical line. They cannot
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews be continued across multiple physical lines; to have one logical
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews comment span multiple lines, each line must use the // pair.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews For example:
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<pre class="programlisting">// This is the start of a comment. The next line
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews// is a new comment, even though it is logically
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews// part of the previous comment.</pre>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews Shell-style (or perl-style, if you prefer) comments start
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews with the character <code class="literal">#</code> (number sign)
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews and continue to the end of the
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews physical line, as in C++ comments.
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews For example:
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<pre class="programlisting"># This is the start of a comment. The next line
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews# is a new comment, even though it is logically
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews# part of the previous comment.</pre>
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews You cannot use the semicolon (`;') character
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to start a comment such as you would in a zone file. The
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews semicolon indicates the end of a configuration
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews A <acronym class="acronym">BIND</acronym> 9 configuration consists of
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews statements and comments.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Statements end with a semicolon. Statements and comments are the
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews only elements that can appear without enclosing braces. Many
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington statements contain a block of sub-statements, which are also
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews terminated with a semicolon.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The following statements are supported:
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <p><span><strong class="command">acl</strong></span></p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews defines a named IP address
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington matching list, for access control and other uses.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <p><span><strong class="command">controls</strong></span></p>
73eb75dc212911e4da58a3ce0a4672d3910193ebBrian Wellington declares control channels to be used
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews by the <span><strong class="command">rndc</strong></span> utility.
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews <p><span><strong class="command">include</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington includes a file.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">key</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews specifies key information for use in
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews authentication and authorization using TSIG.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">logging</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington specifies what the server logs, and where
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews the log messages are sent.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">lwres</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews configures <span><strong class="command">named</strong></span> to
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p><span><strong class="command">masters</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews defines a named masters list for
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews inclusion in stub and slave zones'
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">masters</strong></span> or
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <span><strong class="command">also-notify</strong></span> lists.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">options</strong></span></p>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews controls global server configuration
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington options and sets defaults for other statements.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <p><span><strong class="command">server</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington sets certain configuration options on
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a per-server basis.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <p><span><strong class="command">statistics-channels</strong></span></p>
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews declares communication channels to get access to
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews <span><strong class="command">named</strong></span> statistics.
832cebe0cbc843785897f1c124ae54958028c4e7Mark Andrews <p><span><strong class="command">trusted-keys</strong></span></p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews defines trusted DNSSEC keys.
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews <p><span><strong class="command">managed-keys</strong></span></p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington lists DNSSEC keys to be kept up to date
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews using RFC 5011 trust anchor maintenance.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">view</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews defines a view.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <p><span><strong class="command">zone</strong></span></p>
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews defines a zone.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span><strong class="command">logging</strong></span> and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">options</strong></span> statements may only occur once per
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews configuration.
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<div class="titlepage"><div><div><h3 class="title">
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<a name="id2574165"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
0ca8fddd5b5e26d8a05f0936fc4b2666a025b9c0Mark Andrews address_match_list
};</pre>
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<div class="titlepage"><div><div><h3 class="title">
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and Usage</h3></div></div></div>
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews The <span><strong class="command">acl</strong></span> statement assigns a symbolic
8fca573ba41a1669fff64f234275e956551eb6e5Mark Andrews name to an address match list. It gets its name from a primary
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews use of address match lists: Access Control Lists (ACLs).
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews The following ACLs are built-in:
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p><span><strong class="command">any</strong></span></p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews Matches all hosts.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p><span><strong class="command">none</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Matches no hosts.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">localhost</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Matches the IPv4 and IPv6 addresses of all network
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews interfaces on the system. When addresses are
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews added or removed, the <span><strong class="command">localhost</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ACL element is updated to reflect the changes.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <p><span><strong class="command">localnets</strong></span></p>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Matches any host on an IPv4 or IPv6 network
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews for which the system has an interface.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews When addresses are added or removed,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the <span><strong class="command">localnets</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ACL element is updated to reflect the changes.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Some systems do not provide a way to determine the prefix lengths of
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews local IPv6 addresses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In such a case, <span><strong class="command">localnets</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews only matches the local
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574423"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">controls</strong></span> {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ inet ( ip_addr | * ) [ port ip_port ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews allow { <em class="replaceable"><code> address_match_list </code></em> }
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews keys { <em class="replaceable"><code>key_list</code></em> }; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ inet ...; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews keys { <em class="replaceable"><code>key_list</code></em> }; ]
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews [ unix ...; ]
};</pre>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews The <span><strong class="command">controls</strong></span> statement declares control
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews channels to be used by system administrators to control the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews operation of the name server. These control channels are
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews used by the <span><strong class="command">rndc</strong></span> utility to send
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews commands to and retrieve non-DNS results from a name server.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews An <span><strong class="command">inet</strong></span> control channel is a TCP socket
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews listening at the specified <span><strong class="command">ip_port</strong></span> on the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews interpreted as the IPv4 wildcard address; connections will be
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews accepted on any of the system's IPv4 addresses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To listen on the IPv6 wildcard address,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If you will only use <span><strong class="command">rndc</strong></span> on the local host,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews using the loopback address (<code class="literal">127.0.0.1</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews or <code class="literal">::1</code>) is recommended for maximum security.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If no port is specified, port 953 is used. The asterisk
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The ability to issue commands over the control channel is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews restricted by the <span><strong class="command">allow</strong></span> and
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <span><strong class="command">keys</strong></span> clauses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Connections to the control channel are permitted based on the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">address_match_list</strong></span>. This is for simple
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews IP address based filtering only; any <span><strong class="command">key_id</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews elements of the <span><strong class="command">address_match_list</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews are ignored.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews socket listening at the specified path in the file system.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Note that on some platforms (SunOS and Solaris) the permissions
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews because the permissions on the socket itself are ignored.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The primary authorization mechanism of the command
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews channel is the <span><strong class="command">key_list</strong></span>, which
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews contains a list of <span><strong class="command">key_id</strong></span>s.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is authorized to execute commands over the control channel.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> (in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>)
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews for information about configuring keys in <span><strong class="command">rndc</strong></span>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If no <span><strong class="command">controls</strong></span> statement is present,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">named</strong></span> will set up a default
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews control channel listening on the loopback address 127.0.0.1
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and its IPv6 counterpart ::1.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews In this case, and also when the <span><strong class="command">controls</strong></span> statement
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is present but does not have a <span><strong class="command">keys</strong></span> clause,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">named</strong></span> will attempt to load the command channel key
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews from the file <code class="filename">rndc.key</code> in
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews was specified as when <acronym class="acronym">BIND</acronym> was built).
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To create a <code class="filename">rndc.key</code> file, run
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <strong class="userinput"><code>rndc-confgen -a</code></strong>.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The <code class="filename">rndc.key</code> feature was created to
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews which did not have digital signatures on its command channel
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews and still have <span><strong class="command">rndc</strong></span> work the same way
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews Since the <code class="filename">rndc.key</code> feature
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews is only intended to allow the backward-compatible usage of
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <acronym class="acronym">BIND</acronym> 8 configuration files, this
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews feature does not
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews have a high degree of configurability. You cannot easily change
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews the key name or the size of the secret, so you should make a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">rndc.conf</code> with your own key if you
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews wish to change
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews those things. The <code class="filename">rndc.key</code> file
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews also has its
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews permissions set such that only the owner of the file (the user that
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">named</strong></span> is running as) can access it.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews If you desire greater flexibility in allowing other users to access
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">rndc</strong></span> commands, then you need to create a
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <code class="filename">rndc.conf</code> file and make it group
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews readable by a group
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews that contains the users who should have access.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews To disable the command channel, use an empty
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">controls</strong></span> statement:
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews <span><strong class="command">controls { };</strong></span>.
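The comment rules and the `controls` semantics described above, combined in one added example (not ISC code): a Python sketch that strips the three comment styles from a `named.conf` text and then reports, for each `inet` control channel, the conditions the manual calls out. It assumes a flat `allow` list without nested braces and does not audit `unix` channels; the finding labels, function names and the sample configuration are constructed for illustration.

```python
"""Audit the controls statement of a named.conf text (illustrative sketch)."""
import ipaddress
import re

# Quoted strings are matched first so that '//' or '#' inside them survives.
_COMMENT_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_INET_RE = re.compile(
    r'inet\s+(?P<addr>\S+)(?:\s+port\s+(?P<port>\d+))?'
    r'\s+allow\s*\{(?P<allow>[^{}]*)\}'
    r'(?:\s*keys\s*\{(?P<keys>[^{}]*)\})?\s*;')


def strip_comments(text):
    """Remove /* */, // and # comments; a /* */ comment ends at the first */."""
    return _COMMENT_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def controls_body(conf):
    """Return the text inside controls { ... }, or None if the statement is absent."""
    m = re.search(r'\bcontrols\s*\{', conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for pos in range(start, len(conf)):
        if conf[pos] == "{":
            depth += 1
        elif conf[pos] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:pos]
    raise ValueError("unterminated controls statement")


def audit_controls(conf_text):
    """Return [(channel, [finding, ...]), ...] for the control channels in conf_text."""
    body = controls_body(strip_comments(conf_text))
    if body is None:
        # No statement: named listens on 127.0.0.1 and ::1 and loads rndc.key.
        return [("default", ["keys-from-rndc.key"])]
    if not body.strip():
        return [("disabled", [])]  # controls { }; turns the command channel off
    report = []
    for m in _INET_RE.finditer(body):
        addr, port = m["addr"], int(m["port"] or 953)  # 953 is the default port
        findings = []
        if addr == "*" or ipaddress.ip_address(addr).is_unspecified:
            findings.append("wildcard-listen")      # every local address accepts rndc
        elif not ipaddress.ip_address(addr).is_loopback:
            findings.append("non-loopback-listen")  # manual recommends loopback
        allow = [e.strip() for e in m["allow"].split(";") if e.strip()]
        if "any" in allow:
            findings.append("allow-any")            # no IP filtering at all
        if any(e.lstrip("! ").startswith("key ") for e in allow):
            findings.append("key-in-allow-ignored")  # key_id elements are ignored here
        if m["keys"] is None:
            findings.append("keys-from-rndc.key")   # falls back to the rndc.key file
        report.append((f"{addr}:{port}", findings))
    return report


# Constructed sample configuration; the key name and secret are placeholders.
SAMPLE = '''
/* rndc access: constructed sample, not from the manual */
key "ops-key" { algorithm hmac-sha256; secret "c2VjcmV0//Zm9vYmFy"; };  // shared secret
controls {
    inet * port 9953 allow { any; key ops-key; } keys { ops-key; };  # remote admin
    inet 127.0.0.1 allow { localhost; };
};
'''

if __name__ == "__main__":
    for channel, findings in audit_controls(SAMPLE):
        print(channel, findings or "ok")
```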
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574782"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574800"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews The <span><strong class="command">include</strong></span> statement inserts the
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews specified file at the point where the <span><strong class="command">include</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statement is encountered. The <span><strong class="command">include</strong></span>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews statement facilitates the administration of configuration files
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews by permitting the reading or writing of some things but not
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews others. For example, the statement could include private keys
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews that are readable only by the name server.
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<div class="titlepage"><div><div><h3 class="title">
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<a name="id2574891"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
4f087942583014b241adca1bc78c6db89ed96e94Mark Andrews algorithm <em class="replaceable"><code>algorithm_id</code></em>;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington secret <em class="replaceable"><code>secret_string</code></em>;
};</pre>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews<div class="titlepage"><div><div><h3 class="title">
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<a name="id2574915"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews The <span><strong class="command">key</strong></span> statement defines a shared
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews or the command channel
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Usage”</a>).
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews The <span><strong class="command">key</strong></span> statement can occur at the top level
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews of the configuration file or inside a <span><strong class="command">view</strong></span>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews statement. Keys defined in top-level <span><strong class="command">key</strong></span>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews statements can be used in all views. Keys intended for use in
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews a <span><strong class="command">controls</strong></span> statement
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Usage”</a>)
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews must be defined at the top level.
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews The <em class="replaceable"><code>key_id</code></em>, also known as the
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews key name, is a domain name uniquely identifying the key. It can
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews be used in a <span><strong class="command">server</strong></span>
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews statement to cause requests sent to that
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews server to be signed with this key, or in address match lists to
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews verify that incoming requests have been signed with a key
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews matching this name, algorithm, and secret.
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews The <em class="replaceable"><code>algorithm_id</code></em> is a string
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews that specifies a security/authentication algorithm. The
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews <span><strong class="command">named</strong></span> server supports <code class="literal">hmac-md5</code>,
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
959fb01017fa83578e7c8776ed3baba3076a2409Mark Andrews <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson and <code class="literal">hmac-sha512</code> TSIG authentication.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews Truncated hashes are supported by appending the minimum
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson number of required bits preceded by a dash, e.g.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <em class="replaceable"><code>secret_string</code></em> is the secret
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson to be used by the algorithm, and is treated as a base-64
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson encoded string.
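<p>The following is an added example, not part of the BIND 9 ARM or ISC's code: a small offline checker that applies the rules above to a <strong>key</strong> statement (algorithm name from the supported list, optional truncation suffix no longer than the digest, secret that decodes as base-64). The function names, the key name <code>transfer.example.</code>, the sample statements and the short-secret warning are assumptions of this example; the pattern expects the clauses in the order the grammar lists them.</p>

```python
import base64
import binascii
import re
import secrets

# Digest length in bits of each algorithm the key statement accepts.
DIGEST_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
    "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512,
}

# One key statement, clauses in grammar order (algorithm, then secret).
KEY_RE = re.compile(
    r'key\s+"?(?P<key_id>[^\s"{;]+)"?\s*\{'
    r'\s*algorithm\s+"?(?P<algorithm_id>[^\s";]+)"?\s*;'
    r'\s*secret\s+"?(?P<secret>[^\s";]*)"?\s*;'
    r'\s*\}\s*;'
)


def parse_algorithm_id(algorithm_id):
    """Return (base_name, minimum_bits); a '-N' suffix requests truncation."""
    for base in sorted(DIGEST_BITS, key=len, reverse=True):
        if algorithm_id == base:
            return base, DIGEST_BITS[base]
        suffix = algorithm_id[len(base) + 1:]
        if algorithm_id.startswith(base + "-") and suffix.isascii() and suffix.isdigit():
            return base, int(suffix)
    raise ValueError(f"unsupported algorithm_id: {algorithm_id!r}")


def lint_key_statement(text):
    """Return a list of findings for one key statement; empty means it passed."""
    m = KEY_RE.search(text)
    if m is None:
        return ["not a key statement in the documented form"]
    try:
        base, min_bits = parse_algorithm_id(m["algorithm_id"])
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not 0 < min_bits <= DIGEST_BITS[base]:
        findings.append(
            f"truncation to {min_bits} bits is outside 1..{DIGEST_BITS[base]} for {base}")
    try:
        raw = base64.b64decode(m["secret"], validate=True)
    except binascii.Error:
        findings.append("secret is not valid base-64")
        return findings
    # Policy of this example (RFC 2104 guidance): key at least as long as the digest.
    if len(raw) * 8 < DIGEST_BITS[base]:
        findings.append(
            f"secret is {len(raw) * 8} bits, shorter than the {DIGEST_BITS[base]}-bit digest")
    return findings


def render_key_statement(key_id, algorithm_id, secret_string):
    """Format a key statement as it would appear in the configuration file."""
    return (f'key "{key_id}" {{\n    algorithm {algorithm_id};\n'
            f'    secret "{secret_string}";\n}};\n')


def new_key_statement(key_id, algorithm_id="hmac-sha256"):
    """Generate a fresh random secret sized to the digest and render the statement."""
    base, _ = parse_algorithm_id(algorithm_id)
    raw = secrets.token_bytes(DIGEST_BITS[base] // 8)
    return render_key_statement(key_id, algorithm_id, base64.b64encode(raw).decode("ascii"))


def _b64(n):
    """Constructed, non-secret test material: n predictable bytes, base-64 encoded."""
    return base64.b64encode(bytes(range(n))).decode("ascii")


# Constructed sample statements (not taken from any real configuration).
SAMPLES = {
    "ok_truncated": render_key_statement("transfer.example.", "hmac-sha256-128", _b64(32)),
    "short_secret": render_key_statement("transfer.example.", "hmac-sha512", _b64(16)),
    "bad_base64": render_key_statement("transfer.example.", "hmac-sha256", "not-base64!"),
    "over_truncated": render_key_statement("transfer.example.", "hmac-sha1-200", _b64(20)),
    "unknown_algorithm": render_key_statement("transfer.example.", "hmac-sha3-256", _b64(32)),
}

if __name__ == "__main__":
    for name, statement in SAMPLES.items():
        print(name, lint_key_statement(statement) or "ok")
    print(new_key_statement("transfer.example."))
```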
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575009"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
         [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
         [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
       | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
       | <span><strong class="command">stderr</strong></span>
       | <span><strong class="command">null</strong></span> );
     [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
     [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
     [ <span><strong class="command">buffered</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
   }; ]
   [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
   }; ]
   ...
};
</pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2575144"></a><span><strong class="command">logging</strong></span> Statement Definition and
 Usage</h3></div></div></div>
<p>
 The <span><strong class="command">logging</strong></span> statement configures a
 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
 associates output methods, format options and severity levels with
 a name that can then be used with the <span><strong class="command">category</strong></span> phrase
 to select how various classes of messages are logged.
</p>
<p>
 Only one <span><strong class="command">logging</strong></span> statement is used to
 define
 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
 the logging configuration will be:
</p>
<pre class="programlisting">logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};
</pre>
<p>
 If <span><strong class="command">named</strong></span> is started with the
 <code class="option">-L</code> option, it logs to the specified file
 at startup, instead of using syslog. In this case the logging
 configuration will be:
</p>
<pre class="programlisting">logging {
     category default { default_logfile; default_debug; };
     category unmatched { null; };
};
</pre>
<p>
 In <acronym class="acronym">BIND</acronym> 9, the logging configuration
 is only established when
 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
 established as soon as the <span><strong class="command">logging</strong></span>
 statement
 was parsed. When the server is starting up, all logging messages
 regarding syntax errors in the configuration file go to the default
 channels, or to standard error if the <code class="option">-g</code> option
 was specified.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="id2575209"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
<p>
 All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
 you can make as many of them as you want.
</p>
<p>
 Every channel definition must include a destination clause that
 says whether messages selected for the channel go to a file, to a
 particular syslog facility, to the standard error stream, or are
 discarded. It can optionally also limit the message severity level
 that will be accepted by the channel (the default is
 <span><strong class="command">info</strong></span>), and whether to include a
 <span><strong class="command">named</strong></span>-generated time stamp, the
 category name
 and/or severity level (the default is not to include any).
</p>
<p>
 The <span><strong class="command">null</strong></span> destination clause
 causes all messages sent to the channel to be discarded;
 in that case, other options for the channel are meaningless.
</p>
<p>
 The <span><strong class="command">file</strong></span> destination clause directs
 the channel
 to a disk file. It can include limitations
 both on how large the file is allowed to become, and how many
 versions
 of the file will be saved each time the file is opened.
</p>
<p>
 If you use the <span><strong class="command">versions</strong></span> log file
 option, then
 <span><strong class="command">named</strong></span> will retain that many backup
 versions of the file by
 renaming them when opening. For example, if you choose to keep
 three old versions
 of the file <code class="filename">lamers.log</code>, then just
 before it is opened
 <code class="filename">lamers.log.1</code> is renamed to
 <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
 renamed to <code class="filename">lamers.log.0</code>.
 You can say <span><strong class="command">versions unlimited</strong></span> to
 not limit
 the number of versions.
 If a <span><strong class="command">size</strong></span> option is associated with
 the log file,
 then renaming is only done when the file being opened exceeds the
 indicated size. No backup versions are kept by default; any
 existing
 log file is simply appended.
</p>
<p>
 The <span><strong class="command">size</strong></span> option for files is used
 to limit log
 growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
 stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
 associated with it. If backup versions are kept, the files are
 rolled as
 described above and a new one begun. If there is no
 <span><strong class="command">versions</strong></span> option, no more data will
 be written to the log
 until some out-of-band mechanism removes or truncates the log to
 less than the
 maximum size. The default behavior is not to limit the size of
 the file.
</p>
<p>
 Example usage of the <span><strong class="command">size</strong></span> and
 <span><strong class="command">versions</strong></span> options:
</p>
<pre class="programlisting">channel an_example_channel {
    file "example.log" versions 3 size 20m;
    print-time yes;
    print-category yes;
};
</pre>
<p>
 The <span><strong class="command">syslog</strong></span> destination clause
 directs the
 channel to the system log. Its argument is a
 syslog facility as described in the <span><strong class="command">syslog</strong></span> man
 page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
 <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
 <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
 <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
 <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
 <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
 <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
 <span><strong class="command">local7</strong></span>; however, not all facilities
 are supported on
 all operating systems.
 How <span><strong class="command">syslog</strong></span> will handle messages
 sent to
 this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
 page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
 only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
 then this clause is silently ignored.
</p>
<p>
 On Windows machines syslog messages are directed to the EventViewer.
</p>
<p>
 The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
 "priorities", except that it can also be used if you are writing
 straight to a file rather than using <span><strong class="command">syslog</strong></span>.
 Messages which are not at least of the severity level given will
 not be selected for the channel; messages of higher severity
 will be accepted.
</p>
<p>
 If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
 will also determine what eventually passes through. For example,
 defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
 only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
 cause messages of severity <span><strong class="command">info</strong></span> and
 <span><strong class="command">notice</strong></span> to
 be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
 messages of only <span><strong class="command">warning</strong></span> or higher,
 then <span><strong class="command">syslogd</strong></span> would
 print all messages it received from the channel.
</p>
<p>
 The <span><strong class="command">stderr</strong></span> destination clause
 directs the
 channel to the server's standard error stream. This is intended
 for
 use when the server is running as a foreground process, for
 example
 when debugging a configuration.
</p>
<p>
 The server can supply extensive debugging information when
 it is in debugging mode. If the server's global debug level is
 greater
 than zero, then debugging mode will be active. The global debug
 level is set either by starting the <span><strong class="command">named</strong></span> server
 with the <code class="option">-d</code> flag followed by a positive integer,
 or by running <span><strong class="command">rndc trace</strong></span>.
 The global debug level
 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc notrace</strong></span>. All debugging messages in the server have a debug
 level, and higher debug levels give more detailed output. Channels
 that specify a specific debug severity, for example:
</p>
<pre class="programlisting">channel specific_debug_level {
    file "foo";
    severity debug 3;
};
</pre>
<p>
 will get debugging output of level 3 or less any time the
 server is in debugging mode, regardless of the global debugging
 level. Channels with <span><strong class="command">dynamic</strong></span>
 severity use the
 server's global debug level to determine what messages to print.
</p>
<p>
 If <span><strong class="command">print-time</strong></span> has been turned on,
 the date and time will be logged. <span><strong class="command">print-time</strong></span> may
 be specified for a <span><strong class="command">syslog</strong></span> channel,
 but is usually
 pointless since <span><strong class="command">syslog</strong></span> also logs
 the date and
 time. If <span><strong class="command">print-category</strong></span> is
 requested, then the
 category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
 on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
 be used in any combination, and will always be printed in the
 following
 order: time, category, severity. Here is an example where all
 three <span><strong class="command">print-</strong></span> options
 are on:
</p>
<p>
 <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
</p>
<p>
 If <span><strong class="command">buffered</strong></span> has been turned on, the output
 to files will not be flushed after each log entry. By default
 all log messages are flushed.
</p>
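<p>The following is an added example, not part of the BIND 9 ARM or ISC's code: a parser for channel output under any combination of the three <strong>print-</strong> options, plus the <strong>severity</strong> selection rule described above, for use when reviewing log files offline. It assumes each enabled field is written as in the sample line above (category and severity each followed by a colon and a space) and that debug messages carry their level as <code>debug N</code>; all function names and every sample line except the first are constructed for the example.</p>

```python
import re
from datetime import datetime

# Severity names from the logging grammar, least to most severe.
SEVERITY_ORDER = ["debug", "info", "notice", "warning", "error", "critical"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Field patterns, in the fixed output order: time, category, severity.
_TIME = r"(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
_CATEGORY = r"(?P<category>[a-z][a-z0-9-]*): "
_SEVERITY = r"(?P<severity>" + "|".join(SEVERITY_ORDER) + r")(?: (?P<level>\d+))?: "


def line_pattern(print_time=True, print_category=True, print_severity=True):
    """Build the regex for a channel with the given print- options turned on."""
    parts = []
    if print_time:
        parts.append(_TIME)
    if print_category:
        parts.append(_CATEGORY)
    if print_severity:
        parts.append(_SEVERITY)
    return re.compile("".join(parts) + r"(?P<message>.*)")


def parse_line(line, **print_options):
    """Parse one log line into a dict, or return None if it does not fit the channel format."""
    m = line_pattern(**print_options).fullmatch(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    if rec.get("time"):
        rec["time"] = datetime.strptime(rec["time"], "%d-%b-%Y %H:%M:%S.%f")
    if rec.get("level") is not None:
        rec["level"] = int(rec["level"])
    return rec


def selected_by(record, severity, debug_level=1):
    """Apply a channel's severity clause: at least `severity`, or debug up to `debug_level`."""
    if record["severity"] != "debug":
        return RANK[record["severity"]] >= RANK[severity]
    if severity != "debug":
        return False
    # Assumption of this example: a debug line without a number is level 1.
    level = 1 if record["level"] is None else record["level"]
    return level <= debug_level


def select_category(log_text, category, severity, debug_level=1):
    """Return parsed records of one category that a channel with this severity would accept."""
    selected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["category"] == category and selected_by(rec, severity, debug_level):
            selected.append(rec)
    return selected


# First line is the sample from the text above; the rest are constructed for this example.
SAMPLE_LOG = """\
28-Feb-2000 15:05:32.863 general: notice: running
28-Feb-2000 15:06:01.120 security: info: client 192.0.2.10#53124: request denied (constructed sample)
28-Feb-2000 15:06:02.004 security: error: client 198.51.100.7#40211: request denied (constructed sample)
28-Feb-2000 15:06:02.500 resolver: debug 3: constructed debug message
this line was not written by the channel
"""

if __name__ == "__main__":
    for rec in select_category(SAMPLE_LOG, "security", "warning"):
        print(rec["time"].isoformat(), rec["severity"], rec["message"])
```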
<p>
 There are four predefined channels that are used for
 <span><strong class="command">named</strong></span>'s default logging as follows.
 If <span><strong class="command">named</strong></span> is started with the
 <code class="option">-L</code> option then a
 fifth channel <span><strong class="command">default_logfile</strong></span> is added.
 How they are
 used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
</p>
<pre class="programlisting">channel default_syslog {
    // send to syslog's daemon facility
    syslog daemon;
    // only send priority info and higher
    severity info;
};

channel default_debug {
    // write to named.run in the working directory
    // Note: stderr is used instead of "named.run" if
    // the server is started with the '-g' option.
    file "named.run";
    // log at the server's current debug level
    severity dynamic;
};

channel default_stderr {
    // writes to stderr
    stderr;
    // only send priority info and higher
    severity info;
};

channel null {
    // toss anything sent to this channel
    null;
};

channel default_logfile {
    // this channel is only present if named is
    // started with the -L option, whose argument
    // provides the file name
    file "...";
    // log at the server's current debug level
    severity dynamic;
};
</pre>
<p>
 The <span><strong class="command">default_debug</strong></span> channel has the
 special
 property that it only produces output when the server's debug
 level is
 nonzero. It normally writes to a file called <code class="filename">named.run</code>
 in the server's working directory.
</p>
<p>
 For security reasons, when the <code class="option">-u</code>
 command line option is used, the <code class="filename">named.run</code> file
 is created only after <span><strong class="command">named</strong></span> has
 changed to the
 new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
 starting up and still running as root is discarded. If you need
 to capture this output, you must run the server with the <code class="option">-L</code>
 option to specify a default logfile, or the <code class="option">-g</code>
 option to log to standard error which you can redirect to a file.
</p>
<p>
 Once a channel is defined, it cannot be redefined. Thus you
 cannot alter the built-in channels directly, but you can modify
 the default logging by pointing categories at channels you have
 defined.
</p>
<div class="titlepage"><div><div><h4 class="title">
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
<p>
 There are many categories, so you can send the logs you want
 to see wherever you want, without seeing logs you don't want. If
 you don't specify a list of channels for a category, then log
 messages
 in that category will be sent to the <span><strong class="command">default</strong></span> category
 instead. If you don't specify a default category, the following
 "default default" is used:
</p>
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
<p>
 If you start <span><strong class="command">named</strong></span> with the
 <code class="option">-L</code> option then the default category is:
</p>
<pre class="programlisting">category default { default_logfile; default_debug; };
</pre>
<p>
 As an example, let's say you want to log security events to
 a file, but you also want to keep the default logging behavior. You'd
 specify the following:
</p>
<pre class="programlisting">channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security {
    my_security_channel;
    default_syslog;
    default_debug;
};
</pre>
<p>
 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
</p>
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
<p>
 Following are the available categories and brief descriptions
 of the types of log information they contain. More
 categories may be added in future <acronym class="acronym">BIND</acronym> releases.
</p>
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <p><span><strong class="command">default</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The default category defines the logging
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson options for those categories where no specific
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews configuration has been
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <p><span><strong class="command">general</strong></span></p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews The catch-all. Many things still aren't
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews classified into categories, and they all end up here.
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews <p><span><strong class="command">database</strong></span></p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Messages relating to the databases used
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews internally by the name server to store zone and cache
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <p><span><strong class="command">security</strong></span></p>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews Approval and denial of requests.
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews <p><span><strong class="command">config</strong></span></p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews Configuration file parsing and processing.
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews <p><span><strong class="command">resolver</strong></span></p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews DNS resolution, such as the recursive
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews lookups performed on behalf of clients by a caching name
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <p><span><strong class="command">xfer-in</strong></span></p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews Zone transfers the server is receiving.
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews <p><span><strong class="command">xfer-out</strong></span></p>
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews Zone transfers the server is sending.
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews <p><span><strong class="command">notify</strong></span></p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The NOTIFY protocol.
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson <p><span><strong class="command">client</strong></span></p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews Processing of client requests.
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews <p><span><strong class="command">unmatched</strong></span></p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews Messages that <span><strong class="command">named</strong></span> was unable to determine the
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews class of or for which there was no matching <span><strong class="command">view</strong></span>.
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews This category is best sent to a file or stderr; by
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews default it is sent to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews the <span><strong class="command">null</strong></span> channel.
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews <p><span><strong class="command">network</strong></span></p>
94da7d97aecac6e3edb92aafa6b2bc8e80404e11Mark Andrews Network operations.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p><span><strong class="command">update</strong></span></p>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews Dynamic updates.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <p><span><strong class="command">update-security</strong></span></p>
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews Approval and denial of update requests.
f55369d776907119cd8699a4119d9c80daa7cae4Mark Andrews <p><span><strong class="command">queries</strong></span></p>
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews Specify where queries should be logged to.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews At startup, specifying the category <span><strong class="command">queries</strong></span> will also
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews enable query logging unless <span><strong class="command">querylog</strong></span> option has been
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews The query log entry reports the client's IP
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews address and port number, and the query name,
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews class and type. Next it reports whether the
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews Recursion Desired flag was set (+ if set, -
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews if not set), if the query was signed (S),
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews EDNS was in use along with the EDNS version
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews number (E(#)), if TCP was used (T), if DO
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews (DNSSEC Ok) was set (D), if CD (Checking
70232e6b444994979d8bab60bc9a8656ffd861e9Mark Andrews Disabled) was set (C), if a valid DNS Server
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews COOKIE was received (V), or if a DNS COOKIE
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews option without a valid Server COOKIE was
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5Mark Andrews present (K). After this the destination
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews address the query was sent to is reported.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
10640b2e3efc7bc8034108136d7487f7407fbf37Andreas Gustafsson (The first part of this log message, showing the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews repeated in all subsequent log messages related
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews to the same query.)
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <p><span><strong class="command">query-errors</strong></span></p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Information about queries that resulted in some
8112eda1404b589fae1605f4c6a905c588904b75Mark Andrews <p><span><strong class="command">dispatch</strong></span></p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Dispatching of incoming packets to the
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews server modules where they are to be processed.
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews <p><span><strong class="command">dnssec</strong></span></p>
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews DNSSEC and TSIG protocol processing.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <p><span><strong class="command">lame-servers</strong></span></p>
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Lame servers. These are misconfigurations
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews in remote servers, discovered by BIND 9 when trying to
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews query those servers during resolution.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <p><span><strong class="command">delegation-only</strong></span></p>
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Delegation only. Logs queries that have been
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews forced to NXDOMAIN as the result of a
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews delegation-only zone or a
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <span><strong class="command">delegation-only</strong></span> in a
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews forward, hint or stub zone declaration.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <p><span><strong class="command">edns-disabled</strong></span></p>
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Log queries that have been forced to use plain
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews DNS due to timeouts. This is often due to
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews the remote servers not being RFC 1034 compliant
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews (not always returning FORMERR or similar to
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews EDNS queries and other extensions to the DNS
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews when they are not understood). In other words, this is
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews targeted at servers that fail to respond to
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews DNS queries that they don't understand.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews Note: the log message can also be due to
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews packet loss. Before reporting servers for
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews non-RFC 1034 compliance they should be re-tested
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews to determine the nature of the non-compliance.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews This testing should prevent or reduce the
ea935c46e8261ea10621e5b038426539fe8a7cc5Mark Andrews number of false-positive reports.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Note: eventually <span><strong class="command">named</strong></span> will have to stop
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews treating such timeouts as due to RFC 1034 non
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews compliance and start treating it as plain
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews packet loss. Falsely classifying packet
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews loss as due to RFC 1034 non compliance impacts
ffa5575495e2cc1681ac8cfd42842b42af6997a6Mark Andrews on DNSSEC validation which requires EDNS for
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews the DNSSEC records to be returned.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <p><span><strong class="command">RPZ</strong></span></p>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews Information about errors in response policy zone files,
d3a3e690ab1f87fa02b3fa77be5ddea5c1fe0cd4Mark Andrews rewritten responses, and at the highest
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews <span><strong class="command">debug</strong></span> levels, mere rewriting
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <p><span><strong class="command">rate-limit</strong></span></p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The start, periodic, and final notices of the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews rate limiting of a stream of responses are logged at
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <span><strong class="command">info</strong></span> severity in this category.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews These messages include a hash value of the domain name
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews of the response and the name itself,
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews except when there is insufficient memory to record
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews the name for the final notice
52599ad4b7285da0c7f40f96392d5eddef1a6cc6Mark Andrews The final notice is normally delayed until about one
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews minute after rate limiting stops.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews A lack of memory can hurry the final notice,
412c80a1e63b34c589a36ee93800850ae9248659Mark Andrews in which case it starts with an asterisk (*).
5147281cb8e25c599d759dfa65fdb6f9125efefbMark Andrews Various internal events are logged at debug 1 level
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews Rate limiting of individual requests
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews is logged in the <span><strong class="command">query-errors</strong></span> category.
e0a0c9fbbdcc67415eef6dc381434b25df7cd14bMark Andrews <p><span><strong class="command">cname</strong></span></p>
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews Logs nameservers that are skipped due to them being
ef67e6d8fa86d98a2c0defc43b624434324d9ce7Mark Andrews a CNAME rather than A / AAAA records.
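The following Python decoder is an added example, not part of the BIND documentation or code. It parses the query log entry format described under the queries category above and expands the flag string into named fields. The first two sample lines are the page's own; the third line and the parenthesised trailing destination address are constructed assumptions, as is the source_unverified helper.

```python
import re
from typing import Optional

# Layout described in the text:
#   client <addr>#<port> (<name>): query: <qname> <class> <type> <flags>
# Assumption: the destination address, when present, follows the flags as
# " (<address>)". The page's own samples do not show that field.
QUERY_RE = re.compile(
    r"client (?P<client_addr>\S+)#(?P<client_port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)(?: \((?P<destination>[^)]+)\))?\s*$"
)

# One token per flag; "E" may carry the EDNS version as "E(<n>)".
FLAG_TOKEN_RE = re.compile(r"E(?:\((\d+)\))?|[STDCVK]")
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}


def decode_flags(flags: str) -> dict:
    """Expand a flag string such as '+SE' or '-E(0)DK' into named fields."""
    decoded = {name: False for name in FLAG_NAMES.values()}
    decoded.update(recursion_desired=flags[0] == "+", edns=False,
                   edns_version=None, unknown="")
    pos = 1
    while pos < len(flags):
        token = FLAG_TOKEN_RE.match(flags, pos)
        if token is None:
            # Keep characters this decoder does not know instead of dropping them.
            decoded["unknown"] += flags[pos]
            pos += 1
            continue
        if token.group(0).startswith("E"):
            decoded["edns"] = True
            if token.group(1) is not None:
                decoded["edns_version"] = int(token.group(1))
        else:
            decoded[FLAG_NAMES[token.group(0)]] = True
        pos = token.end()
    return decoded


def parse_query_line(line: str) -> Optional[dict]:
    """Return the decoded entry, or None if the line is not a query log entry."""
    match = QUERY_RE.search(line)  # search() tolerates a timestamp/category prefix
    if match is None:
        return None
    entry = match.groupdict()
    entry["client_port"] = int(entry["client_port"])
    entry.update(decode_flags(entry.pop("flags")))
    return entry


def source_unverified(entry: dict) -> bool:
    """Added interpretation, not stated on the page: a query that arrived
    without TCP, without a valid Server COOKIE and without a signature gives
    no evidence that the logged client address is the real sender."""
    return not (entry["tcp"] or entry["valid_server_cookie"] or entry["signed"])


SAMPLE_LINES = [
    # The two sample entries shown on the page.
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    # Constructed sample: EDNS version 0, DO set, cookie without valid Server COOKIE.
    "client 192.0.2.10#40000 (example.org): query: example.org IN DNSKEY -E(0)DK (192.0.2.53)",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_query_line(sample)
        print(parsed["client_addr"], parsed["qname"], parsed["qtype"],
              "unverified-source" if source_unverified(parsed) else "verified-source")
```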
78b7d41deb6a6db28696e83260dbd1ccfe6b96faMark Andrews<div class="titlepage"><div><div><h4 class="title">
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews<a name="id2576830"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The <span><strong class="command">query-errors</strong></span> category is
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews specifically intended for debugging purposes: to identify
3098364bcdd7a719fbafa5fc8d2cc9e90e5a5989Automatic Updater why and how specific queries result in responses which
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews indicate an error.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Messages of this category are therefore only logged
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews with <span><strong class="command">debug</strong></span> levels.
ea8cec4518b8222909b259790e41ce1bd70f03c3Mark Andrews At the debug levels of 1 or higher, each response with the
ea8cec4518b8222909b259790e41ce1bd70f03c3Mark Andrews rcode of SERVFAIL is logged as follows:
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews This means an error resulting in SERVFAIL was
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews detected at line 3880 of source file
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews Log messages of this level will particularly
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews help identify the cause of SERVFAIL for an
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews authoritative server.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews At the debug levels of 2 or higher, detailed context
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews information of recursive resolutions that resulted in
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews SERVFAIL is logged.
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The log message will look as follows:
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsfetch completed at resolver.c:2970 for www.example.com/A
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsin 30.000183: timed out/success [domain:example.com,
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrewsreferral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsbadresp:1,adberr:0,findfail:0,valfail:0]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The first part before the colon shows that a recursive
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews resolution for AAAA records of www.example.com completed
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews in 30.000183 seconds and the final result that led to the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews SERVFAIL was determined at line 2970 of source file
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The following part shows the detected final result and the
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews latest result of DNSSEC validation.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The latter is always success when no validation attempt
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews In this example, this query resulted in SERVFAIL probably
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews because all name servers are down or unreachable, leading
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews to a timeout in 30 seconds.
50a1a0e0d22d4537ae0d130da34199bb1a1820f7Mark Andrews DNSSEC validation was probably not attempted.
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews The last part enclosed in square brackets shows statistics
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews information collected for this particular resolution
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews The <code class="varname">domain</code> field shows the deepest zone
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews that the resolver reached;
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews it is the zone where the error was finally detected.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The meaning of the other fields is summarized in the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews following table.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="varname">referral</code>: The number of referrals the resolver received
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews throughout the resolution process.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews In the above example this is 2, which are most
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews likely com and example.com.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <code class="varname">restart</code>: The number of cycles that the resolver tried
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews remote servers at the <code class="varname">domain</code>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews In each cycle the resolver sends one query
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews (possibly resending it, depending on the response)
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews to each known name server of
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews <code class="varname">qrysent</code>: The number of queries the resolver sent at the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="varname">timeout</code>: The number of timeouts since the resolver
5147281cb8e25c599d759dfa65fdb6f9125efefbMark Andrews received the last response.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews <code class="varname">lame</code>: The number of lame servers the resolver detected
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews at the <code class="varname">domain</code> zone.
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews A server is detected to be lame either by an
3098364bcdd7a719fbafa5fc8d2cc9e90e5a5989Automatic Updater invalid response or as a result of lookup in
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews BIND9's address database (ADB), where lame
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews servers are cached.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="varname">neterr</code>: The number of erroneous results that the
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews resolver encountered in sending queries
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews at the <code class="varname">domain</code> zone.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews One common case is the remote server is
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews unreachable and the resolver receives an ICMP
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews unreachable error message.
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews <code class="varname">badresp</code>: The number of unexpected responses (other than
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <code class="varname">lame</code>) to queries sent by the
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews resolver at the <code class="varname">domain</code> zone.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="varname">adberr</code>: Failures in finding remote server addresses
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews of the <code class="varname">domain</code> zone in the ADB.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews One common case of this is that the remote
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews server's name does not have any address records.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="varname">findfail</code>: Failures of resolving remote server addresses.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews This is a total number of failures throughout
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews the resolution process.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews <code class="varname">valfail</code>: Failures of DNSSEC validation.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Validation failures are counted throughout
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews the resolution process (not limited to
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews the <code class="varname">domain</code> zone), but should
788778633d6d67dee01b68a5827f8e655f2c276bMark Andrews only happen in <code class="varname">domain</code>.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews At the debug levels of 3 or higher, the same messages
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews as those at the debug 1 level are logged for other errors
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews than SERVFAIL.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Note that negative responses such as NXDOMAIN are not
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews regarded as errors here.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews At the debug levels of 4 or higher, the same messages
6a78eb0a8677dca8817233799a715de27f9c2cbbMark Andrews as those at the debug 2 level are logged for other errors
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews than SERVFAIL.
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews Unlike the above case of level 3, messages are logged for
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews negative responses.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews This is because any unexpected results can be difficult to
6a78eb0a8677dca8817233799a715de27f9c2cbbMark Andrews debug in the recursion case.
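The following Python parser is an added example, not part of the BIND documentation or code. It reads the debug level 2 query-errors message described above and turns the bracketed statistics into counters that can be triaged. The sample is the page's own message joined onto one line; the counter names are paired with the descriptions in the order they appear in that message, and the triage notes restate those descriptions.

```python
import re
from typing import List, Optional, Tuple

# fetch completed at <file>:<line> for <name>/<type> in <seconds>:
#   <final result>/<validation result> [domain:<zone>,<counter>:<n>,...]
FETCH_RE = re.compile(
    r"fetch completed at (?P<source_file>[\w.]+):(?P<source_line>\d+) "
    r"for (?P<qname>\S+)/(?P<qtype>\S+) in (?P<seconds>\d+\.\d+): "
    r"(?P<result>[^/]+)/(?P<validation>[^\[]+?) "
    r"\[domain:(?P<domain>[^,\]]+),(?P<counters>[^\]]*)\]"
)

# Counters worth a note when non-zero, with the page's description of each.
TRIAGE_NOTES = {
    "timeout": "timeouts since the last response was received",
    "lame": "lame servers detected at the domain zone",
    "neterr": "network errors sending queries (e.g. ICMP unreachable)",
    "badresp": "unexpected responses other than lame",
    "adberr": "server addresses not found in the ADB",
    "findfail": "failures resolving remote server addresses",
    "valfail": "DNSSEC validation failures",
}


def parse_fetch_line(line: str) -> Optional[dict]:
    """Return the decoded message, or None if the line has another format."""
    match = FETCH_RE.search(line)
    if match is None:
        return None
    record = match.groupdict()
    record["source_line"] = int(record["source_line"])
    record["seconds"] = float(record["seconds"])
    counters = {}
    for item in record.pop("counters").split(","):
        key, _, value = item.partition(":")
        if value.strip().isdigit():  # skip anything that is not name:<number>
            counters[key.strip()] = int(value)
    record["counters"] = counters
    return record


def triage(record: dict) -> List[Tuple[str, str]]:
    """List the non-zero failure counters, in TRIAGE_NOTES order."""
    findings = []
    for name, note in TRIAGE_NOTES.items():
        count = record["counters"].get(name, 0)
        if count > 0:
            findings.append((name, f"{count} x {note}"))
    # The validation result is always "success" when no validation was attempted.
    if record["validation"] != "success":
        findings.append(("validation", record["validation"]))
    return findings


# The sample message from the text above, joined onto one line.
SAMPLE = (
    "fetch completed at resolver.c:2970 for www.example.com/A "
    "in 30.000183: timed out/success [domain:example.com,"
    "referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,"
    "badresp:1,adberr:0,findfail:0,valfail:0]"
)

if __name__ == "__main__":
    parsed = parse_fetch_line(SAMPLE)
    print(parsed["domain"], parsed["result"], f"{parsed['seconds']:.1f}s")
    for name, note in triage(parsed):
        print(f"  {name}: {note}")
```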
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews<div class="titlepage"><div><div><h3 class="title">
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews<a name="id2577350"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews This is the grammar of the <span><strong class="command">lwres</strong></span>
bac2ed6ec3fbb5420e6ce69dd1218745d4e02b1eMark Andrews statement in the <code class="filename">named.conf</code> file:
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
66b384dd2541972781b0d324757c4ea7ee49d0efMark Andrews [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
ea8cec4518b8222909b259790e41ce1bd70f03c3Mark Andrews [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> lwres-tasks <em class="replaceable"><code>number</code></em>; </span>]
67afb42794e0efcbb1c96108037733127544787cMark Andrews [<span class="optional"> lwres-clients <em class="replaceable"><code>number</code></em>; </span>]
};</pre>
be91039743737206fd31c86bf83c10faf1d47c27Mark Andrews<div class="titlepage"><div><div><h3 class="title">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="id2577447"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews The <span><strong class="command">lwres</strong></span> statement configures the
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews server to also act as a lightweight resolver server. (See
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <span><strong class="command">lwres</strong></span> statements configuring
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews lightweight resolver servers with different properties.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span><strong class="command">listen-on</strong></span> statement specifies a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews list of IPv4 addresses (and ports) that this instance of a lightweight
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews resolver daemon
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews should accept requests on. If no port is specified, port 921 is
4ed465f13a05fad0d5dab113b2c949a359e9400eMark Andrews If this statement is omitted, requests will be accepted on
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span><strong class="command">view</strong></span> statement binds this
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews instance of a
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews lightweight resolver daemon to a view in the DNS namespace, so that
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews response will be constructed in the same manner as a normal DNS
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews matching this view. If this statement is omitted, the default view
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews used, and if there is no default view, an error is triggered.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The <span><strong class="command">search</strong></span> statement is equivalent to
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <span><strong class="command">search</strong></span> statement in
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="filename">/etc/resolv.conf</code>. It provides a
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews list of domains
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews which are appended to relative names in queries.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews The <span><strong class="command">ndots</strong></span> statement is equivalent to
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews <span><strong class="command">ndots</strong></span> statement in
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="filename">/etc/resolv.conf</code>. It indicates the
6a78eb0a8677dca8817233799a715de27f9c2cbbMark Andrews number of dots in a relative domain name that should result in an
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews exact match lookup before search path elements are appended.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The <code class="option">lwres-tasks</code> statement specifies the number
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews of worker threads the lightweight resolver will dedicate to serving
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews clients. By default the number is the same as the number of CPUs on
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the system; this can be overridden using the <code class="option">-n</code>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews command line option when starting the server.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews The <code class="option">lwres-clients</code> specifies
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews the number of client objects per thread the lightweight
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews resolver should create to serve client queries.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews By default, if the lightweight resolver runs as a part
e44ce994323ebd81767f2919f46550a80b30d1d3Mark Andrews of <span><strong class="command">named</strong></span>, 256 client objects are
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews created for each task; if it runs as <span><strong class="command">lwresd</strong></span>,
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews 1024 client objects are created for each thread. The maximum
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews value is 32768; higher values will be silently ignored and
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews the maximum will be used instead.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews Note that setting too high a value may overconsume
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews system resources.
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews The maximum number of client queries that the lightweight
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews resolver can handle at any one time equals
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <code class="option">lwres-tasks</code> times <code class="option">lwres-clients</code>.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<div class="titlepage"><div><div><h3 class="title">
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews<a name="id2577611"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
6a78eb0a8677dca8817233799a715de27f9c2cbbMark Andrews<div class="titlepage"><div><div><h3 class="title">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<a name="id2577729"></a><span><strong class="command">masters</strong></span> Statement Definition and
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<p><span><strong class="command">masters</strong></span>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews lists allow for a common set of masters to be easily used by
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
dde4bc92964ec60a35212dfed59562580e3265e3Mark Andrews or <span><strong class="command">also-notify</strong></span> lists.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="id2577750"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews This is the grammar of the <span><strong class="command">options</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews statement in the <code class="filename">named.conf</code> file:
618d936b4783c66485a5a666e28f8c8d419f191cMark Andrews<pre class="programlisting"><span><strong class="command">options</strong></span> {
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> geoip-directory <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
6f046a065e5543f8cd7e2f24991c65d2372f4c8dMark Andrews [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> lock-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
be91039743737206fd31c86bf83c10faf1d47c27Mark Andrews [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
fca6550a9766fe9b0e203ff91399fae4ef3f4030Mark Andrews [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> send-cookie <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> cookie-algorithm <em class="replaceable"><code>secret_string</code></em>; </span>]
1b588ff54e83f082c186c713c4ea1112f8c823f8Mark Andrews [<span class="optional"> cookie-secret <em class="replaceable"><code>secret_string</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
be91039743737206fd31c86bf83c10faf1d47c27Mark Andrews [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
6f2f9dd4c18ae37572b6dc33ed4d9e0d11073fe5Mark Andrews [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
1d92d8a2456b23842a649b6104c60a9d6ea25333Brian Wellington [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] {
70232e6b444994979d8bab60bc9a8656ffd861e9Mark Andrews ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ;
b7aab05edae933e169d5f83c653935b17c7f0a8bMark Andrews ... }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
1d92d8a2456b23842a649b6104c60a9d6ea25333Brian Wellington [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-new-zones <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> automatic-interface-scan <em class="replaceable"><code>yes_or_no</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> geoip-use-ecs <em class="replaceable"><code>yes_or_no</code></em>;</span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
be7f27304337afbf078e8bd8db0f951a33abe33bAndreas Gustafsson [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c25080dc50542213058c240226c9f342186e6285Mark Andrews [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews [<span class="optional"> keep-response-order { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
70232e6b444994979d8bab60bc9a8656ffd861e9Mark Andrews [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
11ba7973f989b3657cbb27447bdcdd976c71ac56Brian Wellington [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
11ba7973f989b3657cbb27447bdcdd976c71ac56Brian Wellington [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
c25080dc50542213058c240226c9f342186e6285Mark Andrews [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]
78b7d41deb6a6db28696e83260dbd1ccfe6b96faMark Andrews{ <em class="replaceable"><code>address_match_list</code></em> }; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
ea935c46e8261ea10621e5b038426539fe8a7cc5Mark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
78b7d41deb6a6db28696e83260dbd1ccfe6b96faMark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
7adcb4de92bf4383a4c5624c4ed256736d02bc6dMark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] |
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
e4757e3dafe50ae59f693eec828f68c42c197a70Andreas Gustafsson [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] )
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
618d936b4783c66485a5a666e28f8c8d419f191cMark Andrews [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
70232e6b444994979d8bab60bc9a8656ffd861e9Mark Andrews [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
4a9a20f4f58cc67c8750ea0449178c87346db1cfMark Andrews [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> notify-rate <em class="replaceable"><code>number</code></em>; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> startup-notify-rate <em class="replaceable"><code>number</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
bac2ed6ec3fbb5420e6ce69dd1218745d4e02b1eMark Andrews [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> servfail-ttl <em class="replaceable"><code>number</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> nta-lifetime <em class="replaceable"><code>duration</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> nta-recheck <em class="replaceable"><code>duration</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> suffix IPv6-address; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews }; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> ; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> ; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6bb1d8fc6d7f858315190cfb2c2048a6b3135a41Mark Andrews [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
794b06660baff2e96867c5216e28235d320ba2cdMark Andrews [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
690b796315aa662bdd0cf7da35d878794c782831Mark Andrews [<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>;
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson [<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson [<span class="optional"> masterfile-format
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson (<code class="constant">relative</code>|<code class="constant">full</code>) ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
34729dbcb3526974cf98ee03ec20a107d9458417Andreas Gustafsson [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson [<span class="optional"> prefetch <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
713c3d5b18463f2479973e4d14f73248e60a5df7Mark Andrews [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
45eca3a5d46ed15aee14d81f6cb6c9fb6f365344Mark Andrews [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews } ; </span>]
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews zone <em class="replaceable"><code>zone_name</code></em>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru | drop |
be91039743737206fd31c86bf83c10faf1d47c27Mark Andrews tcp-only | nxdomain | nodata | cname domain</code></em>) </span>]
0d3490f93bb980fde704055e74c1b508987a5fe4Mark Andrews [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews [<span class="optional"> log <em class="replaceable"><code>yes_or_no</code></em> </span>]
922e6a3c2ac4ef900dd9dc99f0cc137f18372583Andreas Gustafsson [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>]
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span><strong class="command">options</strong></span> statement sets up global
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews to be used by <acronym class="acronym">BIND</acronym>. This statement
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews may appear only
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews once in a configuration file. If there is no <span><strong class="command">options</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews statement, an options block with each option set to its default will
e4dfb763224a6c8b83b3e94ba543a894d2b355cbMark Andrews<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
80f9a970ae6681c08529ef209eaabbe078c27ca3Mark Andrews Allows multiple views to share a single cache
992616aaf75643a0c9f84826f0a1ed5a27e84328Mark Andrews Each view has its own cache database by default, but
3341c8b653577f2f0cb8b72702ea6197035334ffMark Andrews if multiple views have the same operational policy
63d98873e29dee9608c27f40613cb69d130a56e7Mark Andrews for name resolution and caching, those views can
7860916d9c250b4a018e6675c8c2e3a690ff94e4Mark Andrews share a single cache to save memory and possibly
ca9a8f6d0b0f2a400a96f868193471510364336fMark Andrews improve resolution efficiency by using this option.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <span><strong class="command">attach-cache</strong></span> option
aa85e0c64e3e659f11d10e40eafdfe122ff684afMark Andrews may also be specified in <span><strong class="command">view</strong></span>
3341c8b653577f2f0cb8b72702ea6197035334ffMark Andrews statements, in which case it overrides the
40d9598efa56a495aabe77174cdf2429f9b01764Mark Andrews global <span><strong class="command">attach-cache</strong></span> option.
Usage">the section called “<span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
ignored if <span><strong class="command">named</strong></span> was run using the <code class="option">-X</code>
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
(See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
Note that some TLDs are not delegation only (e.g. "DE", "LV",
from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Additionally, a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong>
<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<span><strong class="command">geoip-use-ecs</strong></span> <strong class="userinput"><code>yes</code></strong>.
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
and additional data sections when they are required (e.g.
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
if known, even though they are not in the example.com zone.
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
when the serial number on the master is less than what <span><strong class="command">named</strong></span>
Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
Specify whether query logging should be started when <span><strong class="command">named</strong></span>
is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
insecure (i.e., signed to unsigned) by deleting all
stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
<dt><span class="term"><span><strong class="command">keep-response-order</strong></span></span></dt>
a response contains the names "example.com" and
(i.e., records of type NS, MX, CNAME, etc.) will always
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">startup-notify-rate</strong></span></span></dt>
the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
<a name="fetches-per-zone"></a><span class="term"><span><strong class="command">fetches-per-zone</strong></span></span>
<a name="fetches-per-server"></a><span class="term"><span><strong class="command">fetches-per-server</strong></span></span>
interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
class IN type A name "host.example.com" order random;
<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
a zone-signing process, i.e., whether it is still active
<span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
<span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
<a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
If the number of queries exceeds this value, <span><strong class="command">named</strong></span> will
<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
<span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
name (i.e., the CNAME alias or the substituted query name
for example, even if "example.com" is specified for
returned by an "example.com" server will be accepted.
For example, if you own a domain named "example.net" and
deny-answer-aliases { "example.net"; };
network look up an IPv4 address of "attacker.example.com",
internal web server "www.example.net" and the
it will be accepted since the owner name "www.example.net"
"example.net".
IPv4 address as in IN-ADDR.ARPA.
IP6.ARPA. (Note that this representation of IPv6
address is different from IP6.ARPA where each hex
wildcard such as *.example.com.
<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span>
<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME . ; NXDOMAIN policy
*.nxdomain.domain.com CNAME . ; NXDOMAIN policy
nodata.domain.com CNAME *. ; NODATA policy
*.nodata.domain.com CNAME *. ; NODATA policy
bad.domain.com A 10.0.0.1 ; redirect to a walled garden
; do not rewrite (PASSTHRU) OK.DOMAIN.COM
ok.domain.com CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME .
32.1.0.0.127.rpz-ip CNAME rpz-passthru.
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
112.zz.2001.rpz-client-ip CNAME rpz-drop.
8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
; force some DNS clients and responses in the example.com zone to TCP
16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
example.com CNAME rpz-tcp-only.
*.example.com CNAME rpz-tcp-only.
<span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
This controls flooding using random.wild.example.com.
<span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
<span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
<span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
With a redirect zone (<span><strong class="command">zone "." { type redirect; };</strong></span>), the
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-expire <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> nocookie-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
<span><strong class="command">edns-udp-size</strong></span> in <span><strong class="command">options</strong></span>
The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
<a name="id2593033"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
<a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
<a href="http://127.0.0.1:8888/xml/v3/traffic" target="_top">http://127.0.0.1:8888/xml/v3/traffic</a>
<a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a>
<a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a>
<a href="http://127.0.0.1:8888/json/v1/traffic" target="_top">http://127.0.0.1:8888/json/v1/traffic</a>
<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
<a name="id2593536"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
<a name="id2593589"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
<em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
[<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
<a name="id2593956"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
// Provide a complete view of the example.com
zone "example.com" {
file "example-internal.db";
// Provide a restricted view of the example.com
zone "example.com" {
file "example-external.db";
<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ;
[<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
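[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]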
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
[<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
[<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
[<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
[<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
[<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
<a name="id2596040"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
Non-recursive queries (i.e., those with the RD
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
status of infrastructure zones (e.g. COM,
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
<span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
<span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
<span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
For example, if "example.com" is configured as a
example.com. A 192.0.2.1
"www.example.com" with the RD bit on, the server
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
"ns.example.net" cannot, and will be rejected by
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
"www.example.com" with the RD bit on, the server
"ns2.example.net" to IP addresses, and then send
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
<span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
(see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
<a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
<span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
and converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
zone example.com {
file "example-external.db";
zone example.com {
Zone-level ACLs (e.g. allow-query, allow-transfer) and
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
built-in server information zones, e.g.,
any order), and if neither of those succeeds, delivery to <code class="literal">mail.backup.org</code> will
and PTR records. Entries in the in-addr.arpa domain are made in
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
<a name="id2602811"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
<a name="id2602827"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
$ORIGIN example.com.
<a name="id2602888"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
<a name="id2602957"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
<a name="id2602994"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
Classless IN-ADDR.ARPA delegation.
HOST-1.EXAMPLE. MX 0 .
HOST-2.EXAMPLE. A 1.2.3.2
HOST-2.EXAMPLE. MX 0 .
HOST-3.EXAMPLE. A 1.2.3.3
HOST-3.EXAMPLE. MX 0 .
HOST-127.EXAMPLE. A 1.2.3.127
HOST-127.EXAMPLE. MX 0 .
(<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
(see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
<a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
<a name="id2607740"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
<td width="40%" align="left" valign="top">Chapter&#160;5.&#160;The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver&#160;</td>